Nearly 60 percent of small businesses have been the victims of a cyberattack over the past year, but the vast majority didn’t realize that they had been attacked, according to Nationwide’s third annual survey, released Monday.
The insurance company tapped 1,069 businesses with fewer than 299 employees for the study. Initially, only 13 percent of the participating companies said they had been victims of a cyberattack. However, after they were shown a list of cyberattack types — ranging from phishing scams to trojan horses to ransomware — that figure shot up to 58 percent.
“Cyberattacks are one of the greatest threats to the modern company,” said Mark Berven, Nationwide’s president of property and casualty. “Business owners are telling us that cybercriminals aren’t just attacking large companies on Wall Street.”
The companies that are targeted often have fewer cyberdefense systems, less money to invest in threat protection, and less name recognition at risk from a breach.
The most common forms of attack, based on the survey, were computer viruses, cited by 36 percent of respondents. Next came phishing attacks, cited by 29 percent, and then trojan horses, cited by 13 percent.
Lack of preparedness was a significant problem for the companies surveyed. About 57 percent of the firms did not have dedicated employee or vendor monitoring for cyberattacks in place. About 76 percent did not have a plan for dealing with such attacks. Fifty-seven percent did not have a plan for protecting employee data, and 54 percent lacked a plan for protecting customer data.
Recovery from cyberattacks in many cases was slow and expensive. About 20 percent of cyberattack victims spent US$50,000 and took more than six months to recover, while 7 percent spent more than $100,000 and took more than a year to recover.
Cyberattackers typically steal credit card information from companies with customers who make purchases from them, noted Karen Johnston, a technical consultant with Nationwide. that much
They also steal personally identifiable information — such as addresses, names and Social Security numbers — that hackers can use to apply for new credit cards or loans, she told the E-Commerce Times.
Small businesses need to make sure their systems have proper antivirus and firewall protections, and make sure their systems are password-protected and properly patched and updated with the latest versions of antivirus and operating system software, Johnston said.
Companies also need to have up-to-date backups of their critical systems and customer data, and consider having cloud backups of this information, she suggested.
Further, most small businesses fail to have proper cyber-risk insurance, Johnston noted — or they think they are covered by existing business policies when they are not.
With their limited resources, small businesses tend to be more vulnerable to cyberattacks than larger enterprises.
“Small businesses are one of the most at-risk sectors of the market, in part because their data is equally valuable to an attacker and simultaneously their protections are significantly [less] than what you would see in a mid-size or enterprise business,” explained Kevin O’Brien, CEO of GreatHorn.
Cyberthieves are likely to sell whatever data they find on the Dark Web, and the price per item likely will be the same, whether the firm that was breached was a Fortune 500 or a much smaller firm, he told the E-Commerce Times.
The majority of attacks still arrive via email, but there recently has been a rapid increase in attacks via mobile devices and social media, observed Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint.
Technology firms and companies with complex supply chains, like manufacturers, are targeted more frequently, with about 40 email fraud attempts per organization, he told the E-Commerce Times.
“Small businesses can be a really sweet spot for cybercriminals. They have more money to steal than a consumer and less security in place than a large business,” said Kevin Haley, director of security response at Symantec.
“They are also often dependent on third-party vendors for their technology,” he told the E-Commerce Times. “Meanwhile, cybercriminals can be very successful specializing in breaching one technology or solution and working their way through the small businesses that use it.”