Where the Money Is: Small Businesses Need Cybersecurity

Oct 8, 2024 | Cybersecurity

The Willie Sutton Rule asserts that it’s human nature to take the path of least resistance when pursuing a goal. It’s named after a comment attributed to notorious criminal Willie Sutton, who explained that he robbed banks because “that’s where the money is.” We don’t think of small businesses as having deep reserves of cash, but we can see the Willie Sutton Rule in action when it comes to cybercrime. That’s because SMBs are a target that offers cybercriminals the best opportunities for easy money. In fact, more than 40% of small businesses were on the receiving end of a cyberattack last year.

What makes small businesses such an attractive target to cybercriminals? There are several reasons why they are particularly vulnerable.

Business Owners Often Too Busy to Focus on Security

There’s never enough time in a day for an entrepreneur or small business owner. Very few have the bandwidth or expertise to keep up with security processes like software patches and server backups. A lack of technical personnel also makes it difficult for small businesses to maintain effective cybersecurity. Instead, many default to an “if it’s not broke, don’t fix it” attitude towards their systems. Unfortunately, keeping systems updated and secured requires an ongoing process. The National Institute of Standards and Technology (NIST) lists five essential steps in its Cybersecurity Framework Quick Start Guide for Small Businesses:

  1. Identify – Inventory your hardware, software and other systems; assess which are most critical; and identify sensitive data they access
  2. Protect – Restrict sensitive information to only those employees who should see it; regularly update software; ensure backup processes are in order; and train employees on the risks of cyberattacks
  3. Detect – Understand signs of suspicious activity in your systems and physical environment; install anti-virus and anti-malware software; and engage a Managed Service Provider for small business to monitor your networks and computers for signs of a cyberattack
  4. Respond – Have an incident response plan in place; assess severity and cause; contain damage from the attack; communicate details to internal and external parties, especially when required by law
  5. Recover – Conduct a postmortem on the event; identify lessons learned and additional opportunities to secure your business

Employees Are Also a Cybersecurity Risk

Without a cybersecurity training program in place, employees may not be aware of cyber threats or data security hygiene, leaving them susceptible to social engineering attacks or malicious links. Weak passwords are a common security oversight. Employees who resort to using easily guessable or shared passwords make it easy for cybercriminals to gain unauthorized access to systems and data.

Accounts belonging to departing employees that are left active can also be a security issue. Smaller businesses tend to have a higher rate of employee turnover than large enterprises, and staff may not be able to deactivate accounts in a timely fashion. Even employees who move to a new role within a company can create an area of exposure if they are not removed from applications they no longer use. Implementing strong system access policies such as least privilege, and immediately updating accounts, can help secure systems.

Risks from Phishing and Ransomware Attacks

Employees may be vulnerable to phishing attacks from hackers who send deceptive emails or messages designed to trick them into clicking on malicious links or downloading malware from attachments. If your business doesn’t currently use anti-phishing software such as Barracuda, your staff are already under attack: it’s estimated that as many as 1.2% of emails sent today are malicious. A successful phishing attack can give a hacker access to sensitive information like login credentials, credit card details, or personally identifiable information (PII).

Another cybercrime, ransomware, poses a significant risk to small businesses. This type of malware encrypts a victim’s data, making it inaccessible until a ransom is paid. This leaves small businesses in a difficult position, forced to comply with the attacker’s demands or face significant financial and operational losses. Companies can be held hostage for millions of dollars. It’s no surprise that an estimated 60% of small businesses close their doors within six months of a ransomware attack.

Not only is there a surge in these kinds of malware, but they continue to evolve, with new versions cropping up as soon as hackers spot an opportunity.

Stay Ahead of Criminals with an MSP for Small Business

A focus on day-to-day operations, lack of specialized expertise, and poor security processes create a perfect storm for hackers looking for easy targets. How can your small business stay ahead of cybercrime without having to support a team of IT specialists? Small business owners can consult a managed IT services provider (MSP) who can develop a comprehensive cybersecurity strategy comprising regular security assessments, employee training, and state-of-the-art security tools and technologies.

If you don’t have a full picture of your technology infrastructure, your IT team may end up missing critical gaps in your security. If this sounds like something your small business is facing, talk to a member of our team to learn how a vulnerability assessment can identify ways to make your systems more secure.
