The Effects of Lack of Cybersecurity on Small Businesses

Malware attacks and security breaches have been regular news over the past few years. There have been a number of high-profile cybersecurity incidents, largely spearheaded by computer hacking groups such as LulzSec (Liu et al., 2012). Due to such abuses and privacy infringements as well as massive security breaches of credit cards and other financial information, customers have become increasingly sensitive on how to collect, use, store, secure and transmit their personal information (Singer & Friedman, 2014). With the continued technological developments, the number of gargets linked to the Internet is also growing, leading to security concerns. Such security concerns worry the market, and the effects of the lack of cybersecurity are especially felt by small businesses (Singer & Friedman, 2014). Small businesses are increasingly becoming susceptible to cyber-attacks due to the fact that: i) their partnership with large companies provides an easy gateway to the systems of these large corporations, ii) they have limited resources, and iii) they do not effectively guard essential business information. The current paper investigates the problem of the lack of cybersecurity in society today and how it is affecting small businesses.

The Lack of Cybersecurity in Society Today and how it is Affecting Small Businesses

With the increasing use of networked computers and the Internet, and novel technologies such as cloud computing allowing for greater advances in technology, the incidence of cybercrime is projected to grow as cybercriminals seek to exploit vulnerabilities within key business networks. Cybercrime particularly refers to a crime that makes use of a computer typically connected to the Internet as the target accessory or weapon for attacking businesses, individuals, and groups, as well as their property. According to Singer and Friedman (2014), cybercrime costs the international economy nearly $445 billion each year. Simply put, network outages, computer viruses, data compromised by hackers, and other technological incidents continue to affect the lives of computer-users in undesirable ways. As the number of mobile users, data networks, and digital applications increase, the accompanying opportunities for exploitation also increase, calling for more advanced security systems (Liu, Xiao, Li, Liang, & Chen, 2012). Therefore, cybersecurity (information technology security) focuses on the protection of computers, networks, data and computer programs from unauthorized or unintended access, destruction or change. What is evident is that virus creators have produced increasingly harmful and sophisticated viruses over the years, changing from the relatively harmless “I Love You” and ”Melissa” viruses of the early 2000s and late 1990s to the Stuxnet virus of 2009 that was intended to damage Iran’s uranium enrichment facility (Liu et al., 2012). However, the effects of lack of cybersecurity are especially felt by small business. While most previous attacks targeted large corporations, small businesses are becoming painfully cognizant that their small size does not offer protection from the risks of cyber-attacks.

Discussion

The current more sophisticated hackers can attack any target. A survey by the National Cybersecurity Alliance established that about 50 percent of small businesses in the United States have suffered from cyber-attacks and 71% of all security breaches are directed at small enterprises (Raghavan 2016). Besides, analysis by Experian – a credit data provider company – reported that 60 percent of all small businesses collapse in a period of less than 6 months after suffering from a security breach, while the U.S. Department of Commerce found a sharp increase in the number of attackers and adversaries that target small businesses. Small businesses are particularly attractive to hackers since they have lax online security and often operate with poorly protected systems. Even though all enterprises are aware of the need for cybersecurity, many small enterprises are yet to take adequate measures to guard against cyber-attacks. Typically, they do not take enough time to devise a response or contingency plan, and often lack the resources required to recover from an incident in case it happens (Raghavan 2016). A single cybersecurity occurrence could shut down the whole business network for several days until the issue is examined and fixed. In other cases, small and medium enterprises do not even know that they have been attacked until it is already too late. In this light, a small business cannot have the ability to withstand the loss in income or have the insurance that caters for liabilities or costs that arise from security breaches.

In his article, Kshetri (2015) identifies three major reasons why hackers target small businesses. First, small enterprises are not adequately equipped to handle a cyber-attack due to their limited resources. Second, their partnerships with large corporations provide a back-door gateway to the systems of these large businesses which are the hackers’ true targets. Lastly, small businesses do not effectively guard critical information that is desired by hackers such as intellectual property, credit card credentials, and personal information. What is evident is that small businesses are increasingly doing business online, though do not always ensure that their systems have strong encryption technology. This combination of factors provides cybercriminals with the leeway to access sensitive data with ease. The emergence of cloud computing enables small enterprises and their personnel to work from anywhere using a number of devices. Workers are able to videoconference globally by using Skype and other media, send files using Dropbox, and remotely access work from their tablets and smartphones (de Bruijn & Janssen, 2017). However, many small businesses continue to learn painfully that the benefits of such collaboration offer the potential for costly data breaches. If the small enterprise conducts business with some of the Fortune 500 companies, then it provides an easier entry point to large amounts of data. A good example is the security breach at Home Depot where cybercriminals used the access of a relatively small vendor in the company’s supply chain as the entry point to major credit card data theft (de Bruijn & Janssen, 2017).

