You don’t think your small business will get hacked? New study says you’re wrong

CHICAGO - Yahoo's been through it. So has the Democratic National Committee. More recently, it was Equifax.

But it's not just large businesses and organizations that are targeted by hackers. In fact, one in five small businesses has been targeted by a cyberattack, according to a study published this month by the Better Business Bureau.

'It's not a matter of if, but when a small business will be hit with a cyberattack,” said Steve Bernas, president and CEO of the Better Business Bureau of Chicago and northern Illinois. 'Education is the most important thing, not just to educate yourself, but your employees.”

Many businesses don't know they have been hacked - because hackers are trying to use them to get into bigger companies in the supply chain, according to BBB.

'Small businesses have limited resources and expertise to address these problems,” Bernas added. 'With so much information out there, they really don't know what is the best way to protect their business.”

While the majority of businesses at risk for criminal hacking are major institutions that deal with a lot of data - such as banks - the idea that small and midsized businesses aren't a target is mistaken, said Richard Sypniewski, CEO and managing director of Sagin, a management consulting and IT management company.

At greater risk are not-for-profit institutions as their information technology departments usually aren't very sophisticated, Sypniewski said.

'Their defenses are probably not very strong and they are easier targets,” he added.

That's because they typically have large databases of donors, several of whom might be high-net-worth donors, making a cyberattack even more attractive to criminals. Other not-for-profits have affiliated organizations - the Art Institute of Chicago's School of the Art Institute, for example, has a trove of student information as well, Sypniewski said.

According to the study, 90 percent of cyberattacks on business come from phishing emails and 90 percent of those phishing emails are ransomware, in which scammers breach a company's operating system with software designed to block access or hold data hostage until a sum of money is paid.

In other cases, criminals have scattered USB drives in large parking lots, expecting that people will pick them up and put them in their computers to see what is stored on them.

On average, cyberattacks cost small businesses almost $80,000 a year.

In the BBB survey of 1,100 businesses nationwide, nine out of 10 respondents said they had some sort of cybersecurity measures in place - most often, anti-virus software, firewalls and employee education.

The best protection, according to Sypniewski, is farming out IT management and data storage to a third-party cloud system.

'It's not foolproof, but it's 98 percent to 99 percent better than you managing your (IT and cybersecurity) on-site and housing your own servers,” he said.

Cybersecurity awareness among small businesses has come a long way in recent years, according to the report, with 76 percent of businesses in the study aware of the risk of phishing.