There’s nothing small about “small” business. Within the global economy, small-to-medium sized businesses (SMBs) collectively generate trillions of dollars and employ millions of workers. SMBs are typically categorized as businesses with fewer than 500 employees, but what about the smallest of all businesses? According to IDC estimates, there are approximately 80 million businesses worldwide that operate with fewer than 10 employees. These “very small businesses” business are often operated in homes, and the business’s “founder and president” is usually the same person who orders paper for the printer. And yet these organizations will process millions, if not billions, of dollars in 2013.
Another reality of these 80 million very small businesses (VSBs) is that the vast majority don’t have employees or resources dedicated to building their IT networks. In many cases, the same employee responsible for ordering printer paper is also responsible for maintaining the computers and networks that keep VSBs connected to their customers.
Despite their smaller size, VSBs have some key needs in common with their larger business counterparts, in particular the need to protect important data – such as customer data and their own financial information – while banking online and processing customer orders. They share an unfortunate similarity as well – they can easily become victims of cybercrime.
Too Small to Be Noticed?
Two common assumptions shared by small businesses, and particularly among VSBs, are:
- My small business is safe from cybercriminals, because they won’t waste their time targeting me
- My small business doesn’t have anything worth stealing
There is plenty of evidence to contradict the first point. For instance, in Verizon’s 2013 Data Breach Investigations Report, which includes data from worldwide forensic investigations, found that of the 621 data breaches analyzed, 193 breaches – more than 30 percent – occurred at companies with 100 or fewer employees1. The second point is equally untrue, since whenever a business makes a sale online, they almost always access some form of private customer data, such as their name, address, and credit card number. This basic information certainly has value to cybercriminals, and the financial information of the small business itself has value as well.
In fact, some cybercriminals prefer targeting very small businesses instead of larger businesses, since they believe many VSBs aren’t fully protected and are thus an easy target for a quick pay-day. Like all predators, cybercriminals set their sights on the weakest targets – with the lack the budget, and low levels of staff sophistication on a topic like security, VSBs are making an easy target and the chances of the thieves getting caught is much lower.
What Are the Consequences?
For a fledgling business, a single security incident can easily push it into financial ruin. According a 2013 Global Corporate IT Security Risks survey (conducted by B2B International, in conjunction with Kaspersky Lab), the worldwide average cost of a data breach for a small or medium sized business can be as high as $36,000 USD. This amount includes the average amount of lost business opportunities, as well as costs to hire an external IT expert to remediate the immediate problem, and possibly purchase new equipment. For a very small business, a 5-digit cost to respond to a cybersecurity incident can be a crushing blow. Beyond the immediate costs, a security breach can also create a more long-term and intangible effect – the loss of your customers’ trust.
Mark Bermingham, Director, Global Product Marketing, Kaspersky Lab
“If a customer is forced to cancel a credit card because their personal information was stolen from a business, that customer will likely be angry enough to never purchase from that business again. For VSBs that offer services involving sensitive information – such as tax records found in small financial services businesses – the customer could potentially sue the business. Lastly, many businesses are required by law to report certain types of data breaches. If their security practices are deemed to be below the minimum requirements set by industry regulations, the business could face steep fines.”
So what should VSBs do to protect themselves? Here are 3 quick tips:
- Understand that no company is “too small to be noticed” by the bad guys – even small companies have intellectual property, bank accounts, and in most cases, customer data.
- Keep it Simple – Small businesses should select SMB-specific software or select vendors that are well-known for providing intuitive, comprehensive security software in order to avoid the trap of paying too much for something they will struggle to use.
- Key Areas for Investment – Look into Encryption technologies after you’ve invested in basic anti-virus. Data encryption is vital for any company that processes and stores the payment information of customers, and is often required by law. If encrypted data is stolen or lost, there is a good chance the criminals will never be able to harvest the stolen data, leaving your customers protected.
Verizon Communications Inc.'s forensic analysis unit