4 Cybersecurity Risks Facing Small Business | Tory Burch Foundation


4 Cybersecurity Risks Facing Small Business

2019 Tory Burch Foundation Fellow Heather Stratford on keeping your online business safe.

Cybersecurity is becoming more and more important for businesses. Increasingly we hear the news reporting ransomware attacks and private data for sale on the web. Small businesses are not immune to cybersecurity risks, with 43 percent of small businesses having suffered a cyber attack in the last year. Despite this, 91 percent of small businesses do not carry cyber insurance.

With the recent pandemic response requiring businesses to shift employees to work from home, cybercriminals have profited from the opportunity of weaker security. Since the beginning of 2020, the number of cyberattacks against businesses has increased exponentially. According to a recent University of Maryland study, hackers attack every 39 seconds (an average of 2,244 times a day). Bad actors are being opportunistic and capitalizing on the mistakes many businesses are making, allowing breaches and attacks to flourish.

Working from home does not mean defaulting to an individual’s personal cybersecurity practices. There are a number of tips that can help fortify the essential areas of a business and help prevent needless loss of time, money and reputation from a breach of data or customer information.

Four of the biggest cyber risks for businesses, specifically for online and eCommerce, are: Phishing attacks, BEC (Business email compromise), Stolen Data and Fraud, and E-skimming.



Over 90 percent of malware is delivered to businesses through email. That is a staggering number. Email is the number one most vulnerable area because it involves all of the employees, not just the technical team. Whether a company is large or small, the quality, training, and internal procedures it institutes for employees are critical factors in the protection of the whole company.


Assign someone in the organization to train employees and/or be responsible for the task. There are many products that are designed to help educate all staff. Don’t assume that because a company is small, bad actors will not attack.



Business email compromise (BEC) is a type of scam that involves tricking employees into changing wire transfer or supplier information. In the past, this type of attack was also called a man-in-the-email scam. Bad actors use social engineering to find out people’s names, job roles, significant dates and interests to guess passwords. They use this information to cleverly attack and make critical financial changes. These attacks are often targeted toward owners or senior management who might be older and less tech-savvy. The loss of funds can be crippling, and the money often cannot be located or returned.


Slow down and confirm any urgent request, especially ones involving money or access. Contact the person making the request directly via the number you have (not one the message provides) to confirm the request.



eCommerce sites function with credit cards or payment services, which makes them a valuable target. Stolen data can give bad actors a person’s passwords and basic information to use fraudulently.


Small businesses that heavily use websites need to follow the PCI standards (that is, the credit card security standards), set basic limits regarding what can be spent in a day, add address verification systems, use password management systems, and require strong passwords. Also, make sure you monitor and regularly update your website. Bad actors can easily see which sites are vulnerable and easy to defraud.



E-skimming is when a bad actor steals a customer’s credit card or personally identifiable information right as they are entering it on a website. It is “skimmed,” or immediately transferred to another domain under the control of criminals, who then use the data to purchase something else. Until caught, the credit card information appears good and is usable, causing problems for both its owner and the businesses that accept it later.


Small businesses that heavily use websites need to perform regular updates to payment software, install patches or updates regularly, use anti-virus software, and monitor and analyze web logs. All of these services can be outsourced to a managed service provider. They do not have to be handled by the staff of a small business.

All businesses are at increased risk from cyber attacks due to the recent shift of working from home and the “new normal.” However, small businesses are more at risk, because they generally have less knowledge and fewer processes in place to spot and prevent attacks from happening. Training employees, hiring consultants or using managed service providers to help establish good safety practices can mean the difference between a growth year and shutting down a business. Know your risks and follow the solutions outlined above to minimize loss and keep your business secure.

For a list of terms you’ll need to know, check out this glossary: Cybersecurity Explained.