How to Assess the Cybersecurity Risk of Your Small Business

Cybercriminals perceive small businesses to be lucrative targets. Find out why, and what cybersecurity experts suggest to reduce your digital security risks.

Some small-business owners assume that the size of their company makes it an unlikely target for cyber adversaries. That may have been true in the past, but it’s no longer the case.

“The increase in ‘targeting the little guy’ began several years ago (2011)… but represented less than a fifth of all attacks,” writes cybersecurity expert Joseph Steinberg in his Inc. article Small Businesses Beware: Half of all Cyber-Attacks Target you. “Today, however, the number is somewhere just shy of 50 percent. Furthermore, the trend towards targeting small businesses is likely to continue. Small businesses have become, in the eyes of many hackers, more attractive targets than larger enterprises.”

Steinberg offers the following reasons and more as to why:

  • Small business owners pay ransom: Small businesses run on a tight budget, need their company data to stay solvent, and most find paying the ransom to be the best way out of an unfortunate predicament.
  • Small businesses have valuable data: Cybercriminals are finding that even smaller companies store sufficient sensitive information—financial and personal—to make hacking worth their effort.
  • Small businesses provide hackers access into other businesses: Small companies provide and receive services from other businesses, both large and small. A bad-guy bonus from attacking a small business might be an unprotected path to more lucrative victims—the Target Corporation breach, for example.
  • Small businesses often lack adequate cyberdefenses: It is unlikely that the cyberdefenses of a small business will be of the same caliber as an enterprise-size corporation. Besides lacking sophistication, small businesses seldom have full-time employees who are responsible for cybersecurity. Steinberg adds, “Some who would never risk trying to attack might have little if any qualms trying to hack a mom-and-pop retail outlet.”

There are at least two more factors working against small businesses:

  • The good guys have to protect every weakness whereas the bad guys only have to find one way in.
  • “The bad guys typically know more about a target’s equipment and how to break into it than the owners do,” suggests author and cybersecurity expert Greg Scott.

The big- versus small-business risk inequality is something Matt D’Angelo would like to eliminate. In his article How to Assess the Cybersecurity Risk of Your Small Business, D’Angelo describes ways small-business owners can reduce their company’s appeal to cybercriminals. For starters, D’Angelo suggests conducting a thorough digital risk assessment.

Jorge Rey, CISO for Kaufman Rossin P.A., agreed with D’Angelo during an interview for the article. Rey also emphasized the need to consider everything as part of a risk profile: Threats, vulnerabilities, potential losses, and then ask, “Are we doing good, or do we need to do more?”

D’Angelo offers an example of where small-business management can fall short. “Oftentimes, the most common cyberattacks come from disgruntled employees or mistakes from workers within the organization,” he explains. “While industry-wide crime trends like phishing, ransomware and DDoS attacks should be considered, don’t forget about threats within your own company.”

Both D’Angelo and Rey acknowledge that it is impossible to find every vulnerability. D’Angelo suggests this is where cybersecurity consultants and third-party risk assessment companies can be of use. “Once company personnel have looked at threats and determined existing vulnerabilities, a cybersecurity consultant can then help quantify risk and implement strategies to protect the business,” writes D’Angelo. “When looking for companies or individuals to partner with, Rey said it’s important to consider experience and work with a company that understands the business aspect of cybersecurity.”

“Small businesses can manage risk through technology, but technology is not the only solution,” adds Rey. “It is important to have someone who understands the business side of the company and can associate security issues to some operational or financial metric that is understandable to responsible parties in the company.”

D’Angelo, Rey, and Scott offer some final advice about consultants, “Considering everything, the experience and the relationship they provide are important.”

 Small businesses are vital

The fact that cybercriminals are targeting small businesses is alarming for several reasons. According to the National Telecommunications and Information Administration, small businesses are responsible for over 50% of all sales in the US, 21% of all manufactured exports, and employ 54.4 million people (57% of the private workforce in the US). To say small businesses are important to the US seems like a huge understatement.

D’Angelo and other concerned experts hope small businesses will band together, share what works and what doesn’t when it comes to cybersecurity, and defend what is rightfully theirs.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.