How to Identify and Prevent Small Business Cybersecurity Attacks

Picture this: You’re a small retailer and you purchase some unique items for resale from a local artisan. You exchange a couple of emails, an invoice and a payment. Because of a security breach in your supplier’s network, now yours is infected too. You’re a victim of a small business cybersecurity attack.

Your antivirus software is no longer sufficient to protect against the sophisticated threats that have evolved over the last two years, so your system is now compromised and your business is at risk of being shut down completely. It’s also possible that your customers’ information has been compromised. It’s a scenario that happens all too often.

The cost of data breaches is expected to reach $2 trillion by next year. While most business owners may think those kinds of attacks target big business, the Verizon 2017 Data Breach Investigation Report shows that 61% of breaches hit smaller businesses.

A UPS Capital report adds that most small businesses aren’t prepared.

Costs of Cyberattacks


of breaches hit smaller businesses


of small businesses fold within six months of an attack


of small businesses don’t use data protection for company and customer information

Small business cybersecurity attacks cost between $84,000 and $148,000

Since 2004, October has been recognized as National Cybersecurity Awareness Month through a joint effort of the U.S. Department of Homeland Security and the National Cyber Security Alliance. The campaign is designed to make everyone more cognizant of computer security and deter as many attacks as possible. Unfortunately, the bad guys are at least as smart and well-armed as those trying to protect us.

As the world population becomes more and more dependent on forms of electronic communications and commerce, and cybercrime continues to rise, businesses worldwide will increase their investment in cybersecurity. Realistically, who doesn’t bank or shop from home via the internet nowadays? Statista reports that since 2010, spending on cybersecurity has increased three-fold, and many experts agree it will top $170 billion by 2020.

SMB Cybersecurity Attacks Not Small Change

Believe it or not, an astonishing 87% of independent merchants don’t think they are at risk of a cybersecurity attack even though small businesses are desirable targets for hackers. Because they don’t devote much of their budget to security, including but not limited to employee training, they’re much more vulnerable than larger businesses or corporations.

Most retailers today looking to remain relevant in the marketplace do business online, which not only increases their bottom line but also increases the risk of a security breach.

“These issues represent an existential threat to some small businesses as firms could go bankrupt from the costs of responding to a cyberattack, or from the lost revenue and customers resulting from a business disruption,” Daniel Castro, the vice president of the Information Technology & Innovation Foundation, explains. “Moreover, these attacks are a drain on the economy.”

According to Small Business Trends, 55% of respondents to a survey said they had experienced a cyberattack during a 12-month period in 2015-16, and 50% of those involved customer and employee information. Things have only gotten worse since then. The Better Business Bureau reported earlier this year that about 36% of the businesses that reported being hacked wound up losing money, with an annual overall loss averaging nearly $80,000.

“Many businesses continue to think that they are too small to be the target of a cyberattack,” Russell Schrader, the executive director of the National Cyber Security Alliance, tells Technology. “These businesses lack the technology, resources, finances, and legal knowledge that they need to protect themselves.”

Or in the case of small businesses, they don’t realize there are advanced security solutions available to them at an affordable price.

Attacks are Hard to Detect

Even many of the biggest, most sophisticated companies in the world struggle to identify and resolve cyberattacks. Many attacks aren’t discovered until weeks or months after the hackers gain entrance into a company’s network.

Ghosts in the Machine


In May 2014, eBay announced that 145 million of its users’ personal information – names, addresses, birthdates and encrypted passwords – had been compromised. The company said the perpetrators rummaged around in its system for 229 days.

Another infamous data breach started before Thanksgiving 2013 when Target stores were hacked. The thieves compromised the credit/debit card information of up to 110 million customers and the action wasn’t discovered for weeks. The ability to identify and respond to cybersecurity attacks has steadily improved, but it hasn’t stopped the disruptions.

Just this year, retailers Macy’s, Adidas, Under Armour, Saks Fifth Avenue, Saks Off 5th, Lord & Taylor and others have reported significant data breaches.

