When Pamela (not her real name) sat down at her desk one recent weekday morning, online security was the furthest thing from her mind. Sure, she had a basic knowledge of common-sense security practices. She wasn't the type to use insecure passwords or download dubious content from the Web. As chief financial officer for a small Chicago-based manufacturing company, she regarded her PC as a no-nonsense work tool. Still, somewhere along the way, a little snippet of malware slipped onto her PC, and it would soon threaten her company's survival.
According to Brian Yelm, CEO of Chicago tech services provider Technologyville, Pamela's malware did one nefariously simple thing: It caused her browser to redirect all bank URLs to a set of phony sites that looked just like their legitimate counterparts—a technique called phishing. When Pamela logged in to the look-alike site, a message prompted her to call customer service about a problem with her company's account. She dialed the number on the screen, and after a few simple questions from the agent on the line, every single penny in her company's account disappeared. More than $300,000, gone in minutes.
Pamela and the company were lucky. They immediately discovered the missing funds and pulled out all the stops to recover the money from their bank. And with Technologyville's help, they traced the IP addresses and phone calls back to a hacker group in Eastern Europe. Justice was served. The money was recovered. Pamela's company survived.
Not every company that gets hacked is so lucky. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.
Now let's pause for a moment, and restate that another way: You've got a 20 percent chance of being hacked, and if it happens there's a good chance your business is finished.
Of course, not every small business is equally likely to fall prey to cybercrime. Attackers don't generally discriminate by company type, valuation, or any other characteristic of the business itself. Instead, they look for one thing: vulnerability.
"Most small business owners still don't get security, don't think it's an issue, and are pretty defenseless," says Neal O'Farrell of Think Security First, a security consultancy based in Walnut Creek, California. "They assume hackers would need to pick their business out of 27 million others, not realizing that the attacks are automated and focused on discovering vulnerabilities."
Smaller companies are increasingly attractive targets for attackers, too. Symantec's latest annual Internet Security Threat Report found that companies with fewer than 250 employees accounted for a staggering 31 percent of targeted attacks in 2012—a massive jump from 18 percent the year before.