The 3 Root Causes of Small Business Data Breaches

In 2016, the Ponemon Institute completed a study on the “State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” The study had many interesting findings, with highlights including:

  • 55% of small & medium businesses suffered a cyber-attack in the past 12 months
  • 50% reported data breaches involving customer & employee information in the last 12 months
  • 3 out of 4 reported that exploits have evaded their anti-virus solutions

The results align with what we see with organizations that call us for incident response & recovery services:

  • Small businesses aren’t educated about, or prepared for, cyber risk
  • Anti-virus and/or firewall solutions are not enough anymore

That said, I want to focus on a part of the study that isn’t getting much attention: the root causes of SMB data breaches. In summary, there are 3 root causes (in order of frequency) of SMB data breaches:

  1. Mistakes, Errors or Negligence
  2. Unknown Cause
  3. Malicious Attack (from external hacker or insider)

These results are also consistent with what we see every day. First, small businesses are targets of opportunity, not targets of interest. Contrary to what you read in the news every day, the LEAST common cause of a small business data breach is a malicious, targeted attack. Instead, most attacks are caused by mistakes. Mistakes range from a negligent IT person without security training configuring a router or computer and unknowingly making it vulnerable, to a user visiting a website they shouldn’t or clicking on a link in an email or on social media. The fact is, cyber criminals aren’t directly targeting small businesses; it’s not worth their time to do so. What they are doing is sending out tens of thousands of phishing emails, placing links to malicious websites on social media, or automatically scanning the web for known vulnerabilities (often created by mistake) in your routers and computers. They then take inventory of the “targets of opportunity” that click the links or register vulnerabilities on their scans, and determine if they have interesting data worth breaching. An analogy to the physical world is leaving valuable property in your parked car with the doors unlocked in a bad neighborhood, then being surprised when a criminal walks by, sees the valuable property (aka target of opportunity), checks your doors and steals it. The internet is a bad neighborhood; don’t make it worse by being an easy target (of opportunity).

A quick note on the second most likely root cause of a small business data breach: Unknown. You may be asking yourself how a business can not know the cause, but this is fairly common, as many small businesses do not have in place the security to (1) catch a data breach and (2) collect and store the information required to recreate what happened. Many small businesses have been breached and don’t even know it, and the longer a breach goes on without being caught, the more of the information needed to recreate what happened is purged from the information systems. Once the information is purged, it is difficult for even the best digital forensics personnel in the world to determine what happened, when and why.

So what should you do to take yourself out of the “target of opportunity” category? Simple: be a responsible business owner and think about the risk now, rather than after something happens. In the famous words of Ben Franklin, “an ounce of prevention is worth a pound of cure.” Act now, and cyber criminals will leave you alone and move on to easier targets of opportunity, of which there are plenty.

The full study can be found here.