Hackers Are Targeting Small Businesses in the Bay Area

The mainstream news is littered with stories of high profile data breaches. In the last two years alone, we’ve seen some of the world’s largest organizations like MyFitnessPal, Quora, GooglePlus, and Facebook fall victim to major cyber attacks. However, hacks against large businesses are only one part of the picture. While this coverage has increased public awareness of massive data breaches it’s done little to highlight the very real threat to small businesses.  

Many small businesses think they are too small or insignificant to be on a hacker’s radar. One report found that 54% of small and medium-sized businesses (SMBs) believe they are “too small” to be a ransomware attack target^[1]. This belief is as false as it is dangerous. Verizon’s Data Breach Investigation Report (DBIR) found that 43% of all data breaches target SMBs^[2]. With that alarming figure in mind, let’s take a look at why small businesses in the Bay Area are being targeted and how we can prevent future cyber attacks.

Why Do Hackers Target Small Businesses

There are several pieces to this puzzle but put simply, small businesses are a goldmine for hackers. While a hacker stands to gain more from attacking a large business, they are also much less likely to be successful. Large businesses usually have cybersecurity teams and heavily fortified networks, among other preventative measures. While these measures don’t stop 100% of cyber attacks, they do make it very difficult for hackers and demand a more sophisticated hacking operation. Let’s delve a little deeper into why hackers target small businesses.

There’s Big Money in Small Businesses

While hackers don’t stand to gain as many resources (data or ransom) from hacking a small business, there are a lot more small businesses available to target. When you consider that there are approximately 28 million small businesses in the US, and that these make up 99.7% of all US firms^[3], it’s easy to see why small businesses are a lucrative target. According to a report by Hiscox, the average cost for a cyber attack across all business is $200,000 and around 60% of businesses go out of business within six months of becoming a victim^[4].

 Ransomware attacks remain the biggest threat to small businesses of all cyber attacks. Ransomware is a type of malware that is installed on the company’s computer or network and will either block access to critical information or threaten to expose sensitive information if the ransom is not paid. The demanded ransom is usually asked for in cryptocurrency form due to the anonymity this method provides for hackers.

 Ransomware attack attacks can cripple small businesses. When the company’s systems are locked by ransomware, the company is unable to operate and will lose money. A ransomware attack can have long-standing consequences on a company’s reputation, making both customers and investors wary.

 With so much at stake, many small business owners will pay up the ransom to regain control of their systems swiftly. Of course, most of us understand in an academic way that you shouldn’t pay a ransom. We’ve all watched enough Hollywood movies to know that people who ask for ransoms aren’t trustworthy. You have no guarantee that the hacker will relinquish control of your data and hand everything back as it was without keeping any of it for themselves. Even knowing this, many business owners will hand over the ransom.

In fact, one report found that around 55% of executives at SMBs state they would pay a ransom to hackers to regain control of their data^[5]. It’s not that small business owners don’t understand the consequences of paying a ransom, they’re not stupid, they just often feel like they have no other option. Most cybersecurity professionals vehemently oppose paying a ransom, and instead propose that companies should invest more in cybersecurity defenses and regularly back up their data. This is solid advice, but a lot of small businesses only heed this advice when they have already experienced an attack.

Additionally, a lot of hacking relies on creating a sense of urgency in the victim. Ransomware falls firmly in this category. Humans are notoriously bad at making the right decision when they are put under stress and pressure. This is the same reason that certain phishing scams are so successful. A common phishing scam is where the victim receives an email saying their account has been suspended, or their order has been shipped (an order they never placed).

This scam creates a sense of urgency for the victim because they want to solve the issue immediately to either get their account back or stop funds leaving their account. This urgency encourages people to act quickly and forgo safety measures like analyzing the URL or contacting the company through a different medium. Ransomware works the same way. When a victim loses control of their company data, their top priority is getting it back as quickly as possible and this makes paying the ransom seem like the logical solution. The average downtime for an SMB hit with a cyber attack in 2018 was over 8 hours^[6].

