Cybercrime's easiest prey: Small businesses

small business cyber crimes
Small businesses are the 'most victimized'

Cybercriminals have picked their easiest prey: Small businesses.

A data breach investigations report from Verizon (VZ), released Tuesday, showed that small businesses continue to be the most victimized of all companies.

Of the 621 confirmed data breach incidents Verizon recorded in 2012, close to half occurred at companies with fewer than 1,000 employees, including 193 incidents at entities with fewer than 100 workers.

A separate report from cybersecurity firm Symantec (SYMC) confirmed that trend. It found cyberattacks on small businesses with fewer than 250 employees represented 31% of all attacks in 2012, up from 18% in the prior year.

It's a pattern that Kevin Thompson, senior analyst with Verizon's RISK team, says he has noticed for the past six years.

Larger corporations have upped the ante against cybercrime recently, investing heavily in sophisticated security strategies. That's forced cybercriminals to look for other ways in.

"A typical small business doesn't have a 50-person IT department and every computer protected," said Andrew Singer, director of Symantec's small business group. "They don't have the money for it."

Related Story: Shodan: The scariest search engine on the Internet

Hacking anything connected to the Internet
Hacking anything connected to the Internet

Increasingly, cybercriminals are using smaller businesses as a stepping stone. Smaller suppliers or partners of large companies often "offer the path of least resistance" into a major corporation's network, noted Singer.

Another tactic some more patient cybercriminals are using is targeting small companies in growth industries, such as health care or manufacturing. The bad guys hope that their targets could be acquired by a larger corporation in a year or two. Meanwhile, they lie in wait -- if and when the company merges or is acquired, they gain access to breach the system of the larger parent company.

Despite the statistics, too many small businesses think they're invulnerable. Some believe their small business would be a boring target for hackers.

That's a mistake, said Vikram Thakur, Symantec's principal security response manager. Small businesses can't afford to remain complacent or ignorant about the risk of being a cyberattack target.

"Small businesses retain very valuable information for hackers, like customers' credit card numbers, intellectual property, and money in the bank," he said. "Small companies are lucrative victims, too. That's making the target on their back even bigger."

The most common tactics cyberattackers use against small businesses include "ransomware" scams that lock computers and demand a ransom fee. Attackers also use malicious software designed to steal information from employees' mobile devices and malware that uses a small businesses' website as bait to gain access to a larger company's database.

As cyberattacks proliferate against them, Verizon's Thompson said the most important lessons for small businesses are the most basic: Use good passwords, update your antivirus software and don't expose your essential business services to the Internet.

-- Are you a small business that recently suffered a cyberattack that significantly hurt your company? Email your story to and you could be part of an upcoming story on

CNNMoney Sponsors