In a way, “small” business is a misnomer. SMBs account for half of GDP[1] in the U.S., and nearly 60 percent of GDP in many European and Asian nations. And the customer information and financial data they possess and process are just as vital and valuable as they are in any large organization. A customer whose data is exposed isn’t going to care how large the breached company was.
Yet, according to a white paper[2] by the cyber security firm FireEye, assets possessed by SMBs are startlingly vulnerable:
There is a combination here of wishful thinking and practical limitations. On the one hand, SMBs tell themselves a harmful breach won’t likely happen to them. On the other, even if they do respect the danger, they don’t have the resources to mount an adequate defense.
As FireEye says, “Small and midsize businesses are facing the same cyber threats as large enterprises, but have a fraction of the budget to deal with them.” At a small company, IT duties might fall to someone whose primary role is something entirely different; that person ends up handling the company’s tech because, well, someone has to. Even when there is a dedicated IT staff, it can be just one or two people, charged with everything from fixing the faulty Wi-Fi to keeping all company software up to date to making strategic plans for the company’s data foundation. And with a massive to-do list like that, defending against data-stealing robots and unseen criminals on the other side of the world may not seem like a top priority. Not to mention the skill set required — large companies have a difficult enough time finding and retaining top-notch security resources, let alone an SMB.
This is the situation cyber criminals are keen to exploit. Global digital security firm Symantec reports[5] that 31 percent of the victims of cyber attacks in 2012 were businesses with fewer than 250 employees — triple the number of attacks on SMBs in the previous year.
The writing is on the wall: If they rely on wishful thinking or meager protection, small and midsize businesses will simply remain insecure and prime targets.