Among the myriad misconceptions many small-business owners harbor regarding data security are these:
- “We have nothing that cybercriminals would want, so we’re safe.”
- “The only thing a cybercriminal would want to do is deface my website.”
Both of these ideas are dead wrong, especially for those small businesses in the healthcare industry.
The Ugly Truth
Although it’s true that hackers can make off with a bigger haul by successfully penetrating a large business, doing so is usually (but not always) more difficult than breaking into a small-business system:
- Large businesses tend to have more sophisticated security technology and practices.
- Small businesses may not observe, or even know about, the best security practices and often do not have the latest security updates on their systems.
- Small businesses often do not have a response plan for security breaches, and may not actively monitor their systems for signs of malicious activity; thus, a breach of a small-business system can go undetected for a long time.
Further, cybercriminals do have a major motivation to focus on healthcare entities, because of the high price they can get for individual medical records on the black market. They are not particularly interested in vandalism to a firm’s website, because that provides instant evidence that a breach has occurred; they are more interested in the saleable data they can access and steal, undetected, for as long as possible.
Hence, small businesses are in many ways more vulnerable to cybercrime than large businesses, because they are easier targets with data that’s just as valuable.
It Gets Worse
By some estimates, the average website is attacked over 50 times per day. Most of these are attempts by automated software agents, or “bots,” that attack as many websites as they can find by trying to exploit common vulnerabilities, such as administrative accounts with default or easily guessed passwords, or unprotected software ports. The security provided by the web hosting provider easily thwarts most of these attacks, and website owners never hear about them.
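Automated password guessing against administrative accounts, as described above, leaves a trace in the web server's access log that a site owner can check for. The following is an added example, not part of the original article: it assumes the Apache/Nginx "combined" log format, and the login paths, the status codes treated as failures, and the threshold are all assumptions to adjust for your own site.

```python
import re
from collections import Counter

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Example login paths (assumptions); replace with the ones your site uses.
LOGIN_PATHS = ("/admin/login", "/wp-login.php")
# Assumption: a failed login answers 401/403, or 200 when the form is
# shown again; a successful login redirects (302) and is not counted.
FAILED_STATUSES = {"200", "401", "403"}
THRESHOLD = 5  # assumed cut-off for "too many failures from one address"


def failed_logins_by_ip(lines):
    """Count failed POSTs to a login path per client IP address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if (m["method"] == "POST" and path in LOGIN_PATHS
                and m["status"] in FAILED_STATUSES):
            counts[m["ip"]] += 1
    return counts


def suspicious_ips(lines, threshold=THRESHOLD):
    """Return the addresses with at least `threshold` failed logins."""
    counts = failed_logins_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log (documentation-range addresses, not real traffic):
# one client failing six times, one user mistyping once, one normal visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:03:14:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"'
    for s in range(6)
] + [
    '198.51.100.20 - - [10/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:09:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}: repeated failed admin logins")
```

Addresses it reports are candidates for rate limiting or blocking, and a burst of failures followed by a success from the same address is a reason to reset that account's password.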
With the volume of attacks, it comes as no surprise that quite a few websites are infected—over 18 million at any given time, according to some analysts. Most of these infections are “filehacker” or “backdoor” malware that quietly makes its home in the website’s back-end system, scouring the environment for data to steal, enabling further attacks later on, or providing a host from which to carry out attacks on other sites and systems.
Protecting Your Website
The good news is that most small-business websites are easily protected from most types of attacks. They tend to be simpler, without built-in web applications or extensive integration with other databases or systems.
The bad news is that many websites, even simpler ones, are making use of content management systems (CMSs) and social media integration. A CMS is a network of content servers that are used to serve media content, such as video, audio, and graphics files, rather than having these files served from the website itself. CMSs have vulnerabilities of their own that add to a website’s risk. At the same time, greater reliance on social media gives hackers more avenues to try to exploit.
Protecting your website involves several basic steps, and more important, the discipline to follow them as a matter of policy. These include:
- Keep web server software and related systems up to date. The web hosting provider should take care of much or all of this task. If you don’t know if it’s being done or how often, ask your hosting provider’s technical support. It’s wise to call them anyway and find out what security they provide as part of the hosting service, and what security tasks are up to you.
- Don’t use the same administrative password for your website, your business social media accounts, and your CMS (if you use one).
- Have a plan for responding to a successful cyberattack—and know that different types of attacks may require different responses. A ransomware attack, for instance, requires a different response than a breach of sensitive customer or patient data.
- Implement two-factor authentication wherever possible for your administrative accounts. With smartphones, this is easier than ever, and it means that hackers can’t rely on passwords alone to get what they’re after.
Hackers are trying right now to attack your website, and will eventually succeed if you don’t make security a priority. Constant vigilance is the key; if you don’t have the time or expertise to do it yourself, find a reliable, reputable provider who can do it for you.