Just as the holiday shopping season neared, a toy company, Rokenbok Education, was navigating a nightmare situation: Its database files had been infected by malware.
Online criminals had encrypted company files, making them unusable, and were demanding a hefty ransom to unlock the data. Rokenbok, a California-based company that uses building blocks and even robotics to teach children how to think like engineers, lost thousands of dollars in sales in two days.
Rokenbok’s founder and executive director, Paul Eichen, was already struggling to adapt his seven-employee company to a fast-changing toy world. Even worse, the malware attack was not Rokenbok’s first. The company had been hit earlier with a denial-of-service attack that shut down the company’s website.
“I sweated that one,” Mr. Eichen said. “Customers’ first impressions are critical.”
Focusing on revenue over protection is far from unusual for small companies like Rokenbok. But it is an increasingly dangerous path, experts say. Limited security budgets, outdated security and lax employees can leave holes that are easily exploited by ever-more-sophisticated digital criminals.
The threat to small businesses is growing, some experts say. Sixty percent of all online attacks in 2014 targeted small and midsize businesses, according to Timothy C. Francis, enterprise leader of cyberinsurance at Travelers.
“Smaller companies are easier to hack,” said Clay Calvert, director of security at MetroStar Systems, a Virginia-based firm. “They don’t have the resources to set up protective barriers.” Big companies, which have the financial resources to upgrade their security, have become less vulnerable.
These days, businesses like Rokenbok are especially susceptible to a type of malware called ransomware, which holds data hostage in return for money. Data is slowly encrypted by criminals until the entire system is locked up. The process can take up to 42 days, Mr. Calvert said.