Why would a hacker target my small business?

by Justin Massey, Sarina Bloodgood

November 8, 2022


A small business analogy

Imagine you’re running a small plumbing business. You’ve spent most of your savings to start, and a lot of time building a loyal customer base. Your storefront is small, containing only a few low-cost plumbing items and the equipment you need to do your job. You receive low foot traffic and know that the neighborhood has a minimal amount of crime, so you decide not to install any security cameras in the store. You never really think about the security of your business, until one day you return to find your business ransacked and burglarized.

With every window broken and all of your merchandise and equipment stolen, you remember that you purchased the weakest property insurance policy, and also skipped on business income insurance. You are now out of operation until you can assess the risk, and are financially reliable for most, if not all, of the damage. As a small business owner, you’re already struggling to make ends meet, and this could mean the end of your business.

Next door to your business is a small jewelry store. The sparkling gems in the window garner a lot of attention from people on the street. The store is a magnet for the wealthy and famous. The price of one ring in the window is worth the price of all of the merchandise in your store. There are security guards at every door, multiple security cameras inside and outside of the store, and appointment-only viewing for certain items. The place looks like a fortress next to your very small, and now damaged, storefront.

With expensive, valuable items right next door, it may seem foolish for a thief to target your small business. What would a thief want with a few plungers and valves? While there are many reasons why a thief may want to steal your items, such as economic hardship, thrill, or addiction, there is always a larger reason why you were their target in the first place.

Every day the news highlights another cybercrime against larger organizations, like the recent 2FA breach that affected password manager LastPass, Doordash's customer contact details exposure, or the $190 million loss for crypto startup Nomad. These attacks typically affect millions of users, so they’re top of the news cycle and known. However, each year 43% of data breaches happen to small businesses. Some firms see an incident response rate of up to 85% for small- and medium-sized businesses each year. These numbers don’t include the copious and dramatically rising amount of malware and ransomware attacks against small business owners, or the dozens of other ways cybercriminals and hackers manipulate owners to gain wealth, power, and attention.

So, why would a cybercriminal or hacker potentially target your small business?

1. You haven’t thought about cybersecurity, or take it seriously

Only 5% of business owners feel that cybersecurity is the biggest risk to their business. With such a small portion of businesses taking cybersecurity seriously, it only makes sense why thieves have started to stake out smaller operations in exchange for the larger. “The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture,” said FBI Supervisory Special Agent Michael Sohn. “So what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses.

4 out of 5 cybersecurity breaches are attributed to organized crime Highly skilled, trained cybercriminals are always coming up with new ways to exploit small businesses as they aren’t thinking about the threat they’re facing. All day, every day, these criminals operate in social groups to educate and grow their profession. Cybercriminals are some of the savviest people in the world, from former or current government employees to self-trained professionals. By employing psychological techniques, they gain a maximum benefit from the smallest risk possible. Knowing, understanding, and taking steps to fortify your environment against cybercrime is the first step toward eliminating the threat all together. The more educated and prepared you are, the less chance they will target your organization from the start.

2. You’re a victim, by proxy

Larger companies know that hackers will always target their business by proxy of notoriety. Being in the spotlight naturally catches the attention of bad actors, so many of these organizations employ security engineers, spend millions of dollars each year boosting their security posture, and offer bug bounty programs to minimize the chance of incidents and abuse. Hackers and cybercriminals have shifted to easier targets, like small-to-medium sized businesses, in an attempt to maximize the potential of smaller gains, or find easier pathways into the bigger players.

3. Your small business is a tunnel into larger organizations

As mentioned above, hackers know your small business is a potential stepping stone into larger organizations, and vice versa. Many small businesses rely on third-party software when they cannot afford to employ teams of highly skilled engineers to create custom software. Without complete control over your engineering environment, it is possible that the third-party software you employ contains vulnerabilities. Likewise, hackers can exploit vulnerabilities in your codebase to backdoor into third-party software. The more points of entry combined with a lack of control over an environment, the easier it is for a hacker or cybercriminal to gain entry and pass through unnoticed.

4. Ransomware against your small business is more likely to succeed

Ransomware attacks increased by 13% in 2022, the largest jump from year to year in the last five years. Organized cybercriminals are becoming more skilled at siphoning data and money from small businesses through ransomware attacks because they know that small businesses don’t have the time, money, or resources to educate their employees on security. If your small business is attacked, you are more likely to pay the ransom than a large organization who has access to legal and financial recovery options, and cybercriminals are very aware of this.

5. Your customer data is valuable in larger attacks

State-sponsored cybercrime involving small businesses is becoming increasingly more common and easier to execute thanks to cryptocurrency. Threatening to publish customer or financial data in return for money is a very common tactic that cybercriminals use. They may do this in a grouped attack against many organizations and institutions at once, making you a target by proxy.

Something as simple as vendor tooling, which helps power your small business, may be your ripest area for security failure. Antiquated technologies may be creating more good than harm. A quick move to full-time remote may have rushed infrastructure review by your IT and security team. An IT vendor may not have taken into account what threats are widely targeting your industry or even think about the threats you may face, at all.

Whatever the reason, now is the time to fortify against these attacks. Cyber threats are more prominent than ever for small businesses, with over 50% of IT decision makers seeing a rise in attacks since the start of the pandemic. That threat will only continue to grow as many businesses shift into remote-first and hybrid work environments with a lack of understanding for tooling, infrastructure, and employee interaction within that environment.

While some larger organizations face settlements that may last years after an attack, others have had to shut down permanently, the outcome of a cyber attack is far more likely to be catastrophic if you’re a small business owner. Statistically, over 60% of small businesses shutter within 6 months of a cyber attack. While it may never happen to you, the risk far outpaces the benefit of cutting temporary corners. Now is the time to find solutions, before an attack occurs.

How do I secure my business?

While there are many ways to secure your environment on your own, as a small business, you may not have the time, money, and resources to do this. If you need an extra hand, use Relay Hawk to assess your security controls and threats before they even occur.

Relay Hawk is a tool that helps secure your business without the need to employ a full-time security expert. Identify misconfigurations early, such as remote desktop servers, backend servers, and databases that should not be exposed to the internet. With always-changing laws, rules, and regulations, Relay Hawk helps you stay on top of compliance requirements like PCI and HIPAA. Secure your internal infrastructure and applications, implement security controls, and more.

Keep up to date

Get the latest cybersecurity news and tips from our experts