Are Small Businesses Protecting Customer Data?

Today’s cyber-attacks are simple enough to be deployed at a large scale, and hackers are using them to target small businesses that typically have a moderate amount of data with minimal security.

Editor's note: Data Privacy Day is an international event that occurs every year on Jan. 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Israel and 47 European countries. The following story is relevant to this topic.


Small businesses certainly aren’t immune to cybercrime. The cyberthreat landscape has evolved; attacks don’t stem from only rogue hackers hoping to get access to corporate secrets from large businesses. Instead, small businesses are just as likely to be the victim of cyber-attacks as large corporations, with organized crime groups targeting points of weakness in the hopes of making quick money.

Today’s attacks are simple enough to be deployed at a large scale, and hackers are using them to target small businesses that typically have a moderate amount of data with minimal security.

A Better Business Bureau study found that even the smallest of businesses are at risk. Of respondents representing businesses with 0 to 5 employees, 16% have faced a cyber-attack, and 9% don’t know if they’ve been targeted. Similarly, about 12% of survey respondents from organizations with 6 to 10 employees have been attacked, and 14% are unaware if they’ve ever fallen victim to a cybercrime.

No Small Threats Anywhere

Cyber-attacks don’t represent small threats, either. A Kaspersky study indicated that among small businesses, the average direct cost of recovering from a data breach is $38,000. The direct costs commonly associated with data breaches are far less significant than the “hidden” costs.

Companies must also consider the operational implications of a cyber-security incident. Businesses rely on data. In fact, the Better Business Bureau survey found that only 35% of businesses could maintain profitability for more than three months if they were to permanently lose access to critical data.

It doesn’t take much to run into a data loss incident, either. Ransomware is more likely to create sizable data loss than a hard disk failure, and it is emerging as one of the most common types of attacks.

Beyond data loss, organizations must also contend with reputation-related damages, legal costs, customer defection and similar issues when impacted by a data breach.

The threat for small businesses is real and growing. The Identity Theft Resource Center found that the number of tracked U.S. data breaches reached a new high in 2017, as the figure climbed 44.7% year over year.

Taking cyber-security seriously isn’t just important in preventing damages. It can also create a positive starting point with customers by showing you care about the security of their private information.

With risk rising at an astronomical pace, small businesses must prepare themselves to not only keep attackers at bay, but to also respond effectively in the event of a disaster. This process begins by understanding the entire threat climate.

Data Point Question No. 1: Which industries are most at-risk for cyber-attacks?

Any type of organization may be threatened. However, a few industries stand out as being highly targeted based on data from the Identity Theft Resource Center. These industries include:

General businesses: The average business is the biggest target for attacks. The Identity Theft Resource Center found there were 1,579 tracked data breaches in the U.S. in 2017, with 870 of those breaches impacting enterprises. If that number seems low, remember that it covers only reported and tracked data breaches—not the many attacks that go unnoticed or are kept quiet.

Health care: The study indicated that approximately 24% of all data breaches in 2017 happened at health care industry businesses. These statistics aren’t limited to hospitals and care networks; 83% of physicians polled by the American Medical Association said they’ve faced a cyber-attack.

Banking and finance: Banks and financial institutions are heavily targeted by cyber-criminals seeking to hack into the accounts of customers. Organizations in this sector were struck by 8.5% of all breaches.

Retail: While not mentioned in the study, the rise of e-commerce is leading to a rapid increase in the number of attacks targeting merchants online and through attacks at the point of sale.

Data Point Question No. 2: What data are hackers targeting?

Beyond knowing what industries are most at risk, it’s important to identify what data is targeted most often. For example, the information stored on mobile devices. Many smartphones and tablets lack the same security protections offered by traditional computers.

What’s more, many users rely on passwords as the sole form of protection for their devices and applications. But passwords are faulty and often poorly created. The Better Business Bureau study mentioned earlier found that 33% of data breaches impacting respondents lead to the theft of passwords or similar data.

For small business owners, losing control of a customer’s account information can lead to an immediate loss of trust. Not only are you failing customers, you’re also leaving their private information exposed, potentially leading to further problems. This can damage your brand, force you to spend on credit monitoring or lead to legal problems.

The costs and long-term damages can be substantial, and even a small incident can escalate quickly because of the types of attacks cyber-criminals employ. In simplest terms, hackers are attacking data that allows them to take control of your identity. If they’re able to retrieve password data, they can use it to force their way into email accounts. Once there, they can reset passwords to accounts that use email for a login.

If they steal payment card data, they can claim a person’s identity and set up accounts or make purchases. For small businesses, these attacks can put customers at considerable risk. If an employee email account is compromised, for example, then hackers can gain access to your back-end systems where customer information is stored. From there, they can use the data to target your clients.

The result of these tactics is an increase in other types of identity fraud. The Identity Theft Resource Center found that credit card attacks increased 88% from 2016 to 2017. According to FICO, attacks on debit cards rose 10% year over year in 2017. Payment credentials aren’t alone in being attacked. Social Security numbers, for example, were attacked eight times more often in 2017 than they were in 2016. As a business owner, you are responsible for the safekeeping of your customers’ credit card and debit card information, so the fact that these types of attacks are increasing is even more reason to stay vigilant.

Data Point Question No. 3: What methods do hackers use?

There are several types of cyber-attacks. However, a few stand out as particular threats for small businesses.

Malware: According to the Kaspersky study mentioned previously, approximately 24% of businesses have been hit by malware. Malware is malicious software that accesses a system and resides in the background sending data to attackers. For example, keyloggers—applications that record all keystrokes a user makes—are a common malware system. They are used to steal passwords that users type repeatedly.

Phishing attacks: Ten percent of those polled in the Kaspersky study said they were hit by phishing scams. Phishing tactics use fake emails to get users to click a link or open an attachment, often to get malware or ransomware onto a system. For example, an email may look like it has come from an equipment supplier and ask one of your workers to reset a password. When the worker does so, it gives the hacker access to your system.

Ransomware: This is a relatively new type of malicious software designed to block access to a computer system. When ransomware gets onto a machine, it turns the data in the system into a coded format. From there, the attacker demands a ransom from the victim in order to get the data decoded.

Software vulnerabilities: Sometimes software will have a glitch that moves data around in an unsafe way. These vulnerabilities let hackers get into systems they otherwise wouldn’t be able to access. It’s important to keep up with patches and software updates to avoid these problems.

These attack types are particularly problematic for small businesses because they don’t take much skill to use. Because they’re easy for criminals to employ, hackers have no problem using them at large scale to attack many organizations, regardless of size. Being a small business won’t keep you off attackers’ radars. It’s time to adapt and employ modern security strategies.

Data Point Question No. 4: What’s the solution?

There isn’t a single strategy to deal with cyber-security. However, you can get help to mitigate these threats as fully as possible.

QuickBridge, for one, can provide businesses with the supplementary capital needed to invest in cyber-security measures. The funds can be used to hire additional IT staff, train employees, update your software or purchase cyber-security insurance to safeguard against the after-effects of a breach.

Approximately 60% of small businesses shut down within six months in the aftermath of a data breach, QuickBridge said.

Cyber-attacks tarnish both your customer’s trust and your business’s reputation. Allocating resources toward data protection can give you a competitive advantage by demonstrating how strongly you value your customers’ data and limit your business’s liability.

Other small business loan providers with online platforms include Lendio, LoanBuilder, Headway Capital, Kabbage and a list of others.

Editor’s note: This is an edited version of an industry whitepaper researched and offered to eWEEK for publication by QuickBridge, which provides a small business loans platform called Smarter Funding to provide business owners with fast access to working capital.