A Single Email Breach Can Bankrupt A Small Business. Here’s How to Prevent It.
Companies across the U.S. are in lockdown mode: employees working from home, offices shuttered, client interactions happening online. Amid this disruption to business as usual, one group sees a wealth of opportunity: cybercriminals.
Even in non-pandemic times, the cost of cyber fraud to small businesses is devastating. Estimates put the average cost of a cyberattack on a U.S. company as high as $200,000, and 43% of all attacks target small businesses (1). A 2019 study of companies with 500 or fewer employees that had suffered a data breach found that 10% went out of business and 25% had to file for bankruptcy (2). Smaller companies often lack the resources to implement cybersecurity measures, buy specialized protection software, or hire staff with expertise in defending against such threats (3).
Relying on email for external communications makes a company vulnerable at the best of times. But in the era of COVID-19, increased sharing of confidential data over email translates to even higher risk. Documents that would normally be shared as hard copies in an office are now being sent back and forth as PDFs through free applications like Gmail or Dropbox.
Tech-savvy business owners may believe they’re safe if they’ve created a 15-character password with all the bells and whistles – capital and lowercase letters, an ampersand and an exclamation point, a few out-of-sequence numbers. But a strong password only protects the sender’s own mailbox. Once a sensitive document has been emailed to someone whose password is “password” or “123456”, a copy sits in that recipient’s inbox, protected by nothing more than the weaker password, and both parties are exposed if that account is taken over.
By the way, those aren’t parodies of bad passwords: they’re alarmingly common. Annual rankings of the year’s worst passwords, based on how often they appear in data breaches, confirm that far too many Internet users fail to create more complex passwords (4). According to a 2019 Harris Poll/Google survey, nearly a quarter of Americans have used easy-to-guess passwords like password, 123456, abc123, iloveyou, or qwerty. More than half have used either a pet’s name or their own name. Only 37% said they’d used two-factor authentication. Alarmingly, up to two-thirds of Americans use the same password for banking, email, and social media (5), so a single leaked credential can open all three.
Small and medium-sized businesses are only as secure as the weakest link in their communication chain. With a circle of contacts that includes customers, vendors, business associates, partner organizations, and contractors, sensitive data that’s been sent over email can be compromised regardless of what precautions the sender took. Think bank account numbers, invoices, social security numbers, tax returns, medical records, investment holdings of mortgage applicants – information clients count on businesses to keep secure.
A cache of emails obtained by a hacker can lead to severe financial and reputational losses. As too many businesses have discovered, a cybercriminal who has access to a past invoice can create a convincing fake one, using real account numbers and wording that sounds legitimate. Invoice fraud and phishing scams have cost businesses billions – even Google and Facebook were tricked by a Lithuanian cybercriminal into paying $23 million and $100 million, respectively.
If a business is tricked into paying false bills, that’s costly in itself. But if the hacker has accessed private, personally identifiable client information and makes it public, the costs could grow exponentially: regulatory penalties, private lawsuits, loss of clients, negative publicity. The California Consumer Privacy Act, which went into effect this year, lets consumers whose data is stolen or disclosed without authorization recover statutory damages of between $100 and $750 per consumer per incident, or actual damages – whichever is greater – from companies doing business in the state.
A survey of consumers’ reactions to 2018 data breaches revealed that 67% trusted a company less after it had experienced a data breach, and 22% stopped doing business with a company after such a breach.
Establishing adequate protection against cyber attacks can be an overwhelming prospect once the costs, the time and effort needed to implement security upgrades, and the risks being addressed are all weighed together. For companies looking for simpler interventions that can still make a difference, encrypting communications is a good place to start: if the documents themselves are encrypted before they are sent, a compromised mailbox on either end yields only ciphertext rather than the bank account numbers, tax returns, and medical records described above.