Earlier this week, reports said two researchers from Bloomsburg University of Pennsylvania made their case for safe harbor rules and an overall easing of regulatory penalties for small businesses hit by a cyberattack. Their argument, according to reports in the Wall Street Journal, is that small businesses are held to the same standards as large corporations when they suffer a data breach, even when the small business is found not to be at fault.
Yet small businesses rarely have the resources to pay, and survive, fines of thousands or even millions of dollars. They also lack the money to train staff, adopt cybersecurity technology, and bring in the sophisticated expertise needed to protect data. While small and mid-sized businesses (SMBs) must be diligent about data protection and cybersecurity, the professors suggest regulators design legislation proportionate to the size of the business.
Recent research from GoDaddy adds more data on the financial struggles small businesses face in managing their cybersecurity risks, beyond regulatory penalties. In what GoDaddy researchers described as a “website security paradox,” they found that small businesses don’t have the resources to protect themselves, which leaves them exposed to expensive cyberattacks.
In a survey of more than 1,000 “very small businesses,” nearly half told GoDaddy that they have suffered a financial loss as a result of a hack. One in eight reported those losses to be greater than $5,000.
“We refer to this as the small business website security paradox — small business owners lack the knowledge and their perceived notion of funds needed to more fully secure their website,” GoDaddy General Manager of Security Product Group Tony Perez said in a statement announcing the report. “But once the website gets hacked, it can lead to significant financial loss due to its effect on business reputation.”
Two-thirds of the small businesses surveyed by GoDaddy said they spend only between $1 and $500 a year on cybersecurity initiatives, and fewer than one-third said they regularly check their website for vulnerabilities (40 percent said they rarely, if ever, do so).
Yet small businesses are the biggest target for cyber thieves. The majority of malware victims are small businesses, GoDaddy noted, and ransomware is a rising threat to SMBs and their coffers: one in five SMBs fell victim to a ransomware attack in the last year. GoDaddy’s report said this has cost small business owners millions of dollars, and attackers show no signs of letting up.
GoDaddy analyzed thousands of websites and found that half of the more than 65,000 requests for assistance with a compromised website last year involved sites running outdated software on the WordPress content management system. In the cases GoDaddy handled, security professionals had to clean up, on average, 110 compromised files per hack. One case, however, involved more than 35,000 compromised files.
Further, once a site has been infiltrated, cleaning up the infected files is not always enough to contain the attack: attackers can re-enter the platform through a backdoor they planted during the initial compromise.
The financial implications of a cyberattack stretch beyond a ransomware payment, fines, or other fees associated with getting a company back up and running.
GoDaddy’s analysis also explored the damage a cyber incident does to a small business’s reputation, along with other long-lasting effects, including the risk of an SMB’s website being blacklisted by search engines and internet security companies.
“It’s the double whammy of website security: first the hacker steals, then a small business can’t make money because their website is invisible to customers,” GoDaddy said in its report, emphasizing how hard it is for a small business to earn the revenue it needs to rebound after an attack, including the cost of getting off the blacklist.
Worse, according to GoDaddy’s analysis, 90 percent of websites infected with malware were not flagged or blacklisted at all, meaning the owner of such a site continues to face ongoing exposure to cyber thieves.
“This is where the paradox grows even deeper,” the researchers said. “Getting flagged or blacklisted for having malware effectively shuts down a small business’s website; not getting flagged when a website has malware leads to greater vulnerability to hackers.”