Just this past week came the news of the hack of the eastern U.S. pipeline, where the systems were locked and a ransom demanded to unlock them. The pipeline, as of this writing, is still mostly shut down, and the economic ramifications are significant. We hear a lot of these stories in the media: big enterprises, crippled. It cost Maersk, the shipping company, an estimated $300 million to recover from the NotPetya attack a few years ago. What we don't hear very much about, if at all, are the similar hacks that happen to small and medium sized businesses.
Small and medium sized businesses (SMEs) suffer ransomware attacks, data breaches and other digital criminal activity far more often than big organisations. But we hear little about them. Why? There are several reasons at play.
The larger cybersecurity firms don't offer many services for SMEs, because SMEs aren't seen as profitable given the cost of the sale, and the prices those firms charge are often out of reach for an SME. So SMEs buy lower-level cybersecurity products such as antivirus software, or maybe a network security app here and there. They tend to have only one to four IT people on staff, and despite IT being so embedded in the organisation, budgets are often hard fought for and cybersecurity is seen as expensive (it doesn't have to be). Management also sees IT as a cost centre, and SME owners tend to think they're so small that hackers are only interested in large companies and governments. They aren't.
SMEs are of great interest to hackers, especially for ransomware. Of particular interest in Canada and the U.S. are veterinary clinics, dental practices, medical clinics, mid-size manufacturers and knowledge and services based businesses. Hackers most like firms with between $2 million and $50 million in revenue, and they do their research first. While we hear of hospitals and other large enterprises being held to ransom for hundreds of thousands or millions of dollars, SME ransoms are typically between $5,000 and $20,000: enough to hurt the organisation, but usually small enough not to be worth the effort of law enforcement, and an amount a properly insured SME can be compensated for. These hackers are sophisticated criminal networks who are also entrepreneurs and know their market. SME hacks are all about volume.
The favourite types of attacks on SMEs are ransomware (holding a network and the PCs on it locked down until a ransom is paid), phishing and spear phishing to get fake invoices paid, and stealing data for resale on the Dark Web. As an SME with maybe only a few hundred or a few thousand client records, it's easy to think this isn't of value to a hacker, but when they're stealing from a few thousand SMEs, it all adds up.
We all like to think that cyber criminals aren't that interested in a small business, but as we've indicated, they are. Under Canadian law, an organisation that suffers a data breach, discovers it and fails to report it to the federal Privacy Commissioner can face a fine of up to $100,000, and that's not chump change. Steps can be taken to mitigate the risk, and they don't cost a fortune when done right.