“Australia’s innovative small business owners are used to wearing many hats, but we can’t just add another task to the to-do or ‘too hard’ lists.”

– Alexi Boyd, CEO, Council of Small Business Organisations Australia (COSBOA)

Small business owners are very impressive people. They are bold risk-takers with a burning desire to succeed. They create jobs and hugely impact the economy. They are passionate about making a difference. They are willing to take on any role or all roles if necessary.

However, they may be too busy to prioritise cyber security, perhaps thinking that only bigger organisations are prime cyber targets. Reports cited by the Australian Cyber Security Centre (ACSC) show otherwise:

  • Some 150,000 to 200,000 small office/home office routers in Australia are prone to compromise.
  • One in four small to medium businesses paid a ransom after a ransomware attack.
  • Global trends indicate a shift to targeting small and medium sized businesses.

One thing is sure: Business size does not matter to cyber criminals.

Why Cyber Attacks Happen to Small Businesses

One case in Brisbane prompted the Queensland Police Financial and Cyber Crime Group to alert small businesses to avoid getting scammed. A criminal used malware to enter the system of an unnamed local company. The hacker then accessed the business client list and used their invoice template to email clients, leading to the company losing $1.9 million.

All businesses are potential targets, but small businesses are being particularly targeted for the following reasons:

Perception of Weaker Cyber Defences

Businesses with few employees and/or low turnover are seen as easy prey. They are a prime target for cybercrimes because:

  • Cybercriminals assume that they do not have the resources to invest in strong cyber security.
  • Some business owners may put cyber security near the bottom of their to-do list.
  • They do not have in-house talent to manage cyber security.
  • They often have less complex IT infrastructures that are easier to access and exploit.
  • It could be easier to victimise someone who does not consider themselves a target.

Simply put, it takes less effort to jump over a low fence than a taller one.

The Valuable Data They Keep

Small businesses may be storing data that cyber actors consider valuable, such as customer data, financial data, or intellectual property, as follows:

  • They often collect customer data (names, addresses, and other personally identifiable information) which can be used to commit identity theft or fraud.
  • They may have access to financial data (bank account numbers and credit card numbers). Cyber attackers can use those to steal money or commit fraud.
  • They can develop intellectual property, such as new products or services. Cybercriminals can copy or steal the intellectual property.

Lack of Expertise in Cyber Security

It might not be true for all, but the perception is that a small business has insufficient capacity to counter cybercrime. For example, there may be a perception that small business staff or stakeholders are likelier to fall for a phishing attempt.

Cyber crimes are becoming more complex and more sophisticated by the day, and not everyone has the capacity to keep up. A small business may also not be as familiar with the latest scams. In contrast, bigger organisations can have someone or even a team devoted to IT tasked to actively provide information and/or training to their people on a regular basis. See how untrained employees can put your SMB at risk.

Limited Resources

This could be the most obvious reason: Small businesses may not have the resources to hire security experts, to implement complex security measures, or to test their systems regularly.

They probably have a smaller budget, leaner staff, and less time for cybercrime prevention or cyber security policies. They may then have to rely on less expensive or less effective security measures, and so, boom – another open window for cyber threats.

Lax Security Measures

It’s so much easier for a stranger to enter an unlocked door than a locked one, right?

The misconception that small businesses are unlikely cyber targets, combined with budget and staffing constraints, may lead to having little to no cyber security policies in place. Whether due to a lack of resources or expertise, small businesses may also be using outdated systems that are less safe.

While security software should constantly be updated to address new threats, small businesses might not be able to keep their security software up to date, which can leave them vulnerable to attacks.

Another cause of complacency could be employees not having enough training in identifying and avoiding cyber threats – but what they don’t know will hurt them.

Cyber Security Tips for Small Businesses

Now that you have a better understanding, here are some things you can do to improve cyber security in your small business:

Do What You Can (Even Without a Cyber Security Services Provider)

You don’t need to break the bank or to hire more staff to do these cyber security basics:

  • Implement stronger passwords and multi-factor authentication.
  • Update your software and systems.
  • Do regular backups of your data.
  • Use firewalls.
  • Use antivirus software.

Train Your Staff

A huge 95% of cyber incidents are caused by human error. The good news is you can train your staff – probably the most important thing you can do.

  • Make sure your cyber awareness training is supported by your top management.
  • You must make the training mandatory for all employees.
  • You could even make it available for your other stakeholders.

Don’t Wait – Implement Cyber Security Solutions Now

Prevention is still better than a cure, as the case studies below illustrate. They cover companies of different sizes, showing that cyber security measures should be put in place regardless of size.

It was business as usual for Value Plus, a small financial services provider with a few staff. Then they received a notification about potential vulnerabilities due to their unmanaged devices. They immediately sought a comprehensive cybersecurity review, then engaged Future IT Services to bolster their cyber defences. Their online protection levelled up, they reduced cyber risks and became compliant with standards.

Another example is Gidgee Healing, the largest Aboriginal Community Controlled Health Service provider in Queensland. They noted reports of data breaches among their industry peers and requested a cybersecurity audit. The team at Future IT Services helped them move up to Maturity Level 2, which gave them confidence in protecting patient data and other sensitive information.

Get Cyber Security Consulting Services You Can Trust

Unless you have an in-house IT professional, you can ask for help from cybersecurity services experts. It could cost you a little, but imagine how much more it would cost you in case of a cyberattack – plus the possible reputational harm.

To enquire about how Future IT Services can help protect your small business, call us at 07 4058 5700, email support@futurecomputers.com.au, or send us a quick message. We have been helping businesses with their tech needs for almost 30 years now, including cyber protection – with the mindset that “nothing is worthy breaking a trust.”

Always Be Ready, Control What You Can

In the “real world”, people are not excluded from being victims of crime just because of their financial standing, where they live, or what they do for a living. It’s the same in cyberspace – anyone can be a target, including a small business.

We hope you never experience a cybercrime (that’s outside your control), and we want you to be ready in case it happens (that’s within your control).