The security firm FireEye has a very eye-opening report titled “Big Threats for Small Businesses: Five Reasons Your Small or Midsize Business is a Prime Target for Cybercriminals.”
The report addresses a common misconception that small businesses have:
I’m too small to be a target
“The ‘I’m too small to be a target’ argument doesn’t hold water,” the Verizon report states. “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.”
Small and midsize businesses are facing the same cyber threats as large enterprises, but have a fraction of the budget to deal with them. More than 40 percent don’t have an adequate IT security budget, according to a November 2013 survey by the Ponemon Institute.
The statistics are clear: a small or midsize business is more likely—not less—to face a cyber attack compared with large enterprises.
The defenses most SMBs have in place today are ill equipped to combat today’s advanced attacks. Firewalls, next-generation firewalls, intrusion prevention systems (IPS), AV software, and gateways remain important security defenses. But they are woefully ineffective at stopping targeted attacks.
A data breach can put you out of business
A staggering 60% of small businesses go out of business after a data breach.
…a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. Cyber attacks are growing more sophisticated and, more often than not, target small and midsize businesses (SMBs). One unlucky click—a malicious email attachment, a link to a legitimate but compromised website—could result in a costly data breach that drains your bank account and customer trust.
FireEye gives some good recommendations to lower the chance of becoming a victim:
Assume you’re a target
Cyber attacks against small businesses rose 31 percent in 2013 versus the year before, making them the fastest-growing group of targets.
By assuming that you are in cyber attackers’ crosshairs, you can better prepare yourself against the inevitable attack.
Identify your most valuable assets and links
You would never hire bodyguards and forget to tell them whom they are supposed to be protecting. In the same way, defending your systems starts with identifying your most valuable assets.
Identify potentially valuable data and how it could be vulnerable to well-funded, highly organized attackers. That crucial step will help spot the weakest links in your security system and highlight what you need to do to protect your assets.
Deploy a security platform capable of identifying and blocking today’s attacks
A widening gap between threat actors’ offensive abilities and badly outdated defenses has left organizations more vulnerable than ever. Today’s attacks exploit previously unknown, zero-day vulnerabilities, easily bypassing signature- and reputation-based defenses. And file-based sandboxes, touted by legacy vendors as their fresh approach to security, are constrained by many of the same flaws as traditional security products.
SMBs must take a radically different approach. They need a security platform that can detect and block both known and unknown threats with real-time, coordinated security.
A critical first step for small to midsize businesses is to realize that they are a target of cyber criminals. The data you store on customers, clients, patients and employees is very valuable to criminals. Being small does not make you less of a target; it actually makes you more of one. The best way to understand the risk of a data breach to your company is to perform a security risk assessment. A security risk assessment will identify critical data, determine how you are currently protecting that data, and recommend additional security measures to better protect it.
Understand a HIPAA / Meaningful Use
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.