
Small Business Cybersecurity: What Smaller Companies Can Learn from the 2023 Verizon Data Breach Investigations Report

July 31, 2023 | June 28th, 2024

Think fast: are small businesses or large businesses better targets for hackers?

At first thought, large businesses may seem like the logical answer. After all, they have more financial resources to go after.

However, large businesses are more likely to have larger security budgets – or even a designated Information Security team. They’re more likely to have strong security programs in place – which makes an attack less likely to be successful.

As a result, it’s no surprise that the 2023 Verizon Data Breach Investigations Report found that small businesses sustained more incidents – and a higher percentage of incidents with confirmed data exposure – than larger enterprises.

| | Small Businesses | Large Businesses |
|---|---|---|
| Number of incidents | 699 | 496 |
| Number of incidents with confirmed data exposure | 381 | 227 |

(For the purposes of this analysis, ‘small businesses’ were classified as those with fewer than 1,000 employees, while ‘large businesses’ were classified as those with more than 1,000 employees. Mid-size businesses were grouped with the small business category.)

So: what else do small businesses need to know about the current cybersecurity landscape?

The top attack vectors were the same for both small and large businesses:

  • System intrusion
  • Social engineering
  • Basic web application attacks

Most attacks – across both small and large businesses – were financially motivated.

However, large businesses experienced a handful of “ideologically” motivated attacks, which were not mirrored in the small business sector.

External threat actors were more commonly the cause of incidents at small and mid-size companies.

94 percent of incidents in the small business sector were traced back to external actors; this was slightly lower, at 89 percent, for large enterprises. Large businesses also had double the rate of partner-related threat actors.

Small businesses are increasingly using similar services and infrastructure to larger enterprises.

However, as Verizon points out:

“What is very different is the ability of organizations to respond to threats due to the number of resources they can deploy in the event that they are attacked.”

Smaller organizations are less likely to have a CISO (or other employee responsible exclusively for security and compliance). One- to five-person IT teams are more commonly tasked with identifying threats, implementing and testing security controls, and completing annual security audits. These resource constraints can leave them spread far too thin.

However, small teams can’t build an enterprise-class security program overnight. It’s more realistic for smaller businesses to prioritize low-hanging fruit where they can, working their way through manageable efforts that match their overall maturity level, risk profile, and tolerance. (A great place to start? The CIS Critical Security Controls Navigator.)

Let Curbstone Help with Some of the Burdens of Security and Compliance

At Curbstone, we’ve been in the payments industry for more than 20 years; we’ve seen countless payment card security threats come and go. However, our focus on secure credit card processing has remained the same.

We’ve helped small and mid-sized businesses process credit card payments without storing or transmitting the data on their own systems, which provides a higher level of security from cyber threats. At the same time, this helps take part – if not all – of their infrastructure out of scope for PCI audits. When they’re already working as hard as they can to keep up with their compliance requirements, it can save days – if not weeks – of effort when it comes to reporting and compliance.

Ready to start building a stronger payment card security program? Check out all the ways our technologies can help you securely process payments online, in person, and even over the phone, or start a conversation with a member of our team.