WSJ What’s News - How Small Businesses Can Fight a Growing Wave of Cyber Crime
Episode Date: August 10, 2025
A surge in cyber attacks is increasingly hitting small businesses, the backbone of the U.S. economy. According to a forthcoming survey from Mastercard, nearly half of business owners have experienced a cyber attack, and nearly one in five that suffered an attack then filed for bankruptcy or closed their business. WSJ cybersecurity reporter James Rundle and Seyoung Jeon, lead cyber analyst at Security Intelligence Provider Dragonfly, discuss the vulnerabilities of small enterprises, what these attacks mean for the greater economy and what businesses can do to defend themselves. Kate Bullivant hosts.
Further Reading:
Hackers Target Eldercare Homes
For Some Companies, the Real Cost of a Cyberattack Is Telling Everyone About It
New York Orders Local Governments to Start Reporting Cyberattacks
Microsoft Alerts Firms to Server-Software Attack
U.S. Tells Companies to Prepare for Iranian Cyberattacks
Transcript
Hey, what's news listeners. It's Sunday, August 10th. I'm Kate Bullivant for the Wall Street Journal.
This is What's News Sunday, the show where we tackle the big questions about the biggest stories in the news by reaching out to our colleagues across the newsroom to help explain what's happening in our world.
On today's show, we're going to talk about how a surge in cyber attacks is increasingly hitting small businesses, the backbone of the U.S. economy.
It comes as the number of overall cyber attacks are ramping up,
thanks to more sophisticated ransomware and escalating geopolitical tensions
with countries such as China and Russia.
In just the past few months, we've reported how Microsoft was hit by, quote, active attacks,
targeting its server software, as well as the US government warning companies
to watch for increased cyber attacks linked to the conflict with Iran.
And while we often hear about how cyber attacks are hitting large businesses,
the impact these attacks are having on mom-and-pop shops can be overlooked.
There are constantly people, you know, trying to do these scams all the time.
It said that they need me to secure my account or I will lose access to it.
I get emotional because this took a huge financial burden on my family and myself.
It was the worst week of my life.
We literally sat there crying and just responding to people for days and days and days.
an eternity. According to a forthcoming survey from Mastercard, looking at over 5,000
small and medium-sized businesses across four continents, nearly half of business owners have experienced
a cyber attack on their current business, and nearly one in five that suffered an attack, then
filed for bankruptcy or closed their business. At the same time, the World Economic Forum reports
that a split is emerging regarding the resilience of small organizations to cyberhacks
compared with how their larger counterparts weather the storm.
To explore what's going on here and why small businesses are an appealing target for cyber hackers,
I'm joined by Journal cybersecurity reporter James Rundle, as well as Seyoung,
who's the lead cyber analyst at security intelligence provider Dragonfly,
which is part of Wall Street Journal owner Dow Jones.
James, I want to start by asking you how much of a critical issue has cybercrime become
for small and medium businesses?
Cybercrime has moved from a background risk
to a constant threat
for small and medium-sized businesses
and the big driver behind that is scale.
So in the past, an attack required planning,
patience, a pretty high degree of technical skill.
But today, artificial intelligence and automation
have really lowered the barrier to entry.
So an attacker with the right tools,
which you can easily find on the dark net
or even rent from cybercriminal gangs,
can generate tailored phishing campaigns
that are customized to imitate or target specific people.
They can craft malware.
They can scan thousands of systems for weaknesses with very little technical know-how.
And that means attackers can hit hundreds of targets at once.
So small businesses are facing this critical issue,
and they're not being singled out because they're suddenly more interesting.
It's because they're caught in the nets due to the mechanization of cybercrime,
making everyone a target.
And Seyoung, what are you seeing?
In my monitoring of these cybercrime and ransomware groups,
something that is quite surprising is seeing how many small and medium-sized businesses
appear in their victims list, even though for these major cybercrime groups,
these wouldn't seem like obvious targets.
And it really just has to do with the fact that cybercriminals generally go for the path
of least resistance, meaning they are trying to get the biggest payout for the least amount
of effort.
