Why small businesses are big targets for cybercriminals — and 6 steps to protect them this holiday shopping season

What’s worse than receiving one of those letters in the mail informing you that the business you’ve entrusted with your information has fallen victim to a data breach?

Perhaps it’s being the business to have to send that letter in the first place.

For small business owners — and particularly micro businesses and solopreneurs with tight cash flow — that can be devastating. The average cost of a cyberattack can range from $120,000 to $1.24 million per strike,  according to a recent report on the state of IT for small and medium-sized businesses, and in 2023 alone, nearly 43% of all cyberattacks were directed at smaller businesses.

And when small businesses take a hit, we all take a hit. They’re the backbone of economies and are critical to sustaining livelihoods around the world, accounting for 90% of all businesses, providing 60% to 70% of jobs and creating half of the global gross domestic product.

An ever-growing number of these businesses are now part of the digital economy — in fact, Mastercard has helped 50 million more small businesses securely pay, get paid, access capital and digitize their operations since 2020. And while many have implemented robust cybersecurity practices to safeguard their sensitive data, maintain trust, and ensure a smooth and secure shopping experience for their customers, some still believe they’re small enough to evade notice by hackers and fraudsters. That’s just not the case. And with peak holiday shopping season upon us, the increase in online transactions brings a rising risk of cyberattacks.

Small businesses are targeted by hackers precisely because of their size, says Jane Prokop, Mastercard’s global head of small and medium enterprises. These businesses are often too small to hire IT or cybersecurity specialists, and business owners wear too many hats to keep track of the latest updates or research the best network monitoring software.

Even for businesses that can cover the cost of the breach, reputational harm can be ruinous, Prokop says: “Local businesses thrive on personal relationships and loyalty. Trust that took years to build can be shattered in seconds — and may never be restored.”

Cybersecurity concerns are a top threat for 60% of small business owners, yet just 23% say they are very prepared to handle a cyberattack if one occurred, according to the U.S. Chamber of Commerce and MetLife’s Small Business Index.

Digitization has been a boon for small businesses, but many owners are overwhelmed by the cacophony of offers and solicitations for tech solutions, which creates more opportunities for bad actors to pounce.

“More and more small businesses are taking steps, but they still are targets,” says Thomas Sullivan, the vice president of small business policy at the U.S. Chamber of Commerce. “Small businesses want the ‘easy button.’ They get a little bit frustrated about being upsold all the time, but they continue to look for the ‘easy button’ when it comes to a number of things, not the least of which is cyberattacks.”

As small businesses around the world continue on their digitization journey, the cyber threat they face increases exponentially. Here are six tips to help small businesses keep their data — and, critically, that of their customers — secure.

01
Update your devices

Boost your digital immunity against threats such as viruses and spyware by keeping your systems up to date. Software updates can include the defenses against the latest security threats, so set your devices to update automatically to stay protected.  

02
Think beyond simple passwords

Use passphrases only you would remember instead, and use multi-factor authentication such as passcodes, biometrics or other authentication tools to secure your accounts and give you enhanced protection against hackers.  

03
Prevent phishing and malware

Anti-virus software and ad blockers can protect your systems against malicious activity. Using a VPN provides an additional layer of security because it can protect your online activity by encrypting your data.  In the event your system is breached, your data will be much harder for your attackers to decipher. 

04
Back up and recover

Up-to-date backups are critical for recovery from these cyberattacks (and are generally very good business protection). Additionally, store your backups in a second location or on a separate device that isn't connected to the computer you're backing up. 

05
Protect your mail and reputation

Protect your email addresses and domain name from imitators by using a DMARC (Domain-based Message Authentication, Reporting, and Conformance) tool. This email authentication protocol helps protect domains from unauthorized use such as email spoofing.  

06
Know your weak spots

Protect your data and systems from being compromised by knowing the security of your supply chains and third-party risk. Check the cyber risk of external systems that are interlinked with your own using a solution such as My Cyber Risk powered by RiskRecon to help you understand any exposure and act on those risks.

Digitally enabling small businesses can power economies, but a security-centric approach is critical for collective success. Taking proactive steps now ahead of the busy holiday season can help prevent costly breaches and downtime.