Why Do Hackers Target Small Businesses?

Updated on October 25, 2021 Leave a comment

Cybercriminals aren’t all that different from a common thief, they always opt for the path of least resistance – aka the open window without any locks.

The common assumption is that hackers focus all their attention on Fortune 500 companies because why not, that’s where the money is, right?

However, a series of alarming stats indicate that’s far from the case.

For instance, Verizon’s 2020 Data Breach Investigations Report revealed that 43% of online attacks were targeted at small businesses. Close to 40% of small business owners surveyed said they were targeted with malicious emails in a study by IBM Security. These attacks have only increased with the pandemic.

Another study asserted that the cost of global cybercrime will reach about $6 million by the end of 2021.

These are surprising. Why go after the lowly small business and not the big fish? Keep reading as we take a look at what makes small business so appealing to hackers.

A Small Business makes for a Soft Target

There’s little doubt that many hackers dream of hacking into a corporation like Walmart and making off with millions of ill-gotten gains. However, the reality is that large corporations are very cybersecurity conscious and are equipped with the resources to ensure they are well protected.

On the other hand, the average small business does not have the expertise nor the resources required to protect their data, making them easy targets for cybercriminals.

One example was the 2009 Maine incident where $345,000 was stolen from a family-owned construction company.

What makes the task easier for hackers is that many small companies use the cloud to store data and do online business. Unfortunately, most of these cloud services do not use the right security measures to protect data and secure the business.

Easy Targets for Spear Phishing

Given the lack of technical experience with cyber protection, its not a surprise that small businesses are easy to target through spear phishing.

Spear phishing is where hackers conduct deep research into a company and then send out fraudulent emails claiming to be someone the recipient knows and trusts. Hackers often access the victim’s social media profile to discover more information. This also allows them to better masquerade as someone who knows the recipient well.

The email attempts to install malware or direct the victim to a fake site that can log keystrokes and login details. This information can then be used to access banking accounts or payroll systems.

Easy Access to Personal Data

Even if hackers are unable to access important banking details, they may still be able to access other sensitive data. For instance, every business keeps employee information on file. This includes social security numbers, debit card details, health records and much more.

Some hackers may have no use for it but they can turn a profit by selling this information on the dark web.

Small Business Are Used as Stepping Stones

Not long ago in 2013, Target’s security system was breached and hackers escaped with the payment details of about 40 million customers. The incident remains one of the largest data breaches in US history.

But Target is worth about $11.3 billion and has over 360,000 employees so why are we mentioning this? Well, what makes the incident relevant to us is that the hacker gained access to the retailer’s network by hacking a partner HVAC business and obtaining that company’s credentials to login to Target’s network.

This shows that hackers are looking at small businesses as a stepping stone through which to target larger businesses and Fortune 500 companies.

Poor Cybersecurity

Research by Keeper Security found that only 14% of small businesses are equipped to protect themselves from cyberattacks. The study continued, noting that 66% of decision makers at small businesses believed they were not at risk of a cyberattack.

Unfortunately, this feeling of safety is misplaced – it is small businesses that keep facing regular hacking attempts with many being successful. At least four in 10 businesses experience more than one cyberattack. What makes these stats scarier is that cyberattacks, on average, are not noticed for about 100 days. This isn’t a surprise given that the same study revealed that 6 out of 10 businesses don’t have a cybersecurity plan in place.

All these set the scene for ripe pickings for any hacker who knows what he is doing.

How To Prevent Cyberattacks?

There are several strategies that small businesses can implement to better safeguard the company as well as personal information from hackers.

  • Commit to data security
    • Whether its hiring a freelance security manager or a professional IT company, it pays to proactively protect your information rather than scrambling after a breach. Companies are generally not protected from security breaches that can be traced back to the business.
  • Install firewalls and relevant security updates
    • Keep your system updated with relevant patches and security updates to better combat evolving threats. It is no secret that cybercriminals target companies that fail to update their systems in a timely fashion.
  • Train employees
    • Restricting sensitive data to only the necessary employees and training everyone on proper security practices can go a long way in protecting the business. It is common for data breaches to begin when an employee unknowingly downloads malware or keyloggers that are able to record and steal passwords and usernames. Very often, these malwares are downloaded by employees surfing the web or playing video games online. Online thieves are aware of this and often attempt to exploit this habit.
  • Encrypt all data
    • This is especially important on portable devices like laptops.
  • Do not allow unauthorized devices to be plugged into office systems
    • External USB devices can be tainted and automatically install malware on the computer.
  • Use complex passwords
    • Regularly change your passwords and always ensure said passwords are long and complex.