And the reality is a lot of small and medium-sized firms have invested less in cybersecurity protections
and are less equipped to respond to these sorts of incidents.
And James, as Seyoung pointed out, you'd
think that hackers would have bigger fish to fry here. Why are hackers targeting small businesses
in the first place? Well, they still go after the bigger fish. That's absolutely still happening.
But the risk calculus has changed. And that's really the irony here. As big companies have
improved their cybersecurity and actually done what they've been told to do for years,
that's shifted the criminal focus downstream. Small businesses often have weaker defenses.
They have smaller budgets, but they have just as much valuable data as larger companies.
And also many are also suppliers or service providers to larger companies, which makes them attractive both as direct targets and as potential beachheads or entry points into those bigger clients.
For a lot of small and even medium-sized businesses, they don't really have specialized cybersecurity departments.
They'll have IT staff, maybe a couple of people working on this.
But no one that actually has a lot of experience necessarily in things like incident response or more advanced cybersecurity setups.
So this means that when you have a small business that experiences a cyber attack,
they are usually less able to mitigate the impact of it early on.
So when an attacker gets into a company's internal networks,
you can limit the scale of the damage by, for instance, isolating them
and preventing them from accessing a lot more system files.
But when you don't have people who are able to respond to that readily,
especially since cyber attacks also happen out of office hours,
that's why small and medium-sized businesses can be so heavily affected.
Okay, so small and medium-sized businesses are clearly more vulnerable.
James, is that across the board,
or are some sectors even more susceptible to a hack?
There are some hacking groups that have been in the news lately, such as Scattered Spider,
which has a modus operandi of going after specific industries such as airlines, retail, gaming,
but some are more susceptible than others.
Healthcare is a good example of this.
It's a constant target, and small practices really are no exception.
As we saw during the cyber attack on Change Healthcare last year,
even a revenue interruption of a few weeks can seriously imperil smaller healthcare providers,
and they just can't afford downtime generally, not just financially.
If systems go down, then patient care stops.
And that urgency makes them more likely to pay quickly to restore operations.
Medical data is also uniquely valuable on the black market for all purposes.
You can't simply cancel your health records or your social security number
in the way you can cancel a credit card.
So once a small or medium enterprise has been hacked,
why are the consequences more dire for them?
Apart from just being unable to limit the impact of the attack,
there is also a lot of ancillary effects like the cost of notifying customers of a data breach that's occurred.
That's a very common effect of a ransomware attack.
And even a small business can have clients all over the world,
which means that they would have to comply with different data privacy regulations and notify the customers accordingly.
And doing that can become very, very expensive.
There is also, of course, reputational damage, especially in industries where privacy is considered very, very important,
things like law firms, health care companies.
There's also the potential legal fallout of failing to report a cybersecurity breach on time.
Coming up, we step back for a look at the wider consequences of when small businesses
fall victim to cyber attacks and what they can do to defend themselves.
That's after the break.
As we've been discussing,
cybercrime has moved from a background threat to a constant risk for small and medium-sized businesses.
I want to zoom out for a moment. James, we've already mentioned that small businesses are the backbone of the US economy.
They account for over 40% of US GDP. At what point does this become an issue for the wider US economy?
And do we see politicians doing anything about it?
Well, we're already there. It is a wider economic issue. Cyber attacks on small businesses,
they disrupt supply chains, they delay deliveries, they have a tendency to ripple into larger
communities and companies. And that's why policymakers are paying more attention at the municipal,
state and federal level, they're offering grants, guidance, and in some cases even tax incentives
for better cybersecurity. But it's important to say that there is a limit to what the government
can do. It can set standards. It can provide resources. It can even introduce regulation in
some critical infrastructure sectors. But it can't be the cyber cop for millions of
small businesses. Ultimately, companies do have to take responsibility for their own defences
with the government creating an environment that makes that achievable. If we're looking at what
companies can do to protect themselves, it's striking that a report from the World Economic Forum
found that more than a third of small institutions consider their cyber resilience inadequate.
