Craig McDonald 04 July 2019 16:00:12 AEST 11 MIN READ

78% of small businesses/startups employing staff are being targeted by cybercriminals

I was going to begin this blog by posing a question to CEOs: ‘How high is cybersecurity on your list of priorities?’

But on reflection, that’s probably a moot point. Cybersecurity has made its case with most board members and C-levels, backed by a litany of data breaches around the world that have resulted in gargantuan amounts of data and profit loss - to the point where some companies have had to shut down.    

So you already know that implementing a good cybersecurity strategy is key for your business to keep running smoothly.  

But do you know exactly how important it is? 

Here’s a sobering fact to remind you of how vulnerable businesses are to cyber-attacks: according to a 2019 report, there was a 424% increase in new breaches of small businesses in 2018 compared to 2017.

Here’s more: In a survey of 1,000 small and medium-sized businesses (SMBs) in The 2018 State of SMB Cybersecurity from Ponemon and Keeper, 78% of respondents indicated they had been the target of cyber-attacks in the past 12 months. 

So here’s a wake-up call for those small business owners who think they can get away with lax cybersecurity policies: cybercriminals are increasingly targeting small companies, and today it is imperative that your business – no matter how small or big – is equipped to handle cyber-attacks of any scale.

Which brings us to the next question: 

Why are more cybercriminals targeting small businesses and start-ups? 

Less data, less money, less cyber risk, right? Wrong. In fact, smaller businesses are popular targets for cyber-attacks because cybercriminals (sometimes correctly) assume that your defences aren’t as strong as those of bigger companies.

Some hackers may prefer to focus on bigger companies because of the ratio of effort and risk to their ultimate reward, but others are increasingly targeting smaller companies.  

Firstly, smaller businesses are often gateways to bigger rewards. As part of a supply chain, many small businesses have professional relationships with larger organisations, or by the very nature of their work they may be a conduit to a network of sensitive data: contracting services firms, accounting practices, legal firms, conveyancers and others. These organisations are custodians of sensitive data, ranging from customer information through to confidential passwords, systems access and valuable financial information - exactly what cybercriminals look to exploit.

They often attempt to hack into smaller organisations’ systems to gain access to bigger, higher revenue-generating companies too. Home Depot’s 2014 data breach is a famous example of this, when cybercriminals stole the retailer’s network credentials via a third-party vendor and used them to seize the credit/debit card information of 56 million Home Depot customers. (For more such examples, check out MailGuard’s list of 18 noteworthy cyber-attacks that shook the web.) 

Secondly, enterprises may offer more entryways, more money to steal and perhaps even better data to ransack, but they also have stronger cybersecurity keeping their systems tight. Enterprises generally have the resources to invest in cybersecurity, including the right tools, people and processes, and the capacity to train frontline staff effectively.

Comparatively, smaller businesses and start-ups tend to focus proportionately more time and effort on getting the business up and running, generating wealth and ideas, and getting the brand out there. You may not have much experience with business cybersecurity beyond virus protection, and you probably don’t have a great deal of funds to dedicate to the cause. We all know small business owners and start-up founders need to wear many hats, and being a cybersecurity chief probably isn’t one of them.

But that doesn’t mean that you should ignore the threat - especially because the stakes of doing so are way too high. 

The cost of cyber-attacks to small businesses 

I’ve witnessed first-hand the devastation that cyber-attacks can cause small businesses. This ranges from monetary fraud, through to IP corruption, and even the ability to cripple a business. That’s mainly because of lost revenue due to downtime, and the cash spent attempting to remediate the breach, plus the often overlooked reputational damage. They can all really add up.  

In fact, according to Ponemon Institute, cyber-attacks cost SMBs an average of over $2.2 million. Clean-up costs are responsible for about half, with the other half due to business disruption. 

Besides these costs, you can get into trouble with governmental agencies too. Both the GDPR and the Notifiable Data Breaches scheme require strict reporting should customer data become compromised - with the potential for stiff penalties and fines for non-compliance: up to $2.1 million for the NDB, and up to €20 million or 4% of the company’s global annual turnover for GDPR.

Don’t forget the damage to trust in your brand and reputation too.

When you’re just starting out and making a name for yourself, the trust in your brand and reputation is something you are actively building. You don’t have the goodwill and reputation that large companies have accumulated. Your good name and the trust in what you do are critical, and just as positive word of mouth can help you grow, bad sentiment and negativity can quickly cripple your business. Brand trust and customer satisfaction levels both typically plummet after a cyber-attack.

So how are small businesses being compromised?

There are many avenues of attack, but several studies have cited phishing emails as the top threat vector for businesses today. For example, the 2018 Ponemon and Keeper report found that phishing/social engineering attacks continue to be the number one type of attack SMBs experience. These were followed by web-based attacks, general malware and stolen or compromised devices.

These figures aren’t surprising. Email is a surprisingly easy road into your systems: unlike phone calls that purport to be from Microsoft with a distinctly strange accent and line of questioning, emails can far more easily seem legitimate. Every day, my team at MailGuard intercepts a host of legitimate-looking phishing and brandjacking attempts that are destined to land in business inboxes and fool staff.

How to fortify your systems

In an ideal scenario, companies would have a dedicated cybersecurity consultant or an in-house team of security experts who can conceptualise and execute a robust cybersecurity strategy. However, that just isn’t a possibility for most. Nevertheless, it’s key for companies to recognise that they are appealing and vulnerable targets for hackers and cybercriminals, more so than they have ever been in the past. Here are some pointers to get you started:

Be a pro-security CEO

As a CEO or business owner, it’s up to you to set the agenda for cybersecurity in your organisation and actively take charge of boosting cyber resilience within your company.

You may not be an expert yourself, but you need to know what the risks are to your business and what policies to put in place to drive security improvements. Collaborate with your teams and ask them to suggest ways your company can strengthen its security stance. Call on all corners of your business, from sales through to operations, marketing, finance and IT. They are well-versed in the different IT processes their teams handle every day, and may give you useful insights into which aspects of those processes could be made more secure.

Cybersecurity education

Ensure that everyone in the company knows they have a part to play in creating a cyber-savvy culture. Think about it - if everyone in your organisation practices good cyber habits, the resources you need to allocate to cybersecurity would be drastically reduced.

Being cyber-savvy is a process that begins with awareness. If you want your team to participate in making the business safer from hacking and cybercrime, you have to give them the knowledge to make good security choices. It doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defence.

The goal of cybersecurity education in a business setting is to give team members a functional understanding of how to avoid potential threats. By educating teams about how cybersecurity works, a company significantly improves its frontline resilience. Not every person in a company has to be an IT expert, but everyone should have a basic understanding of the cyber-threats, like malicious email, that they are likely to encounter on a daily basis. There are several inexpensive means of providing this information, such as free guidebooks online and workshops on how to be cyber secure. That’s why I wrote ‘Surviving the Rise of Cybercrime,’ a free e-book designed to give non-technical executives a basic understanding of cybercrime. You can download your free copy here, and share the link with others in your team.

Practicing good password habits

Did you know that 81% of data breaches are caused by weak and/or stolen passwords? Ensuring employees practice good password hygiene is a great way to boost cyber-resilience in your company. Encourage them not to use generic passwords or to repeat old ones. You can enforce password rules that disallow password reuse, or even reuse of similar passwords (this can be trickier to set up).

Where it is available for key business-critical systems, encourage employees to use multi-factor authentication; it makes it much harder for phishing scammers to break into your company. It provides an extra layer of protection for highly confidential information, especially in your cloud-based accounts, because when a user logs in to their account they must pass a second stage of authentication. That commonly involves an SMS message sent to their phone, which also alerts the genuine account holder to any fraudulent sign-in attempts. Other options include USB keys, codes sent to an app, or a verification email, all as complements to the standard password.

You can also take advantage of reputable services such as HaveIBeenPwned to see whether confidential data has been exposed in any known data breaches; the leaked data they index can include usernames, passwords, addresses and more. Investing in a good password manager such as LastPass might also prove useful in the long run.
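The password rules above (no reuse, no reuse of similar passwords) and the breached-password check that services like HaveIBeenPwned offer, worked through as one added example that is mine, not code from the post or from MailGuard: a password-change check that rejects exact reuse against a salted hash history, near-reuse against the current password, and candidates found in a breached set. The similarity rule is the tricky one because only the current password is ever available in plaintext at change time. The breached passwords and their counts are constructed sample data, and the lookup only mimics the Pwned Passwords k-anonymity range format locally; nothing here calls the real service.

```python
import difflib, hashlib, os

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form a password-history store keeps (never plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_history(previous_passwords):
    """Constructed sample history of (salt, hash) pairs; include the current password too."""
    history = []
    for pw in previous_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(pw, salt)))
    return history

def is_reused(candidate, history):
    """Exact reuse: re-hash the candidate with each stored salt and compare digests."""
    return any(hash_password(candidate, salt) == digest for salt, digest in history)

def is_too_similar(candidate, current_password, threshold=0.8):
    """Near-reuse such as 'Winter2018' -> 'Winter2019'. Only the current password is in plaintext
    (the user just typed it to authorise the change); stored hashes cannot be compared this way."""
    ratio = difflib.SequenceMatcher(None, candidate.lower(), current_password.lower()).ratio()
    return ratio >= threshold

def build_range_db(breached):
    """Index breached passwords by SHA-1 5-hex-char prefix as 'SUFFIX:COUNT' (Pwned Passwords range format)."""
    db = {}
    for pw, count in breached.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db

# Constructed stand-in for a breach corpus: assumed passwords and counts, not real breach data.
RANGE_DB = build_range_db({"password": 3730471, "Summer2019": 512})

def is_breached(candidate, range_db=RANGE_DB):
    """k-anonymity lookup: only the 5-char prefix leaves the client; suffixes are matched locally."""
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":")[0] == suffix for line in range_db.get(prefix, []))

def check_new_password(candidate, current_password, history):
    """Return 'ok' or the reason the candidate password is rejected."""
    if is_reused(candidate, history):
        return "rejected: password was used before"
    if is_too_similar(candidate, current_password):
        return "rejected: too similar to the current password"
    if is_breached(candidate):
        return "rejected: appears in a known breach"
    return "ok"
```

In a real deployment the range lookup would be an HTTPS call with the 5-character prefix, and the similarity threshold is a policy choice to tune against your own users' habits.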

What strategies are you adopting in your company to ensure that your people and data are protected at all times? I’d love to hear your views. Feel free to contact me via the details below or join the conversation on our Twitter page.  


Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.