Over the last five years, the US has seen quite a few large scale data breaches addressed in the news. Many of these newsworthy breaches have targeted very large companies: Equifax (2017), Adult Friend Finder (2016), Anthem (2015), eBay (2014), JPMorgan Chase (2014), Home Depot (2014), Yahoo (2013) and Target Stores (2013) to name a few. However, small- to medium-sized businesses are being targeted more frequently and often more effectively. In fact, the hackers involved in the Target breach of 2013 gained access through a privately held third-party contractor with about 125 employees, stealing their vendor credentials and accessing Target’s electronic billing system.


Small to Medium-Sized Businesses

According to a Ponemon Institute’s 2017 Report, 61% of small and medium-sized businesses experienced a cyber attack, an increase from the 55% reported the previous year. In addition 54% actually faced a breach, also an increase from the 50% in 2016. This growing threat to these smaller businesses is not new to the cybersecurity landscape. In 2015 Symantec reported a dramatic increase in spear-phishing attacks targeting businesses with under 250 employees, from 18% to 43% in just five years.

The likely cause of this targeting is the belief held by many small and medium-sized businesses that they are too small to be of interest. Though malware is used in 30% of security events and ransomware was the most prevalent variety of malware in 2017, 51% of surveyed businesses believed themselves to be too small to be the target of a ransomware attack and only half considered prevention of ransomware attacks a high priority, according to the Ponemon Institue report.

While some (48%) believe that anti-virus protection will be enough to protect their company, three quarters of organizations breached were running up-to-date endpoint protection, according to a survey report released by Sophos, one of the top 10 global security software providers. In fact, 79% of ransomware was allowed access through phishing or social engineering efforts targeting company employees. The lack of proper education and training for employees can leave large vulnerabilities in businesses’ cybersecurity plans.


Data Breach Costs

When a breach does occur, the costs can be significant for small to medium-sized businesses. In 2017, costs of data breach for these businesses averaged $2,235,000, and lack of preparation only drives these costs up. Ransomware often blocks access to essential business data until a ransom is paid, so the longer it takes to resolve the breach, the more businesses lose in downtime costs. Datto reports that small to medium-sized businesses lost an average of $8,500 per hour of ransomware-induced downtime in 2017.

These costs are expected to increase in the future. Cybersecurity Ventures predicts that ransomware damages will cost $8 billion globally in 2018, up from $325 million in 2015 – a 2,360% increase in only three years. Ransomware targeting healthcare organizations are of particular note, predicted to quadruple by 2020.

With the prevalence and cost of cyber attacks growing, all businesses, including small to medium-sized organizations, should be aware of their risk for a data breach and take measures to protect their company and prepare a plan to address the eventuality of an attack.


Tools and Resources

We provide several tools and resources to help you evaluate your risk and begin addressing your security and recovery program in our Cyber Center. Our Cyber Risk assessment in particular can help you evaluate your business’s potential cyber risk.

Complete the two-minute survey to see where your level of cyber exposure falls on our risk-o-meter.