When you think “data breach,” what typically comes to mind is the major retailers, restaurants and healthcare systems – the big names that we all know. But the reality is that 58% of data breaches recorded in 2017 were at small to medium-sized businesses (SMBs), according to Verizon’s 2018 Data Breach Report.
In fact, attacks against smaller companies have been on the rise over the last four years. “Cyber hackers view small businesses as a soft, easy mark versus big blue chip companies which have ramped up their cyber firewalls,” said Sian John, a chief strategist at Symantec. Matt McKenna of FounderShield adds, “Criminals understand that large companies are pouring significant piles of cash into beefing up their cybersecurity (Gartner forecasts worldwide enterprise security spending to total $96.3 billion in 2018). So naturally, SMBs become a logical target.”
Many small businesses think they are not attractive to hackers. Michael Kaiser, executive director of the National Cyber Security Alliance, says that small businesses “may also feel like they’re not going to be the target of an attack because they don’t have as much to protect.” However, small businesses hold troves of valuable information that is attractive to hackers, from customer information to vendor information to payment information.
The Inherent Security Vulnerabilities in SMBs
SMBs do not have the IT staff, the money or the resources to secure every way into their network and systems – which makes them a prime target. According to a survey conducted by CDW and IDG in 2018:
- 46% of all businesses surveyed had experienced a data breach
- Only 33% of small businesses had purchased security software
- Only 25% believed they were in compliance with the Payment Card Industry Data Security Standards (PCI-DSS)
- Only 30% of IT leaders are confident they can thwart an attack against their organization
Hackers use a variety of ways to infiltrate SMBs. A favorite is phishing email carrying malware. Symantec’s 2018 Internet Security Threat Report finds that 88% of malicious emails use malware-laden attachments to gain access to their victims’ networks. Smaller companies don’t always have the security in place to filter these emails, and instead rely on their employees not to open the dangerous messages or attachments. However, due to resource constraints, employees are not always trained properly on which emails not to open. Employees also make mistakes, and a single mistake can cost a small company hundreds of thousands to millions of dollars. According to Eva Velasquez, writing for Firm of the Future:
“…cybercriminals… will often begin to send out emails en masse, posing as your financial institution and asking for your personally identifying information (PII). Even those who would otherwise be leery of a phishing email may do a quick Google search to see if their bank had suffered from the attack and may find one of the many stories making headlines. The scammers know that these stories will help convince consumers that their financial institution has suffered from a breach, and they will, therefore, be more likely to go ahead with the process.”
Another issue is protecting the perimeter. SMBs often lack basic security controls such as firewalls, and many are notoriously bad at installing patches and software updates – which can leave an open door into a system for hackers.
Data Breaches Bring Dire Consequences to SMBs
According to Layr, 60% of small businesses go out of business within six months of a data breach or cyber-attack. One of the reasons this happens, according to Deloitte, is that there are many “hidden” costs not immediately counted in the financial loss, including brand and reputational damage, decreased confidence in the victimized company’s ability to competently deliver its offering, and even increased costs associated with debt financing. Vision Soft found that a single data breach can cost a small business 20% of its customer base, which is enough, for many, to shut their doors permanently.
And the brand damage can also be significant. In 2015, UPS Store computers were infected with malware that compromised 51 stores across 24 states and exposed the personal data of over 100,000 customers to hackers. You hear UPS and you think “another big retail hack.” But in fact, dozens of individually owned UPS Store franchises were breached, all under the umbrella of UPS, demonstrating that no matter how big or small your business network is – you can be breached.
Devaluing the Data is Key for SMBs
At Bluefin, we advocate for a holistic payment security approach, consisting of EMV, PCI-validated Point-to-Point Encryption (P2PE) and tokenization, to “devalue” an SMB’s payment data. There are two security paths that companies can take in the fight against data breaches: Defend the Data or Devalue the Data. With the Defend the Data approach, SMBs build stronger, higher and more expensive walls of security around their systems and data.
With the Devalue the Data approach, businesses employ security technology to devalue the cardholder data before it reaches their point-of-sale (POS) systems, rendering the data useless to hackers if it is exposed. This is where P2PE is such a crucial security technology: it encrypts card data immediately, inside the PCI P2PE device, so that the data never traverses the merchant’s system or network as clear text.
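The flow described above, written out as an added example (this is not Bluefin’s code, not a real P2PE implementation, and the class and function names are hypothetical): a stand-in terminal encrypts the card number with a key the merchant’s POS never holds, the POS forwards and logs only the encrypted payload, and a processor-side decryption environment decrypts it and hands back a random token for later use. The HMAC-based keystream cipher is an assumption standing in for the device’s real encryption, and the sample card number is a constructed test value, not a real account.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample card number (a standard test PAN, not a real account)
SAMPLE_PAN = "4111111111111111"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with an HMAC-SHA256 counter-mode keystream.
    Assumption: stands in for the AES-based encryption a real P2PE device uses."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class P2PEDevice:
    """Stand-in for a PCI P2PE terminal: the only merchant-side component holding the key."""

    def __init__(self, key: bytes):
        self._key = key

    def read_card(self, pan: str) -> dict:
        nonce = secrets.token_bytes(12)
        ciphertext = _keystream_xor(self._key, nonce, pan.encode())
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        # Only ciphertext, a nonce, an integrity tag and the last four digits leave the device
        return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(),
                "tag": tag.hex(), "last4": pan[-4:]}


class POSSystem:
    """Merchant POS: forwards the payload unchanged and logs everything it handles."""

    def __init__(self):
        self.log: list[str] = []

    def submit(self, payload: dict, processor: "ProcessorDecryptionEnv") -> dict:
        self.log.append(repr(payload))  # what a breach of the POS would expose
        return processor.authorize(payload)


class ProcessorDecryptionEnv:
    """Processor-side decryption environment: verifies, decrypts and tokenizes."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault: dict[str, str] = {}  # token -> PAN, never shared with the merchant

    def authorize(self, payload: dict) -> dict:
        nonce = bytes.fromhex(payload["nonce"])
        ciphertext = bytes.fromhex(payload["ciphertext"])
        expected_tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, bytes.fromhex(payload["tag"])):
            raise ValueError("payload tampered with or encrypted under a different key")
        pan = _keystream_xor(self._key, nonce, ciphertext).decode()
        token = secrets.token_hex(16)  # random token; no mathematical relation to the PAN
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": payload["last4"]}

    def charge_by_token(self, token: str) -> bool:
        """Later transactions (refunds, repeat billing) reference the token, never the PAN."""
        return token in self._vault


def run_sale(pan: str = SAMPLE_PAN) -> dict:
    key = os.urandom(32)  # assumption: injected into device and processor out of band
    device, pos, processor = P2PEDevice(key), POSSystem(), ProcessorDecryptionEnv(key)
    response = pos.submit(device.read_card(pan), processor)
    return {"pos": pos, "processor": processor, "response": response}


def pos_ever_saw_pan(pos: POSSystem, pan: str) -> bool:
    """True if the clear-text PAN appears anywhere in what the POS handled."""
    return any(pan in entry for entry in pos.log)


if __name__ == "__main__":
    result = run_sale()
    print("approved:", result["response"]["approved"])
    print("POS log exposes PAN:", pos_ever_saw_pan(result["pos"], SAMPLE_PAN))
```

The check that matters for a merchant is `pos_ever_saw_pan`: everything the POS logged is ciphertext plus the last four digits, so a compromise of the POS or the store network yields nothing a criminal can use, and the token is the only card reference the merchant keeps for refunds or repeat billing.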