
Because the media mostly focus on bigger data breaches, small business owners may assume that hackers only pursue companies with huge amounts of data, and that their own company would be of little interest to hackers.

In reality, this is simply not true.

Small Businesses – An Interesting Target

  • Small businesses store valuable data
    Most small businesses store financial information that can be used for fraud, or personal details that can be used for identity theft. They are also likely to hold customer data or intellectual property that is valuable to an attacker.
  • Small businesses are more likely to pay ransoms
    Many small businesses lack reliable, tested backup routines, and few can restore their systems on their own after a ransomware attack. This makes them more likely to pay when critical data gets encrypted by malware and the attacker demands money to restore access to it.
  • Small businesses can be used as a gateway to larger partners
    Because larger businesses can be hard to penetrate directly, attackers are shifting their efforts toward smaller businesses that may be the weak link in the supply chain. Information gained from a smaller business, such as its access to a partner's systems, can then be used to penetrate the defenses of its larger partners.
  • Small businesses tend to have lower security defenses
    Due to a lack of financial and human resources, small businesses tend to have weaker security defenses. With a limited IT department or none at all, devices, networks, websites and servers may run on outdated software, and no one is ready to take control of the situation if an attack occurs. Although the reward from breaching a smaller business may be lower than from breaching a large enterprise, the odds of actually obtaining a reward are much greater.
  • Small businesses are less likely to catch hackers
    To detect an attack as it occurs, security personnel and proper technology need to be in place. Small businesses are far less likely to have the resources for such measures. Many of them do not even have technology for creating and protecting audit logs and the other data needed to perform forensic analysis and establish admissible evidence. This greatly reduces the chances of an attacker being caught, arrested and punished for attacks on small businesses.