When Elana Graham started selling cyber-security software to small companies five years ago, business was relatively slow.
Now demand is booming, driven by a rapid expansion in remote work that has left small firms vulnerable to attack.
Business at her firm has tripled since the start of the year, she says, reaching an all-time high.
“It was a total head-in-the-sand situation. ‘It’s not going to happen to me. I’m too small.’ That was the overwhelming message that I was hearing five years ago,” says Ms Graham, co-founder of CYDEF, which is based in Canada. “But yes, it is happening.”
Cyber-crimes are expected to cost the world $10.5tn (£9.3tn) by 2025, according to cyber-security research firm Cyber Ventures.
On the current trajectory, small businesses will absorb most of the hit.
They are three times more likely to be attacked by cyber-criminals compared to large businesses, cloud security firm Barracuda Networks has found.
And the risks shot up during the pandemic.
Between 2020-21, cyber-attacks on small companies surged by more than 150%, according to RiskRecon, a Mastercard company that evaluates companies’ cyber-security risk.
“The pandemic created a whole new set of challenges and small businesses weren’t prepared,” says Mary Ellen Seale, chief executive of the National Cybersecurity Society, a non-profit that helps small businesses create cyber-security plans.
In March 2020, at the cusp of the pandemic, a survey of small businesses by broadcaster CNBC found that only 20% planned to invest in cyber-protection.
Then the Covid-19 lockdowns came into force and firms scrambled to move operations online.
Working remotely meant more personal devices like smartphones, tablets and laptops had access to sensitive corporate information. However, lockdowns strained budgets, limiting how much companies could spend to protect themselves. Costly in-house experts and cyber-security software were often out of reach.
The result was weak cyber-security infrastructure that was ripe for hacking.
“A lot of the attacks now are coming through them because bad guys know larger organisations have done a pretty good job of protecting their infrastructure. The weakest link is small businesses. And it’s really easy to get in there,” Ms Seale says.
Small Business USA
If it’s true to say the US is the engine of the world economy, then small and medium-sized businesses are the fuel that drives that engine.
Small businesses create nearly two-thirds of new jobs in the workforce and account for 44% of US economic activity. So what’s the secret to their success? What challenges do they face and which are the best cities and regions for them to thrive?
For would-be criminals, such attacks are low risk and high reward, since they are less likely to catch the attention of authorities and often the companies themselves.
It typically takes 200 days from the moment of the hacking until discovery, says Yoohwan Kim, a computer science professor at the University of Nevada, Las Vegas. In many cases, customer complaints are what alert companies to a problem.
And with one compromised supplier, criminals can access networks of organisations further up the supply chain.
“Large businesses depend on small businesses,” says Ms Seale. “They are the lifeblood of the United States, and we need a wake-up call.”
Small businesses account for more than 99% of companies in the US and employ nearly half of all Americans, playing a critical role in the global economy.
Dr Kim says they are like the economy’s “Achilles heel”.
“They may be a small company but what they sell to large businesses could be very important. If they’re hacked, [their product] won’t be fed into supply chains and everything will be affected,” says Dr Kim.
Cyber-attacks can be devastating to small businesses, prompting their products to be removed from supply chains and triggering legal fees, investigations and regulatory filings.
About 60% of small businesses shut down within six months of facing an attack, the National Cybersecurity Alliance estimates.
“The cost could reach thousands of dollars. Some companies simply can’t pay that kind of money,” Dr Kim says. “They just can’t handle it.”
But although small businesses are the most vulnerable, Ms Graham says that most cyber-security tools have been made for big companies, and are often difficult to understand and install without an in-house expert.
“That’s a huge challenge for small companies that don’t understand what these people are trying to sell them,” she says.
Experts say there are simple steps small firms can take to improve their protections, such as creating basic response plans and identifying what and where critical data is.
Educating employees on how to avoid and detect attacks is also important, since the vast majority of data breaches involve human error.
Attacks in which cyber-criminals hacked into business emails were the costliest cyber-threat during the pandemic, amounting to $1.8bn in reported losses, according to the Federal Bureau of Investigation.
Also known as spear phishing, such hacks use a targeted attack, unlike more traditional strategies like spam, which reaches large numbers of people. Ms Graham describes the tool as “the new frontier in criminal activity” and says it has become the most common type of cyber-attack her clients face.
But firms should not despair, says Ms Seale.
“The biggest thing is to convey to small business that it’s not hopeless. It’s not an unsurmountable task,” she says.