A multinational enterprise is often the victim when a data breach makes it to the headlines. But if you think SMBs are out of the woods, think again.

According to the National Cyber Security Alliance, more than 70% of attacks target small businesses. Even more alarming, the same source reports that 60% of those businesses close within a year of the breach.

To protect your business and its data from breaches, you need to know where you are weakest. A full security audit is the only way to get an objective picture, but certain areas of a small business are weak often enough that they deserve attention up front.

Let’s look at three of the biggest data vulnerabilities in small business today.

Employees And Insiders

Your employees can be a game-changer. Motivating them and keeping them engaged can do wonders for your organization’s productivity, satisfaction, and innovation.

But did you know that insiders also account for a large share of the risk to any business?

IBM’s 2016 Cyber Security Intelligence Index found that more than 60% of data breaches were carried out by insiders. Of these, about 75% involved employees acting with malicious intent, so be careful who you let into your yard!

Sometimes, however, even honest employees can be inadvertent actors in a data heist.

We can be tricked into clicking a link in a phishing email, lose a company-issued smartphone, or reveal mission-critical information to a con artist over the phone. Any of these scenarios (and more) can lead to a breach.

But inadvertent or not:

A breach carried out with an employee’s legitimate network access is far harder to detect and defend against than, say, an attacker brute-forcing a login from outside.

Because the activity arrives over a trusted, authenticated connection, perimeter controls such as firewalls and failed-login alerts see nothing to object to. What gives it away is only the account’s behaviour (volume, timing, source), and only if someone is actually baselining that behaviour. Too often, such breaches are discovered only after irreparable damage has been done.
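
As an added illustration (example code, not from the original article or any particular product), the script below shows the kind of behavioural check that does catch misuse of valid credentials. The log line format, the 10.0.0.0/8 corporate range, the working hours and the per-user download baselines are all constructed assumptions; a real deployment would draw them from your own file-server or VPN logs and from observed history.

```python
"""Behavioural check for misuse of legitimate credentials.

Added example, not code from the original article. Everything here is
constructed for illustration: the log line format, the corporate address
range, the working hours and the per-user download baselines.

Each log line models one file-server access event:
    <ISO timestamp> user=<name> src=<ip> action=<read|download> bytes=<n>
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)

# Assumed corporate network and working hours (hypothetical values).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WORK_HOURS = range(8, 19)  # 08:00 to 18:59

# Constructed baseline: typical daily download volume per user, in bytes.
BASELINE_BYTES = {"alice": 50_000_000, "bob": 5_000_000}

# Constructed sample log. bob's late session is what an insider (or anyone
# holding bob's password) would produce: off hours, external IP, bulk pull.
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=alice src=10.1.4.22 action=read bytes=120000
2024-03-04T09:40:11 user=alice src=10.1.4.22 action=download bytes=30000000
2024-03-04T10:05:45 user=bob src=10.2.7.9 action=read bytes=4000
2024-03-04T23:17:30 user=bob src=198.51.100.23 action=download bytes=900000000
2024-03-04T23:21:02 user=bob src=198.51.100.23 action=download bytes=850000000
2024-03-04T09:50:00 user=carol src=10.3.1.5 action=read bytes=2000
"""


def parse(log_text):
    """Parse log lines into dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "action": m["action"],
            "bytes": int(m["bytes"]),
        })
    return events


def detect(events, baseline=BASELINE_BYTES, multiplier=3):
    """Return {user: [reasons]} for accounts acting out of character.

    None of these events is a failed login or a blocked connection, so a
    perimeter tool sees nothing wrong; the signal is in the comparison
    against the account's own normal behaviour.
    """
    downloaded = defaultdict(int)
    alerts = defaultdict(set)
    for e in events:
        if e["action"] == "download":
            downloaded[e["user"]] += e["bytes"]
        if e["ts"].hour not in WORK_HOURS:
            alerts[e["user"]].add("activity outside working hours")
        if not any(e["src"] in net for net in CORP_NETS):
            alerts[e["user"]].add("access from outside corporate network")
    for user, total in downloaded.items():
        # Users with no baseline get zero, so any download is flagged.
        if total > baseline.get(user, 0) * multiplier:
            alerts[user].add(
                f"download volume {total} exceeds {multiplier}x baseline")
    return {u: sorted(r) for u, r in alerts.items()}


if __name__ == "__main__":
    for user, reasons in detect(parse(SAMPLE_LOG)).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run as is, only bob is flagged, for three independent reasons; alice’s large but in-baseline download from the office passes. The thresholds are deliberately simple. The point is that the comparison is against the account’s own history, which a firewall never makes.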

Mobile Devices

Bring Your Own Device (BYOD) is a workplace policy that allows employees to use their own smartphone, tablet, or personal computer for work.

The practice has become mainstream in the business world, with about 74% of organizations today allowing employees to use personal devices for work purposes.

And why not!?

A BYOD workplace reduces hardware and networking costs, which is always welcome among small business owners.


Workers, for their part, get to use a device and interface they already know, which shortens the learning curve. A study sponsored by Samsung found that using personal devices for work saves employees 58 minutes a day and boosts productivity by 36%.

On the other hand…

A BYOD policy with poor implementation will do more harm than good for your business.

Different mobile operating systems, and different versions of the same one, do not always work with the same business apps and management tools, and those interoperability gaps can get in the way of work.

But compatibility is the least of your BYOD concerns. The bigger worry is the cybersecurity risks it entails.

For starters, without some form of device management you have no visibility into what is on your employees’ devices. They may never have turned on encryption or installed a reliable anti-malware app. Workers may also have poor security hygiene, such as:

  • Connecting to unsecured public Wi-Fi to access work files
  • Installing apps indiscriminately
  • Not using a PIN, pattern, or biometric lock
  • And more

And lest we forget:

Employees also lose devices, or have them stolen.

A lost or stolen BYOD device without encryption and a screen lock hands your business’ confidential information to whoever picks it up.

And depending on your industry, losing an unsecured BYOD laptop or smartphone can itself be a regulatory violation. Many healthcare organizations, for example, have been penalized under HIPAA after losing computing equipment containing “individually identifiable health information.” Full-disk encryption is the key mitigation here: under HHS breach-notification guidance, the loss of a device whose data was properly encrypted is generally not treated as a reportable breach.

Third-Party Vendors And Service Providers

Outsourcing important business processes to suppliers is critical to the survival of many businesses. Examples include a provider that maintains your printers, one that supplies and stocks your food and drink vending machines, or delivery drivers who carry your stock to customers.

With the help of third parties, a business can widen its range of products and services and increase its capacity, without the steep costs and long cycle of hiring top talent.

But as outsourcing increases, so does the risk of attackers finding a way into your systems through a third party’s access.

Just how common have these breaches become?

According to a 2017 report by Ponemon:

About 56% of the organizations surveyed had suffered a data breach caused by a third party.

Let’s look at some of the high-profile data breaches in recent years, where hackers took advantage of a third party’s access and network credentials:


  • Target: When Target was breached in 2013, the United States Secret Service helped with the investigation. The attackers got into the retailer’s network using network credentials stolen from an HVAC service provider, a reminder that a vendor’s remote access deserves the same segmentation and monitoring as an employee’s.


Security journalist and NYT best-selling author Brian Krebs reported estimates that Target could face up to $420 million in costs: reimbursing banks for millions of replacement cards, legal fees, credit monitoring for customers, and non-compliance penalties, among other things.

  • Hyatt: The international hotel chain attributed its 2017 breach, in its announcement, to “malicious software code from a third party” inserted onto its payment systems. The malware captured card data at 41 hotels across 11 countries, affecting guests who swiped or manually entered payment cards at the front desk.
  • Uber: The ride-hailing company disclosed in November 2017 that attackers had stolen data on Uber users around the world. The third party involved this time was GitHub, the code-hosting service Uber’s engineers used to store and collaborate on source code.

The attackers got into a private Uber repository on GitHub and found credentials for one of Uber’s Amazon Web Services accounts, which Uber used for computing tasks. With those credentials they took the personal information of some 57 million riders and drivers worldwide, including the driver’s license numbers of around 600,000 US drivers.

The hackers’ demands:

Uber must pay $100,000 in exchange for deleting their copy of the data.

The ransom was chump change for a company valued at about $70 billion. But the attack was damaging, not least because it had actually happened in 2016, a year before the disclosure. Uber’s then chief security officer, Joe Sullivan, reportedly concealed the details of the breach rather than notifying regulators and affected users as state breach-notification laws require.
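
The Uber case turns on a credential sitting in a code repository, which is something you can check for mechanically. The scanner below is an added example, not Uber’s code or GitHub’s tooling. The file tree it scans is constructed, and the key ID and secret in it are the placeholder values AWS uses in its own documentation, not live credentials. It pairs the well-known shape of AWS keys with an entropy check so that 40-character filler strings are not reported.

```python
"""Scan repository content for leaked AWS credentials.

Added example, not code from the original article and not Uber's or
GitHub's tooling. The file tree below is constructed; the key ID and
secret in it are the placeholder values used in AWS documentation, not
real credentials.
"""
from collections import Counter, namedtuple
import math
import re

# AWS access key IDs are 20 chars starting with AKIA (long-term) or
# ASIA (temporary). Secret access keys are 40 chars from the set below.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

Finding = namedtuple("Finding", "path line kind value")

# Constructed repository snapshot: {path: file content}.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    # A 40-character placeholder with the shape of a secret but none of
    # the randomness; the entropy check drops it.
    "README.md": "Set AWS_SECRET_ACCESS_KEY to " + "0" * 40 + " before running.\n",
    # The right way: no credentials in the repository at all.
    "app/main.py": (
        "import boto3\n"
        "session = boto3.Session()  # credentials come from the environment\n"
    ),
}


def shannon_entropy(s):
    """Bits per character; real secrets score high, fillers score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text, min_entropy=3.5):
    """Return findings for one file, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= min_entropy:
                findings.append(
                    Finding(path, lineno, "aws_secret_access_key", m.group(0)))
    return findings


def scan_tree(files):
    """Scan a {path: content} mapping (in practice: staged files or git history)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def redact(value, keep=4):
    """Never echo a whole secret into a log or terminal."""
    return value[:keep] + "*" * (len(value) - keep)


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {redact(f.value)}")
```

Hook a scanner like this into a pre-commit check, and run it over full git history as well, since a secret that was committed and later deleted is still in the repository’s past. Treat any real hit as already compromised: rotate the key first, then clean up. Deleting the file does not unleak the credential.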

About the Author:

Nathan Sharpe is the entrepreneur behind Biznas, a blog where he serves practical business advice and tips to readers. Learning and helping others learn is his passion.