Which businesses are the most likely to get hacked?

It seems that every day, we hear about another major cyberattack or other digital security incident that exposes the personal and financial information of thousands of people to hackers and other cyber-criminals.

Yahoo, Equifax, Uber, Marriott Hotels, Home Depot. It’s easy to get the impression that it’s only mega-companies that are targeted by hackers, because those are the cases we hear about on the news. But what does it all mean to your family restaurant, healthcare, plumbing or online retailing business? You don’t have hundreds of thousands of customers. Are you at risk for a cyberattack? How much could it cost? And what can your business do to protect itself?

In 2017, Statistics Canada conducted a survey of businesses in 23 different sectors, and overall, larger businesses were significantly more likely to respond that they had been impacted by some kind of cyber security issue. In fact, 41% of large businesses (those with more than 250 employees) said they had been victims. About 28% of medium businesses (50 to 249 employees) said they’d been hacked, and about 19% of small businesses (10 to 49 employees). A 2018 cira survey put those numbers at 66, 50 and 42%. Regardless of which numbers you believe, the risk seems to increase as your business grows, so that is something to be aware of for your small but growing enterprise.

The other interesting finding from the cira survey was that IT managers were much more likely to report their business had been hacked than business owners at the same business. Only 24% of business owners said they’d been hacked in the last year, compared to 50% of IT managers. This suggests that the smallest businesses, which likely don’t have someone dedicated to IT, may under-report hacking, because they may not even know when they are being victimized.

The question isn’t “Which industries are most targeted?” as much as “Which industries stand to lose the most from a cyberattack?” Cyber-criminals today are not a homogenous group. There are hackers that will spend months and months trying to extract data and funds from one specific company, and there are those who target hundreds of businesses at the same time with phishing emails and other tactics, hoping to get a handful of curious employees to click on a mass email link, then extort some money with a denial of service attack, and move on to the next batch of potential victims.

Dedicated cyberattacks are most likely to target larger, high-profile businesses (sometimes just for hacker bragging rights), online gaming platforms (because that’s the world where hackers live), and financial services (yeah, because of the money). Any business or individual is vulnerable to the second type of mass hacking, no matter the industry, and this type of attack is what you should be worried about. It’s much more likely. The fact is that you’ve probably already been targeted, and if you haven’t been targeted yet, you’re on someone’s list.

A 2018 IBM study looked at 477 businesses from 15 countries that had experienced some kind of data breach, and asked them about how these cyber-incidents affected the business. In terms of total losses from a breach, the healthcare industry is by far the most vulnerable. In fact, this industry reported average costs of more than $400 per customer record that was compromised. Financial services was a distant second, at just over $200 per record. These numbers make sense given the nature of the data that these businesses hold about their customers. However, even the least affected sectors reported costs of $75 per customer or more.

Again, the fact is that the most likely attack for the overwhelming majority of businesses is a simple ransomware, malware or denial of service attack. These attacks don’t target data, they target your operational business systems. So what you need to think about is, what would happen if your website was down for a week, or your payroll system, or your CRM. What if you couldn’t process customer orders? Although in most cases, ransom may be a few thousand dollars, and you may choose not to pay it, this kind of attack can cost your business tens, even hundreds of thousands of dollars in lost productivity and lost customers, and hundreds of man-hours in trying to diagnose and fix the problem.