Seems just about everybody loves the small business. And who wouldn’t? The small business is both the engine and the jewel of the U.S. economy, accounting for more than 99% of all businesses in America. They’re a job engine too, generating 64% of net new jobs over the past 15 years, representing 44% of total U.S. private payroll and 40% of high tech workers. And they’re the innovation engine, producing 13 times more patents per employee than large firms.
But amongst the crowds of adoring fans hides a growing legion of more sinister admirers. They’re the hackers, identity thieves, and cyber crooks who now see your small business as their big payday.
Smaller firms seem to be under attack from all sides – their computers, their bank accounts, and even their websites. A 2011 study by Verizon of more than 800 investigated data breaches found that the vast majority of these breaches occurred not at multinational giants but at small businesses.
In its report, Verizon concluded that “Small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets.” This finding is supported by Visa, which claims that 95% of its credit breaches occur at its smallest businesses.
Data isn’t the only thing the crooks are after, and money is still a respected currency in the cybercrime underground. According to Tom Wills, fraud analyst with Javelin Strategy & Research, “The low-hanging fruit for these overseas criminal syndicates is clearly small and medium-sized businesses, which, because of inadequate and antiquated security controls at 99 percent of U.S. banks, combined with the larger bank balances that businesses typically hold, represent much better financial yields to the fraudsters than when consumers are targeted.”
So why is everyone picking on the little guy? Security experts point to a variety of factors:
For a small business, unlike a larger enterprise, a single security incident, even a minor one, could be the death knell. According to research firm the Ponemon Institute, a single data breach or exposure of just 1,000 customer records costs the breached entity an average of $194 per compromised record, or $194,000. Few small businesses could afford such a loss.
For most small businesses, their website is their storefront. For hackers, the website is a back door, and an often-too-easy way to break into a business from the comfort of an armchair halfway around the world - hackers who want every last piece of customer, employee, and personal information that might be accessed through that website.
And a poorly protected website is not just an easy way for hackers to steal customer and employee information, it’s also one of the most favored ways to spread malware to surfers and shoppers. Known as drive-by downloads, hackers will jump at the chance to install sophisticated malware on unprotected websites. This hidden payload will then silently infect any visitors to that website with a variety of dangerous malware.
Not only is it an easy way to infect thousands of web users, but guess who gets the blame if the malware is detected? And even if your business is not directly punished for this lapse, it could sure feel like it. Major search engines like Google and Bing scan millions of websites every day looking for sites that might be unwittingly hosting malware.
And what will they do if they find such malware on your website? They’ll start by sending your business to the sin bin - blacklisting it so your infected website won’t appear in any search results. Blacklisting protects surfers from catching whatever bugs might be lying in wait on your website, but it also stops your customers from finding your site. Which makes the point of having a website, well, pointless.
And it’s only going to get worse. As users become more wary of emails laden with infected attachments, hackers are increasingly turning to drive-by downloads instead. And security experts are worried. In January 2013 the European Network and Information Security Agency (ENISA) identified the drive-by download as the number one cyber threat worldwide.
Small businesses are especially vulnerable to this threat because they’ve never really had many good options when it comes to securing their websites. Until recently they had to choose between enterprise-level security solutions that were very expensive and required a lot of technical knowledge and oversight, and more affordable but bare-bones protection that provided little real resistance to even amateur hackers.
But all that’s beginning to change. Thanks to innovators like SiteLock®, small businesses can now have the best of all possible worlds: access to enterprise-class web scanning services that can detect malware hiding on a website, probe for security vulnerabilities, and even make sure the website is not facing the dreaded blacklist; advanced security that still requires no technical knowledge or resources and no effort or time on the part of the business; and best of all, a price so affordable that even the smallest business would find it hard to resist.
With so many small businesses now being impacted by cyber attacks, it’s no longer difficult to find a small business owner with a harrowing story.
Take Anthony. It’s not his real name because he’s still scared of retaliation, and he’s even reluctant to identify the nature of his business or even the state he’s based in. Anthony started his business a little over four years ago and does all of his business online, delivering his products directly to consumers and other small businesses.
Starting nearly three years ago, Anthony suffered the first in a series of devastating attacks on his website that were so severe, he ended up being blacklisted by search engines. No matter how hard Anthony tried, hackers were still able to infect his website with dangerous malware that was capable of infecting any visitors to the website.
That resulted in his site and business being blacklisted or blocked by the major search engines. That’s because in order to protect their reputation and surfers, search engines constantly scan the internet for small businesses that have significant vulnerabilities or have malware lurking on them.
Because search engines lead visitors to these websites, they don’t want to lead them to infected websites. So they blacklist those sites, at least temporarily, so that visitors won’t be able to find the site until the security problem has been fixed.
It’s bad enough if it happens once, but if it happens repeatedly, as in Anthony’s case, it can be devastating. Being blacklisted means your customers simply can’t find your website, even though they know exactly who and where you are.
For Anthony, his website isn’t just his storefront, it is also where he generates his leads. He was investing more than 40% of his marketing budget in lead generation, through everything from Google search engine marketing to social media. But those leads were now worthless because they couldn’t find that storefront.
Each attack, which Anthony believed was targeted and malicious, put the web side of his business on hold for up to a week. And each time that happened, it would cost him up to $30,000 in downtime and lost business. Not to mention the long-term damage to his reputation and goodwill.
And as if things couldn’t get any worse, the search engines don’t forget. Once placed on a list, a business can stay on that list. The search engines want to make sure that when a security hole is plugged, it’s plugged properly and permanently. But being on that list also pushed Anthony’s business further down the search rankings. Which is a double whammy because he’s still losing more business while at the same time having to spend even more marketing dollars to claw his way back up the rankings just to get back to where he used to be.
In spite of spending more than $2,000 to hire a security company he found on the internet, the attacks kept coming. So far his losses have topped $300,000. When he finally found SiteLock, they recommended he use something called a web application firewall, or WAF, that helps filter out such attacks in the first place.
Finally, something worked. For just a couple of dollars a day, Anthony has been able to stop the attacks cold. And while he still worries that it can happen again, at least he’s free to start rebuilding – not just his business and website traffic, but the trust of his customers and the search engines. It’s a slow process but one that many thousands of businesses may also be facing. And, like Anthony, many are too afraid to come forward for fear the publicity will do even more harm.
Security doesn’t have to be difficult in order to work. In fact, as security technologies become more advanced they become more automated – meaning that technically challenged business owners don’t have to worry about learning new skills or technologies.
There are at least a dozen simple steps any business owner can take and repeat that will minimize the risk of an attack on their website. Here are some tips to help online businesses get started.
One of the easiest and most affordable is a web scanning service. SiteLock, for example, provides comprehensive and automated website protection, that’s enterprise grade, for as little as $10 per month. And it’s always-on security, meaning your website can be watched and guarded all day every day, and any vulnerabilities found are acted on quickly.
SiteLock is a global website security technology and services leader, protecting more than 700,000 online businesses. SiteLock finds, fixes and helps prevent malware and other threats from affecting websites and their visitors. As a member of a number of cybercrime awareness and prevention associations, including the Anti-phishing Working Group (APWG), the Online Trust Alliance (OTA) and StopBadware.org, SiteLock continually strives to educate the small business market about the risks to their websites and help prevent them.