Intellectual Property Makes the Bay Area a Valuable Target

According to Verizon’s latest data breach report, 71% of breaches were financially motivated, and 25% were motivated by espionage^[7]. Espionage in this situation means “motivated by the gain of strategic advantage”. The Bay Area is often dubbed the tech capital of the world and is the birthplace for high tech and technological innovation. This makes the Bay Area a prime target for hackers looking to steal intellectual property from small startups with big ideas. Sometimes these hacking operations are state-backed and other times its simply private hacking operations looking to steal ideas for their own business in a different country.

Small Businesses Are Ill-Prepared for Cyber Attacks

Many small businesses are ill-equipped to deal with a cyber-attack. This can mean that they don’t have adequate cybersecurity infrastructure, employee training, disaster recovery policies, or generally have poor cybersecurity hygiene.

According to a 2018 report by Keeper Security, 74% of small business respondents cited insufficient personnel as the reason their security wasn’t fully effective. Other major challenges to effective security were insufficient budget (55%) and not understanding how to protect against cyberattacks (47%). Only 4% of respondents cited “management does not see cyber attacks as a significant risk” as a challenge to fully effective security^[8]. This suggests that small business owners are becoming increasingly aware of the threat of cyber attacks, but lack the resources or knowledge to protect themselves.

Outsourcing cybersecurity is a great option for small businesses, but having a security-aware workforce is still paramount. According to one report, negligent employees and contractors were the leading cause of data breaches in 2017^[9].

How Small Businesses Can Protect Against Cyber Attacks

• Educate employees: An alarming number of data breaches happen because of human error. Weak passwords remain a serious threat to company data. Small businesses should create a manageable security policy and continually educate employees on cybersecurity topics. This can be things like how to create a secure password, what to do when they receive a suspicious email, where and how they should store sensitive data, and so on. Employees should also be educated in the different types of hacking attacks, like ransomware, social engineering, keylogging, and phishing attacks so they can identify them.
• Follow cybersecurity best practices: Cybersecurity standards are set by some of the world’s leading organizations like the National Institute of Standards and Technology (NIST), Microsoft, and others. Pay attention to what these organizations recommend.
• Consider standing up a cybersecurity team: This can be either in-house or outsourced. Both have their benefits but outsourcing is usually the best option for small businesses because they can access highly skilled labor on-demand at a controlled cost.
• Keep your systems up to date: Security patches exist for a reason. The reason is usually that a vulnerability has been found in the code that hackers can exploit. If you don’t update your software regularly, you’re making it easier for hackers to successfully breach your business.

Moving Forward

Cyber-attacks remain a serious threat to the livelihood of small businesses that make up a huge share of the US economy. Small businesses are vulnerable to cyber-attacks because they are often ill-equipped to prevent them or handle them when they occur. This can be due to a range of factors. The cost of implementing cybersecurity preventative measures remains a major hurdle for small businesses, despite the cost of a breach often being several magnitudes higher. Lack of cybersecurity awareness or skilled employees also remains a major issue.

Small businesses in the Bay Area are likely more aware of cybersecurity issues due to their proximity to leading tech companies, but small businesses in this area are also a very high-value target for hackers. Combatting this issue requires a dedication to implementing cybersecurity best practices across small businesses. As more small businesses invest in cybersecurity we can create a safer world for small businesses in the Bay Area.

^[1] https://ssdtechie.com/

^[2] https://enterprise.verizon.com/resources/reports/dbir/

^[3] https://www.fundera.com/blog/sba-definition-of-small-business

^[4] https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html

^[5] https://www.silicon.co.uk/security/cyberwar/most-us-businesses-pay-ransomware-245787

^[6] https://www.cisco.com/c/dam/en/us/products/collateral/security/small-mighty-threat.pdf

^[7] https://enterprise.verizon.com/en-gb/resources/reports/dbir/

^[8] https://www.keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf

^[9] https://www.techrepublic.com/article/report-negligent-employees-are-no-1-cause-of-cybersecurity-breaches-at-smbs/