Cisco Systems said in its “2017 Midyear Cybersecurity Report” that the industry average for detecting cyberthreats is 100 to 200 days.

What to do

The survey of 2,000 consumers and 1,100 businesses found that awareness of the potential of a cybersecurity attack is high – 93% of BBB-accredited business owners know of risks such as ransomware, phishing, malware, et cetera. Nine out of 10 of those businesses have some form of cybersecurity in place. Antivirus (81%) and firewall (75%) protection on their networks are the easiest and most used forms of protection. Roughly 47% added employee education programs.

However, when it comes to ongoing management of their network, regular audits, dedicated IT security, outside cybersecurity contractors, and a cyberattack response plan, businesses are woefully outgunned in cybersecurity warfare. Only 20% regularly manage their network security, just 17% have dedicated IT staff or hire an outside cybersecurity prevention firm, and just 15% have a security incident response plan or cybersecurity insurance.

Cisco also recommends these simple security measures:

Identify mysterious emails

Note unusual password activity

Identify suspicious pop-ups

Report a slower-than-normal network

Cyberattacks are a threat to all small businesses, but taking steps to prevent them isn’t as overwhelming as it might seem. Many companies that provide digital business platforms also offer network security services. Most offer some form of cybersecurity, while others provide automated network monitoring and maintenance.

It’s important to have a managed, multi-tiered approach to security. Having simple antivirus, patch management and backups on your PCs isn’t enough these days. The bad guys have gotten very sophisticated, especially in the past couple of years. With ongoing monitoring, managed network services will automatically identify and prevent breaches in real time, well before the customer knows there was a threat.

Update your system and protect your information: Merchants should regularly update computers – including desktops, laptops, mobile devices and point of sale systems. For added protection, consider outsourcing network management to the security professionals whose business it is to maintain the security of your systems.

Regular Backups: Protect your point of sale data against disaster. After you close for the day, many digital platform providers go to work backing up application databases, including accounts receivable, inventory, sales tax information, customer data, etc., to secure off-site data hosts, along with all the other important data stored in a point of sale system.

Adopt a Multi-Tiered Approach to Security: It’s not enough to rely on just antivirus software these days. Many companies offer affordable solutions that allow merchants to employ multiple security strategies from multiple manufacturers, which will drastically improve their security posture.

Educate employees: Merchants should establish basic, but essential security practices and policies for employees. Internet and email guidelines, along with strong user passwords, are vital to protecting a business’s digital security.

Limit access: According to the Ponemon Institute, human error is responsible for 80% of business data breaches. Many of the leaks are caused by employees browsing the web or opening unsecured emails. One errant click can be fatal to a business network.

High-Security Industries


Healthcare, manufacturing, financial services, government agencies and education are all value-rich targets, because they store so much valuable data.

Retail is also an information-rich target for hackers looking for consumer information. Retail giants eBay, Target and Home Depot are all listed on’s list of the 17 biggest data breaches in this century, and consumer information was the target of those thefts.


As the future of retail leads all consumers more and more toward electronic interconnectivity, the threat of small business cybersecurity attacks grows. The more small businesses adapt to the digital marketplace with web browsing, online sales, online banking, email and digital marketing programs, the more vulnerable they are to cyberattacks.

Improving cybersecurity isn’t like buying a new delivery van. You can’t plunk down cash and drive it until the wheels fall off. Cybersecurity requires constant vigilance and improvement to keep up with changes in technology, trends and the hackers.

Valuable Cybersecurity Resources

The Federal Communications Commission, Small Business Administration, Better Business Bureau and other organizations all offer resources and tips on how to prevent small business cyberattacks.

PCI Security Standards Council: This resource provides small businesses with awareness on protecting payment card data, which small merchants rely on for transactions. The resource features a variety of guides for small merchants.

NCSA (National Cyber Security Alliance): The NCSA offers a resource that helps your business safeguard its operations from cyberattacks, privacy breaches, and other threats.

John Oetinger

Director of Managed Network Services, Paladin Data Corp