Sure, cybercrime headlines go to multinational conglomerates that are breached by determined, sophisticated criminals. But small firms get hit more often, a fact that no doubt surprises their owners and customers.
Mom-and-pops often take fewer precautions, and when their customers also let down their guard, they all become easy prey. It might be more time-consuming to string together access to a lot of small businesses, but the prize – fat consumer financial accounts – is just as valuable as any stolen from big firms.
Security Polices Are Lacking
A recent survey of more than 1,000 businesses with less than 250 employees shows that nine in 10 have no formal policies guiding employees on how to avoid malicious sites that download malware. Commissioned by the National Cyber Security Alliance and Symantec, the poll also found that more than seven in 10 respondents have no guidelines for using Facebook, Twitter and other social media where cybercriminals will hijack accounts to distribute malicious links.
Privacy polices were also lacking. The survey found that 60% of the businesses had no guidelines for employees to follow regarding customer or employee information.
The Security Risks Are Obvious
Oddly, small-business owners understand the importance of Internet security.
Fully 73% said using the Internet safely was critical to their business, and 46% acknowledged it was very critical. In fact, nearly nine in 10 had one or more employees using the Internet for daily operations, with seven in 10 saying they were either somewhat or very dependent on the Internet for running their company.
Nevertheless, nearly 60% of the businesses had no contingency for handling a loss of customer or employee data, credit or debit numbers or intellectual property. Yet, nearly seven in 10 manage their own sites in-house, meaning if there's trouble, the small business is liable.
Size Doesn't Matter
So why the disconnect? Michael Kaiser, executive director of security alliance, said small businesses believe hackers are more interested in breaking into large companies that would seem to have much more valuable information.
"They may think their size protects them," Kaiser said.
What many small businesses don't realize is that hackers value information no matter the size of the company. They want names and passwords of employees' email accounts in order to identify customers and send them malware or links to malicious sites.
Small businesses “may not understand how the cybercriminal system works," he said. "A list of 200 customers may be incredibly valuable."
Of course, not all small businesses operate the same way. Those working with defense and financial firms are used to tighter security requirements, for example. More small businesses will have to upgrade to similar levels.
The Easy Pickings
Software powering electronic cash registers is a popular target. Last December, four Romanians were indicted in U.S. federal court for allegedly stealing credit-, debit- and gift-card numbers from the point-of-sale systems at 150 Subway restaurants and more than 50 other franchise and small retailers. The suspects were accused of charging millions of dollars to the accounts of 80,000 customers.
Chester Wisniewski, senior security adviser for anti-virus software vendor Sophos, said small businesses tend to fall behind in software updates that patch security flaws.
"A small business is a target that doesn't necessarily have any better security than my mom and dad," Wisniewski said.
Weak security by small businesses accounts for 90% of the payment data breaches reported to Visa. A study by Verizon found that nearly three-quarters of data breaches in 2011 involved businesses with fewer than 100 employees.
Share As Little Data As Possible
Put all the facts together and a person would be wise to share as little personal information as possible with a small business.
All business owners should consider the case of hotelier Wyndham Worldwide. It was sued this year by the Federal Trade Commission for failing to have adequate security to prevent the theft of payment card information of hundreds of thousands of customers.
There’s nothing to say a small firm can’t be victimized and then sued.
"I wouldn't store my credit card with anyone," Wisniewski said.