Most of the high-profile data breaches dominating the headlines these days involve iconic brands like Sony, Yahoo and LinkedIn.
Far more common, cybersecurity experts say, are the regular data breaches and risks faced by mom and pop operations and mid-sized businesses. It is precisely those under-the-radar businesses that are the most targeted.
More than 70 percent of cyberattacks occurred in businesses with fewer than 100 employees, according to a report from Verizon, and the fallout can be devastating.
"Hackers know those businesses don't invest as heavily or can't afford the cybersecurity offerings those large manufacturers offer because they are so expensive," according to Troy Wilkinson, CEO of Las Vegas-based Axiom Cyber Solutions.
"The big hardware manufacturing companies aren't trying to serve small- to medium-sized businesses, especially not at a low price point," Wilkinson said.
That’s why Wilkinson and his wife, Shannon Wilkinson, launched Axiom in 2015. The Las Vegas company is one of the few cybersecurity companies serving primarily small- to medium-sized businesses.
Wilkinson and Shannon Wilkinson, president of Axiom, both have extensive experience in cybersecurity: Troy previously worked for the U.S. State Department conducting cyber investigations in places like Kosovo and Serbia, and Shannon was the head of application development and support for the United Nations.
"We opened Axiom to try to solve the gap we saw in cybersecurity," Troy Wilkinson explained. "I started out in law enforcement. I love helping and protecting people, especially people who are the underdog."
According to the CEO, what unfolded at Equifax is like what happens at smaller organizations all the time: software updates were not applied, giving hackers a way into the business.
But how could companies that store valuable customer data fail to do something so simple as a software update, something most home computer users know to do regularly?
Because smaller companies cannot afford in-house cybersecurity monitoring, they leave it up to the IT department (often a department of one), which is often erroneously considered a catchall solution for any remotely computer-related problem, according to Shannon Wilkinson.
"It takes a specialized skill to stay on top of the latest threats and insecurities that businesses face," she said. "A lot of companies leave it up to their IT guy, but those people don't typically have skills for cybersecurity protection. Having your IT guy take on cybersecurity is like having your accountant audit their own books: They're never going to tell you that they're doing a bad job."
Small and medium-sized business owners often just don't know what cybersecurity is or how it's different from the IT person installing the Wi-Fi, according to Shannon Wilkinson. It turns out that properly configuring these systems is a totally different domain and set of skills.
"It only takes one vulnerability," she said.
Troy Wilkinson says that one issue they see frequently is ransomware, which covertly encrypts all the data on a computer or shared network and then demands a "ransom" payment in cryptocurrency, which is very difficult to track. As hackers have learned that the FBI can now easily follow bitcoin trails, they have moved on to more anonymous cryptocurrencies like Monero. And, sadly, the businesses often have no choice but to pay out.
"Ransomware encryptions are usually so good a business can't recover their files without the decryption keys from the hackers," the CEO said. "There have been a handful with flaws but with the majority of them, you either have to start from scratch without all of the data you've collected over time, or you get the keys."
He mentions the recent malware attack on the global shipping giant Maersk that forced the company to reinstall 45,000 desktop computers and cost the company upwards of $300 million. One of Axiom's own clients, the Horry County School District in South Carolina, opted to pay the $10,000 ransom after 23 servers were locked up by ransomware.
"We have four businesses that decided to pay the ransom and we assisted them with getting the Bitcoin to pay," he said. "It's not something we like to do because we know that money is going to the hackers, but when you're a small business you're stuck between a rock and a hard place."
The loss of such data can be catastrophic for businesses like hospitals and doctors' offices that store patients' personal information, as well as small retailers that store customers' contact and credit card information. These are the kinds of businesses that Axiom services.
"We are able to bring our prices down through the automation processes and software we've built," according to the CEO. "Businesses are paying thousands per month for these services, but we can do it starting at $99 per month. Otherwise, these businesses would have to assume the risk and go unprotected."
As much awareness as there now is around "phishing" schemes (those emails from official-sounding sources that sound an alarm over a person's account and require them to log in via the provided link), people still get taken by them all the time, and all it takes to infect a whole network is one person who clicks on the link, according to the Wilkinsons.
Stolen proprietary information and intellectual property is also a major concern, along with sensitive customer data. And it could all be prevented by taking such simple precautions as having up-to-date firewalls and antivirus software.
"Think about a hacker as someone trying to break into your house," Troy Wilkinson said. "If you put in a firewall and antivirus software and keep it all up-to-date, most of the time they're going to move on to an easier target. It's a numbers game for the hackers; they want to make money quickly and don't want to spend their time on something difficult."