With regard to the mode of attack, small enterprises are often susceptible to email attacks that closely mimic those of banks or reliable institutions and citing an urgent need to log into an account or supply some other vital information (Kshetri, 2015). Business accounts do not enjoy the same level of guarantees and protections against theft and loss as those provided to consumers, which is a reality that small businesses only realize once it is too late. While consumers are protected by Regulation E, commercial accounts are covered by the Uniform Commercial Code which does not hold banks liable for unauthorized payments provided a commercially reasonable method of providing security is followed (Kshetri, 2015). As a result, most small enterprises that fall victim to theft from bank accounts do not recover those funds.

A successful cyber-attack accounts for great damage to the business. It can affect the business’s bottom line, as well as consumer trust and the overall corporate standing. The effects of the lack of cybersecurity in society today to small businesses can be broadly divided into financial, reputational, and legal categories (Thompson, 2014). Cyber-attacks often lead to considerable financial losses arising from the theft of business money, stealing of corporate information, cancellation of contracts, disruption of normal trading, and theft of financial information. Small businesses that suffer cybersecurity breaches also incur costs related to repairing the affected systems, devices, and networks. For instance, in 2013 alone, cyber-attacks cost small enterprises an average of 8,699 dollars per attack. However, these costs have increased and today the figure stands at over $20,752 per attack (Thompson, 2014). This significant increase in the costs of cybercrime is likely due to the increased sophistication in hacking and phishing schemes as well as an improving economy that finds high amounts of funds available in the bank accounts of many small firms.

Besides, trust is an important aspect in business. A single cyber-attack can damage the business reputation for small firms, and completely erode the trust that customers have in the entity. In turn, this could potentially result in declining sales, loss of customers, and reduction in profits. Such reputational damage could extend beyond the customers, largely affecting relationships with suppliers, investors, partners, and other third parties entrusted in the business (Hayes & Bodhani, 2013). Similarly, privacy and data protection laws require all businesses – regardless of size to manage the security of all personal data that they hold. If this data is deliberately or accidentally compromised, it implies the business has failed to integrate the required security measures and might face regulatory sanctions and fines (Thompson, 2014). Therefore, the best way for small enterprises to escape possible litigation in the case of a security breach is to prevent a security breach from occurring at first. In that, the security of customer financial and personal information should be the first priority of all businesses when assessing information security protocols.

Considering the effects of lack of cybersecurity, small businesses themselves should be at the forefront of minimizing the impacts of cyber-attacks on business. After a cyber-attack happens (whether successful or attempted) an effective cybersecurity incident response plan can help small businesses clean up the affected systems, reduce the impact of the attack, and get the business running in the shortest time possible, and reduce the likelihood of future successful attacks. However, to guarantee the security of business systems, Laudon and Traver (2018) highlight the importance of investing in user education, awareness, and training on an ongoing basis. It would be beneficial for small businesses to educate employees on how to identify and report phishing and other cybersecurity threats, and effectively prevent criminals from obtaining sensitive corporate data. Other cybersecurity risk management strategies for small business include strengthening barriers and improving passwords, regularly checking for weak codes, and securing Wi-Fi networks and IoT devices (Wu & Irwin, 2016). The rationale is that all businesses (including small enterprises) have sensitive information that they need to protect. While this is not an easy task in the current sophisticated technology landscape, investing in the latest security software and continuous internal training would help prevent most cybersecurity problems that small business encounter.

Conclusion

With the lack of cybersecurity in society today, small businesses are an increasingly attractive target for cyber-crime. While individual small enterprises might not appear to present an overly attractive target, small businesses collectively are a very lucrative target due to their joint economic impact. The effects of a single cyber-attack on a small business can be devastating. While large corporations have the brand recognition and financial resources to recover from negative PR and monetary losses, a small business is often disadvantaged. A comprise in online security will typically require a small enterprise ton pause its operations for a period of time, leading to loss of revenue. This can be a devastating reality for small businesses that are primarily based on the Internet. In this light, the best practice would be to educate employees on preventing cyber-attacks and incorporating strong encryption technologies.

References

de Bruijn, H., & Janssen, M. (2017). Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), 1-7.

Hayes, J., & Bodhani, A. (2013). Cybersecurity: Small firms under fire. Engineering & Technology, 8(6), 80-83.

Kshetri, N. (2015). Cybercrime and cybersecurity issues in the BRICS economies. Journal of Global Information Technology Management, 18(4), 245-249.

Laudon, K. C., & Traver, C. G. (2018). E-commerce 2017: Business, technology, society (13th ed.). Boston, MA: Pearson.

Liu, J., Xiao, Y., Li, S., Liang, W., & Chen, C. P. (2012). Cybersecurity and privacy issues in smart grids. IEEE Communications Surveys & Tutorials, 14(4), 981-997.

Raghavan, K. (2016). Cybersecurity in small businesses and nonprofit organizations. Retrieved from https://www.tscpa.org/docs/default-source/default-document-library/cybersecuritymarapril16-(1).pdf?sfvrsn=2

Singer, P. W., & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. Oxford University Press.

Thompson, R. (2014). The small business cybersecurity blindspot. Risk Management, 61(5), 8-9.

Wu, C. H. J., & Irwin, J. D. (2016). Introduction to computer networks and cybersecurity. Boca Raton: CRC Press.