Everyone knows all about hacking from movies, TV, and the news. Hackers are bored teenage geniuses, international spies, or unknown government agencies. They target lonely grandmas looking for love, deface megacorporations that cut down rainforests, and shut down critical infrastructure on behalf of a foreign power. Your small business doesn’t even factor into their calculations.
At least, that’s what they want you to think.
In reality, anywhere from 40% to 80% of all breaches involve a small business. There is no way to know the true figure, because the consensus is that the majority go unreported. Some estimates indicate that up to 80% of small businesses (SMBs) with under 500 employees will be impacted by a cybersecurity incident, with one occurring every 7 seconds in the United States. Experts expect this figure to increase even more now that AI has entered the picture.
So let’s debunk some myths:
Reality: Where there is money, there is a cybercriminal looking to steal it.
Data shows that small businesses are actually highly targeted, since a hacker can safely assume that there is no cybersecurity professional looking through logs, changing passwords, and training employees on best practices. Hedgerow Cybersecurity Consulting has seen attacks targeting the payroll of a single employee, an attack that would net the attacker roughly $2,000 a month if successful. For someone living in a developing country overseas, this is a substantial amount of money.
Additionally, depending on the organization, hackers might not be after money at all. Cyberattacks have been conducted against nonprofit organizations simply because they support a cause that hacker activists (AKA “hacktivists”) disagree with. Sometimes hacks are conducted just for fun.
No matter what, you can never assume that your business or organization is under a hacker's radar.
Reality: You can outsource as many systems as you want, but you cannot outsource your liability.
It is not wrong to think that outsourcing your email server to Google Workspace or your password management to LastPass is a security best practice. After all, your company has expertise in another field, and you are paying experts to do the work they have expertise in. But they do not take responsibility for all of your risk. For example, if an employee is terminated but no one removes their access to the company Facebook page, Meta has no way of knowing that they are no longer authorized to log in. A third-party vendor is better suited to build and maintain its own software or system, but you are still responsible for using strong passwords, managing users, maintaining acceptable use, and more.
Furthermore, a third-party vendor is itself susceptible to hacks, and if it is compromised, so are you. Recent data shows that around half of all breaches originated from a third party. Any business with a digital supply chain or online presence is susceptible to cyberattack, from an artist selling art on Etsy to a digital marketing company.
Reality: Cybersecurity best practices can be implemented in a cost-effective manner as long as you know what to prioritize.
It’s true that some defensive measures are expensive. There are firewalls and antivirus platforms that can cost hundreds of thousands of dollars. Luckily, for most organizations these are complete overkill.
When roughly 70% of cyberattacks involve some element of human error in their execution, ranging from failing to change a default password to clicking on a suspicious link, most incidents can be stopped in their tracks by proper training, with no fancy equipment required.
Of course, relying on training alone is not enough. Technical measures should also be implemented, but these can be done cheaply and effectively. Password managers, multi-factor authentication, data backups, and encrypted messaging can all be set up at low cost.
This is where Hedgerow Cybersecurity Consulting comes in. We know that you have neither the means nor the business case to spend half a million dollars on cybersecurity. That’s why we focus on the things that will most effectively mitigate your risk without breaking the bank: phishing prevention training, account access audits, policy implementation, Dark Web scanning, and more.
Schedule a 30-minute consultation with me here.