
Should SMBs bother about security?

Updated: Jan 22, 2023

During our discussions with small businesses, we frequently come across many interesting questions. I will go through some of them in a series of blogs to get an understanding of reality vs what people think.





We are a small business: what can an attacker gain from us?


One of the biggest misconceptions is that only large businesses are under attack. What treasure can a restaurant or a yoga clinic offer to hackers? Well, if a business is storing business-critical data or information about customers, such as personal identifiers, payment card information or user accounts, then it is fair game for hackers.

A survey of small-business owners by Nationwide found only 13 percent of respondents believed they had experienced a cyber attack. However, when owners were shown a list of specific examples of attacks, including phishing, viruses and ransomware, the figure of those reporting attacks increased to 58 percent.

If you need more proof, look at this Verizon report, which mentioned that 58% of malware victims are SMBs. In a way, it makes sense as well. Small to medium businesses are low-hanging fruit for hackers. Most large establishments have a proper cyber security team, and they spend large amounts of money on monitoring, firewalls, etc.

On the other hand, small businesses in particular have a very small IT team that doubles as the security experts, and no separate budget for security. In the absence of any monitoring, they don't even know that they are under constant attack and may already have been compromised. The Nationwide survey shows the cyber attacks on small businesses by category.



e that securing IT infrastructure requires investment. So the next question is how much money a small business can afford to put into securing its infrastructure and whether it is worth it. This question comes under the purview of Risk Assessment, which we will discuss in later articles. The first thing is to understand that there are two aspects to any data breach or system compromise: Regulatory and Business Critical.


Regulatory:

Under the brave new world of GDPR, any breach of user data can be fatal for businesses in monetary or reputational terms. Under GDPR, the Information Commissioner's Office can fine an establishment up to €20 million or 4% of annual global turnover, whichever is higher. Reputational damage can be much higher, especially for businesses that rely on an online model for revenue generation. GDPR has also widened the definition of personal data, so it is very important for a small business to understand what data it holds.


Business Critical:

action is stored either on local servers or somewhere in the cloud. This data includes everything from employees' personal files, customers' details and legal documents to business inventory. Imagine entering the office one day and realizing that all the files on your server have been encrypted by a hacker with a million-dollar demand. It may be the end for some businesses. Ponemon's 2017 State of Cybersecurity in SMB report estimated that in 2017, cyber-attacks cost small and medium-sized businesses an average of $2,235,000.


Another aspect which is often overlooked is that some professional cyber criminals can use a small business to gain access to a large organization. One of the prominent cases is that of a small air-conditioning company which was used to gain access to the American giant Target, where hackers managed to steal the information of millions of credit cards. The small company had a network account which was used to monitor air conditioning units at Target’s stores, and hackers used that credential to breach the security at Target.



The truth is that small businesses face the same level of threat as large organizations, and the attack vectors are also similar. In some cases, SMBs can be very tempting for attackers as there may not be any security for the infrastructure.

