CHICAGO — Yahoo’s been through it. So has the Democratic National Committee. More recently, it was Equifax.
But it’s not just large businesses and organizations that are targeted by hackers. In fact, 1 in 5 small businesses has been targeted by a cyberattack, according to a study published this month by the Better Business Bureau.
“It’s not a matter of if, but when a small business will be hit with a cyberattack,” said Steve Bernas, president and CEO of the Better Business Bureau of Chicago and Northern Illinois. “Education is the most important thing, not just to educate yourself, but your employees.”
Many businesses don’t know they have been hacked — because hackers are trying to use them to get into bigger companies in the supply chain, according to BBB.
“Small businesses have limited resources and expertise to address these problems,” Bernas added. “With so much information out there, they really don’t know what is the best way to protect their business.”
While the majority of businesses at risk for criminal hacking are major institutions that deal with a lot of data — such as banks — the idea that small and midsize businesses aren’t a target is mistaken, said Richard Sypniewski, CEO and managing director of Sagin, a management consulting and IT management firm that is an accredited member of the bureau.
At greater risk are nonprofit institutions, since their information technology departments aren’t very sophisticated, Sypniewski said. “Their defenses are probably not very strong and they are easier targets.”
That’s because they typically have large databases of donors, several of whom might be high-net-worth donors, making a cyberattack even more attractive to criminals. Other nonprofits have affiliated organizations — say, for example, the Art Institute of Chicago’s School of the Art Institute, which has a trove of student information as well, Sypniewski said.
According to the study, 90 percent of cyberattacks on business come from phishing emails and 90 percent of those phishing emails are ransomware, in which scammers breach a company’s operating system with software designed to block access or hold data hostage until a sum of money is paid. In other cases, criminals have scattered USB drives in large parking lots, expecting that people will pick them up and put them in their computers to see what is stored on them.
On average, cyberattacks cost small businesses almost $80,000 a year.
In the BBB survey of 1,100 businesses nationally, 9 out of 10 respondents said they had some sort of cybersecurity measures in place — most often, antivirus software, firewalls and employee education.
The best protection, according to Sypniewski, is farming out IT management and data storage to a third-party. “It’s not foolproof but it’s 98 percent to 99 percent better than you managing your (IT and cybersecurity) on-site and housing your own servers,” he said.
Cybersecurity awareness among small businesses has come a long way in recent years, according to the report, with 76 percent of businesses in the study aware of the risk of phishing.