It seems like every week we are hearing about another company falling victim to some sort of data breach. Whether it is a cryptoware exploit or coordinated cyber-attacks, one thing is for sure, it’s happening. So, who exactly, is experiencing this? If you listen to the news, it might seem like only large companies are at risk — but is that the real story? Let’s explore the data and expose the companies that are really at risk of being breached.  

Target Company Breakdown 

Based on the news reports, it’s easy to believe the majority of breaches occur in large companies. Unfortunately, this is not actually the case. Large companies are definitely breached, but they are not the most targeted. In fact, a number of large data breaches were actually perpetrated by first breaking into smaller vendors (think Target). According to the 2016 Data Security Incident Response Report from BakerHostetler, small and medium-sized businesses (SMB) make up over 50 percent of all the attacks…

with private companies accounting for over 60 percent of those attacks.

And while you may think health and finance companies are the ones being targeted, that is not really the case anymore as the attacks are spreading across many industries. 

And this is just the attacks we know about. As Mark C. Greisiger, President of NetDiligence states, “A good many data breaches go undetected and others are willfully unreported. Often, the data breach incident is a denial of service attack, which companies don’t report because they aren’t obligated by law to do so.” 

Timothy Francis, enterprise lead for Cyber insurance, has stated there are about 34,529 known computer security incidents per day in the U.S. And he goes on to suggest, “It’s not if a breach will occur, it’s when.” 

Why SMBs Are a Target 

Well for one, SMBs are a target because in normal circumstances they do not have the budget to hire the resources necessary to secure their environments from sophisticated attacks. But sophisticated attacks are rarely the problem. In all actuality, small businesses make easy targets because of missing processes and procedures around security.    

Take, for example, the most common causes for data breaches according to Sutcliffe & Company:  

  1. Weak and stolen credentials 
  2. Back doors, application vulnerabilities  
  3. Malware (cryptolocker) 
  4. Social engineering 
  5. Too many permissions — credential management 
  6. Insider threats 
  7. Physical attacks 
  8. Improper configuration/user error 

Over half of the most common causes can be almost completely avoided with new business processes and employee training. Unfortunately, for a lot of SMBs, the policies and processes are not put in place, making them easy targets for data theft.   

And it’s no wonder when you consider that small business makes up:  

  • 99.7 percent of U.S. employer firms, 
  • 63 percent of net new private-sector jobs, 
  • 60 percent of American payroll, 
  • 46 percent of private-sector output, 
  • 37 percent of high-tech employment, 
  • 98 percent of firms exporting goods, and 
  • 33 percent of exporting value. 

Bottom line is that small and medium-sized businesses are highly targeted by attacks — they just don’t get the press that the larger companies receive. This is both good and bad. Good, because there is less customer exposure if they are compromised, but bad because SMBs have their guard down thinking it will not happen to them. If this is you, it might be time to prioritize your security efforts. Waiting until it’s too late could be disastrous.