Why the huge increase? Smaller companies are simply easy pickings, and they don't fight back like bigger companies.
"Small businesses represent low risk and little chance of exposure for thieves," says O'Farrell. "They typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach."
And just because a company is small, that doesn't mean it can't net huge payoffs for attackers. Often, a breach against a small fry can yield useful data for attackers seeking to target bigger fish. So a series of easy attacks against more-vulnerable small businesses can ultimately enable a hacker to orchestrate a much bigger attack elsewhere, while uncovering plenty of valuable spoils—ranging from employee data and cloud logins to customer data and banking credentials—from the smaller players along the way.
No experience required
Meanwhile, finding victims has gotten easier for criminals. "The tools used by hackers and cybercriminals have become cheap and easy to acquire," says JD Sherry, vice president of technology and solutions at security software maker Trend Micro.
Worse still, these hacking tools have become so easy to use that one need not necessarily be a bona-fide hacker to use them. Instead, with minimal input from the user, a hacking app can initiate a series of scripts to probe many thousands of IP addresses across the Web, seeking out open ports on endpoint PCs; planting spyware or Trojan horse software on websites using widespread weaknesses in technologies such as Java and Flash; or firing off thousands of phishing emails with the aim of getting a few people to click through and receive a small nugget of malware that will leave their PC vulnerable to further attacks.
Yelm concurs: "You don't have to be very smart to do this."
But small-business owners do need to be smart, and that starts with understanding that the security landscape has changed. Small companies can no longer rely on security through obscurity, because automated hacking tools from all over the world are constantly scouring the Internet for vulnerable machines. Meanwhile, every company of any size now has an overwhelming abundance of connected devices and cloud-based services that present a feast of opportunity for attackers.
Unsecured mobile devices—especially Android phones and tablets—used as BYOD (Bring Your Own Device) business equipment make it all too easy for a cybercriminal to slip malware onto a device and collect usernames and passwords for social networks, business networks, and even banking systems. Once a cybercriminal gets a single sales rep's CRM login, he can wreak havoc with customer accounts.
According to the Ponemon Institute, which tracks data surrounding digital privacy and security, recovering from an attack on a customer database can cost an average of $194 for every compromised customer record. Those are just remediation costs, and that number doesn't account for additional costs due to reputation damage, lawsuits, and lost business. No wonder so many small companies go bankrupt after an attack. If the hackers don't siphon hundreds of thousands from your account, you may have to pay it out anyway just to fix the problems they cause.