What can these institutions do to be more prepared? Well, in terms of what companies can actually
do to protect themselves, a lot of cyber attacks occur through social engineering. So it's by convincing
people to click on links or to download certain files that are malicious that allow an attacker
into that system. Now, the internet is pretty much built on connectivity, not security. So in a way,
it makes sense that a lot of people are susceptible to these types of attacks. Because if you see
a hyperlink, because it's highlighted in a different color, that invites you to click it.
That's why it's so important, especially even for small businesses, to remain very vigilant,
conduct things like regular phishing tests, and make sure that their employees are up to date
on what sort of tactics cybercriminals are using to compromise them, because these are changing so often.
So now, for instance, with the advent of generative AI tools, you have voice phishing becoming increasingly more common, where an attacker will simulate the voice of the trusted individuals in the company to try and convince someone to transfer funds or gain access into an employee's account.
In addition to just remaining vigilant for these sorts of social engineering attacks, keeping software up to date is also very important, and I'm sure every IT team in the world knows this as well.
But attackers can use automated scanning tools to identify known vulnerabilities in a business's network and then reach them that way.
There's also like the very standard things of just maintaining regular data backups,
implementing multi-factor authentication for your employees, and also if you are concerned about
DDoS attacks, investing in anti-DDoS protection services. A DDoS attack is essentially when an attacker
floods your network with a lot of traffic and takes a website down. And that can be really
detrimental, for instance, a small business if you are relying on online sales to generate a lot
of your revenue. And just to follow on, fundamentals really do go a long way. I can't tell you
how many times I've had very senior law enforcement and intelligence officials tell me that
75% of what they deal with would go away overnight if everyone followed the basics.
Like Seyoung said, strong passwords, multi-factor authentication, software updates, data backups, employee
training. These steps aren't expensive. They're not always cheap either, but they can drastically
reduce the odds of a successful attack. And having a basic plan for what to do when that happens
can really turn what could be a potential disaster into a manageable disruption.
Okay, so small businesses need the basics when it comes to their online security.
It makes me wonder where cybersecurity firms fit into this.
This is an industry that's doing well.
A couple of cybersecurity indexes have performed significantly better than the S&P over the past year.
A lot of cybersecurity firms can offer managed services for smaller companies
that may not be able to operate a full cybersecurity team.
So that's how they can mitigate against a lot of these risks.
But I also think that adding more and more software
into these business operations also increases the risk of things like supply chain attacks.
So let's say a business relies on a third-party vendor for cloud storage services.
So if an attacker breaches the vendor,
they could gain access to data stored by that business.
And a good example of this is actually the recent Microsoft SharePoint attacks.
So there was a previously unknown vulnerability in Microsoft SharePoint servers
that was first exploited by attackers a few weeks ago.
And now we have ransomware groups trying to encrypt the data on some of these servers.
And of course, some of this data belongs to companies and government agencies.
And James, what are you finding in your reporting?
Similar to what the World Economic Forum found is very much a cyber poverty line
between those who have and have not.
And what cybersecurity firms do for smaller companies is they fill that expertise gap.
Most small businesses, as Seyoung said, can't afford a dedicated security team,
but managed service providers who do this for many smaller companies,
they can offer enterprise-level protections like monitoring, endpoint security,
incident response at a scale and price that small businesses can use.
There are still issues in the vendor landscape,
particularly when you get into insurance and the gaps in coverage that exist there.
There are companies out there who make these services simple, affordable, and accessible,
so smaller companies can see them really as sort of essential investments
and not optional or overly complicated extras because they are these days.
That was Journal cybersecurity reporter James Rundle and Seyoung Jeon,
who is the lead cyber analyst at Security Intelligence Provider Dragonfly,
which is part of Wall Street Journal owner Dow Jones.
James, Seyoung, thank you both so much.
Thank you.
Thank you.
And that's it for What's News Sunday, August 10th.
Today's show was produced by Charlotte Gartenberg,
with supervising producer Sandra Kilhoff.
We got help from Deputy Editor Chris Zinsley.
I'm Kate Bullivant. We'll be back on Monday morning with a new show. Thanks for listening.