Cybersecurity is a major concern for businesses of all kinds and sizes. Our imagination has been captured by big, attention-grabbing breaches and attacks. Target's big hack of customer information, the huge breach at the US federal government's Office of Personnel Management, and earlier attacks in recent years have all cemented the idea of big companies as prime targets for hackers. It's true that these companies are at risk for attacks and that their high profile means that any cybersecurity breach will generate headlines due to their size.
However, that does not mean that small businesses don't need to worry about protecting themselves. There are many different kinds of cyberattacks, and small business owners need to be aware of all of them. For example, many attacks don't involve hacking into a website or bank- they involve simply trying to obtain usernames and passwords by writing fake emails or making fradulent phone calls. These attackers pose as IT workers or managers and ask for account information from regular employees. Other attacks are more like the major headline breaches where teams of hackers break into a network through brute force or by exploiting vulnerabilities in code.
All of these are potential threats to small businesses because attackers know that small businesses don't have the same facilities as big business. A big business can afford to put a lot of money into tough defenses, hire an entire IT department, and spend many hours training its staff in ways to spot potential attacks. A small business, on the other hand, has a small staff and not many resources to allocate to cyber-defense. Hackers are well aware of this, and they target small businesses because they know they are often softer targets.
There are many examples of such attacks that don't hit the news because individually they are not as large as the biggest corporate attacks, but they still occur and can have devastating consequences. For example, Luna and Luna LLP is a real estate escrow company that experienced a nasty shock when a bank that they were using fell victim to Chinese hackers, who cleaned out several accounts. They lost nearly two million dollars. The fallout from attempting to recover the money from the bank soured the relationship between the bank and Luna and Luna, who are now in legal proceedings over the status of the money. There is little chance that any of that money will come back, as it had been wired out of the country into China before the firm noticed the loss.
The example of Luna and Luna shows small businesses that they need to develop a risk management plan for cyber-based advanced persistent threats. Every small business owner needs to be aware of not only the liability of their company, but also the potential for any bank, supplier, or other business that they are connected to to experience a hack. Experienced hackers can compromise not only their target company but also every exposed and connected company they can. It's not easy for small businesses to balance cybersecurity with all of the other demands on their time and resources, but it is becoming an increasingly important risk. A single breach might be enough to ruin a business depending on how much damage it does, both in terms of monetary losses and in terms of intnagible losses. A company that gets hacked might lose customers, because it will be seen as a security risk. They could also lose connections to banks, suppliers, and partners. It becomes a human resources risk as well if employee or customer data was stolen. Cybersecurity was a non-issue only a few years ago, but increased risk and the broadening scope of attacks means that small businesses need to start making serious plans to address their exposure to cyberattacks.