When massive organizations like Sony, Home Depot, and the Office of Personnel Management are hacked, they grab equally massive headlines. Small and middle-market companies rarely make headlines, yet they are particularly susceptible to hacks, said Chris Crellin, Senior Director of Product Management at Intronis, a data protection firm, because many SMBs can't afford to employ a security team or are unaware of the risks posed by attackers.
"A lot of companies rely on the idea of 'security through obscurity,'" said Crellin. "They're focused on running their business and probably don't spend a lot of time thinking about hackers."
These attackers probably aren't interested in any one particular small business, said Crellin, but they tend to rely on a shotgun strategy. "Small and middle-market businesses are targets because there are so many of them. It's like a thief in a parking lot looking for one unlocked car." If your organization is unlocked, he said, you're a likely target.
Common methods of hacking—phishing, brute-force password attacks, keylogging spyware, and social engineering—can cost small and medium businesses thousands of dollars. According to the National Small Business Association 2014 year-end report, both the frequency and cost of small and middle-market business hacks are on the rise. In 2013, the average cost of a cyber-attack on a small business was just over $8,000. In 2014, that number jumped to over $20,000.
When integrating your service with other web tools, Gary Chou, founder of New York-based incubator OrbitalNYC, strongly recommends using tested and widely used services. For example, if your company needs to process payments, "don't try to host solutions yourself," he advised. "Keeping [services] patched and secure is a full-time job, which can be hard to do as a small business. Use a service like Stripe for payments so that you don't need to store customers' credit card numbers."
Chou had three other basic security tips for small business owners:
1. Don't assume anything is secure. "If you have something hackers want (e.g. passwords, bank account numbers)," Chou said, "they will find a way to get it. Be selective about the information you choose to store in a database, whether it's sensitive financial information or confidential data around customers."
2. Change company and personal passwords regularly. Use a password that is long and difficult to guess. Strong passwords can equate to stronger security. Password managers like 1Password and Dashlane store and manage the keys to websites you visit frequently. A few bucks for an app, said Chou, can save thousands over time.
3. Use open source solutions whenever possible. "If you're building a technology product, the value—and security—of open source projects is critical. [Open source projects] are most likely to find and quickly patch any discovered security flaws," said Chou. "You can build faster and stay secure on reliable open source code."
For many small and middle-market businesses, the true cost of good security is time. But technology experts like Chou say good security doesn't have to be expensive, and security best practices can be implemented for free or at low cost. "Don't try to simultaneously be a technology company alongside your core business," he said.
Chris Crellin agrees: "Good security can be expensive, but locking your 'car' is free and can save your company a lot of money in the long run."
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.