How would your small business cope in the event of a hack attack? Are you ready for anything cybercriminals can throw at you, or would a security breach bring your company to its knees?

In 2015, hundreds of millions of people were affected by security breaches in organizations, including health insurance provider Anthem, extramarital affair-facilitating Ashley Madison, children’s learning tool/toy maker Vtech, and BlueCross BlueShield. Even hackers couldn’t catch a break: an Italian hacking organization named “Hacking Team” reported a data breach that compromised 400 GB of internal data, including source code, client lists, and emails.

Even though high-profile hacks on large enterprises make headlines, small businesses are more vulnerable and face even greater threats. A survey by Kaspersky Lab says that small and medium businesses spend $38,000 to recover from an attack. What’s worse, a 2015 study by security solution provider Symantec concluded that 60 percent of all targeted attacks were aimed at SMBs.

Here are just a few examples of how a hack or security breach can devastate a small business:

Credit card fraud

60 percent of attacks were targeted at small and medium businesses (Symantec, 2015)

A specialty t-shirt maker was hit by an attack that cost the company $200,000. It began when owner Kevin Stecko was contacted by credit card company Discover, which told him that users on his site had experienced some suspicious transactions. Stecko stopped collecting credit card data and got a forensic data team as well as the Secret Service involved.

No breach was discovered through the investigations, but that wasn’t the end of it. VISA and Mastercard contacted him again a few months later: there were more fraudulent charges and thousands of users’ personal data had been exposed. Aside from the $200,000, his company also lost sales due to only accepting PayPal while investigating the fraud.


Educational toymaker Rokenbok Education was hit right before the holidays: its systems had been infected with a form of malware called ransomware, which had encrypted all of its data. To regain access to the data, the company would have to pay a sum of money to the hijackers.

Ransomware attacks, when compared to other forms of attack such as credit card number theft, are easy to monetize because there are no black market middlemen or buyers. Ultimately, the company didn’t pay and instead remodeled its systems at great cost and time. It’s important to note that Rokenbok’s ordeal wasn’t unusual and ransomware attacks are on the rise.

Old school digital defacement

In September 2012, a site dedicated to news and advice for entrepreneurs was hacked in an old school way: its website had been defaced with images, words in another language, and propaganda. The site worked for the next two weeks with its web hosting company, which was also busy helping other clients that had been affected.

The malicious code was buried deep within the site, and despite brief moments of respite (after deleting months of work), it kept reappearing. Although the hack was flashy and drew negative PR, the sneakier hacks are the ones to worry about. This hack might have been part of some sort of propaganda campaign, but plenty of hacks aren’t ideologically motivated; they are carried out simply to steal and sell data or to take cash. And often those attacks aren’t discovered until long after the damage has been done.

Hacks: a small business’ worst nightmare

The cloud is a cost-effective way for small businesses to protect themselves, and there has been a constant shift towards web-based deployments in the last couple of years. According to a forecast by Gartner Research, more than 30 percent of cybersecurity controls were estimated to be deployed through the cloud by 2015.

Even though small businesses are constantly progressing towards cloud-based offerings, the journey is hardly hitch-free. Gartner’s Annual Global Risk & Security Survey 2015 (Figure 1) reveals that SMBs’ biggest worry is the concentrated risk of hacks associated with the cloud. One in seven organizations surveyed said that they are concerned about losing data in case of cloud crashes.

Figure 1: Most challenging issue with security and privacy in the cloud

Selecting the right cloud software provider can help protect against damaging attacks. Small businesses need to look for cloud-based service providers that offer visibility, data backup, compliance, and threat protection. GetApp offers security information about cloud vendors in its software listing pages, explaining the various security measures built into cloud applications in areas such as accounting, customer management, and HR.

How privacy breaches can cripple a company

A security attack can drain an organization’s financial resources, operational efficiency, and customer base. One significant hack can effectively kill a small business.

Gartner’s Risk & Security Survey (Figure 2) says that more than one third of SMBs are concerned about losing customers due to a privacy breach and the cost of maintaining security infrastructure to protect privacy.

To overcome these challenges, small businesses need to shift from traditional standalone offerings such as firewalls to a more comprehensive Unified Threat Management (UTM) platform, or adopt compliant and secure web-based offerings.

Figure 2: Privacy risk concerns

Which privacy protection processes are top priority?

Data breaches not only wreak havoc on internal operations, but can also lead to legal troubles for small businesses. Privacy policies are crucial to guiding the organization towards compliance and prevention.

But what privacy policies are needed to protect your business against an apocalyptic breach?

According to Gartner’s Risk & Security Survey, the top process-related privacy policies for small and mid-sized businesses are:

  • Creating repositories of personal data (e.g. customer list, emails, internal documents, and credit card details), along with its storage locations.
  • Conducting privacy training for employees.
  • Developing organization-wide privacy programs.

Figure 3: Top 3 process-related privacy priorities

Combatting breaches through user authentication

Considering the widespread cases of identity theft affecting small and medium businesses, a user authentication system offers a quick antidote to prevent such breaches. Although there are plenty of different options when it comes to user authentication, there isn’t a “perfect solution” that offers complete protection and security.

So, how do you slam the door shut on unwelcome online intruders? The graphic below (Figure 4) lists the most common user authentication methods used by small and mid-sized businesses. Research shows that one-time password (OTP) hardware tokens are the most common user authentication method, followed by biometric authentication and certificate-based authentication.

Figure 4: User authentication method usage

What can you do to protect your business?

Implementing the right user authentication methods and introducing privacy policies into your business are practical steps to help prevent the kind of risks we’ve outlined. But there are plenty of other measures you can take to ensure that the data you have in the cloud is protected.


Source: Gartner’s 2015 Global Risk and Security Management Survey included a total of 964 organizations in seven countries. The research was conducted between February 2015 and April 2015 to help Gartner understand how risk management planning, operations, budgeting and buying are performed, especially in areas such as risk management, information security, business continuity management, IT compliance and privacy.

Figures in this report were drawn from 340 organizations with fewer than 1000 employees.