Recent trends indicate that cyberattackers are increasingly targeting small, startup businesses as larger companies have ramped up IT defenses in recent years. According to a report by cybersecurity firm, Symantec, “cyberattacks on small businesses with fewer than 250 employees represented 31% of all attacks in 2012, up from 18% in the prior year” (Link 1). As soon as a business sets up its website and email domain, cyberattacks are triggered almost immediately. In fact, by the time a business is five months old, it has already been targeted by hundreds of spam phishing messages and Malware attacks and, within ten months, most companies will have been infected with Malware. (Link 2). Hackers will also use attacks known as Ransomware, where an attackers locks up company computers and networks demanding a ransom to stop the attacks. Computers are not the only targets of these attacks, however. With the proliferation of smart phones and mobile devices in the business world, many attackers are now using malicious software to infiltrate these mobile devices in order to steal valuable information. Verizon’s RISK team has indicated that this trend of increasing attacks on small startup companies has been relatively consistent over the past six years (Link 1).
Larger corporations have the time and resources to devote to IT security that small businesses and startups just don’t have. Startup businesses in particular have enough concerns related to gaining market share and generally keeping their doors open and generally can’t devote enough resources to IT security. Further, despite the statistics, many small business owners falsely believe they are boring targets for cyberattackers due to their size. However, small businesses can be extremely lucrative and easy targets for these types of attacks. Most often, cyberattackers are after customer credit card numbers, contact information, intellectual property, or money from company bank accounts that are specific to the individual target company (Link 2). However, many hackers target small firms with a much bigger prize in mind. Increasingly frustrated with the beefed up security at larger firms, cyberattackers are using smaller firms as an entry point as they are often customers or suppliers of larger firms. Once a smaller firm is infected, it can spread viruses and other malicious software to a larger firm by way of emails and other exchanges throughout the course of normal business operations. Another way attackers are attempting to use smaller companies as bait is through the strategy of infecting startup companies in growth industries like tech and healthcare. The attackers then lie and wait hoping these infected companies will be gobbled up through mergers and acquisitions, which have been increasing as of late with the improving economy and availability of cheap debt. The attackers are essentially using the acquired company as a sort of trojan horse strategy to then infect the acquiring company and steal its valuable information.
Whatever specific tactic is used, startup companies have been increasingly targeted by cyberattacks as of late. In terms of time and resources, these new companies are stretched thin enough as it is. In-house IT departments are very expensive as is externally sourced internet security software sufficient enough to fortify these companies against sophisticated attacks. In light of this, what is a small business owner to do? Can they take steps to not be infected without professional help? Or is IT security spending now just an operational cost of doing business that can’t be avoided?