Small businesses are under siege from cyberattacks

Stacey Vanek Smith Apr 8, 2024
Heard on:
HTML EMBED:
COPY
dikushin/Getty Images

Small businesses are under siege from cyberattacks

Stacey Vanek Smith Apr 8, 2024
Heard on:
dikushin/Getty Images
HTML EMBED:
COPY

Kaila Uli grew up near Los Angeles. Money was always tight in her family and a major source of stress. But Uli had a plan. When she was just 5 years old, she had a revelation about how she would never have to feel money stress.

“I learned that there were, like, 7 billion people on the planet and I remember thinking, ‘If I could get all those people to give me $1, my problem would be totally solved.’”

An entrepreneur was born. Five-year-old Uli started selling rocks and pine cones to the neighbors, and by her mid-20s, she was a bona fide entrepreneur. By then, Uli had graduated from pine cones to vintage sunglasses. She’d created an online store called Brillies, which sold sunglasses from the 1980s and 1990s. 

Uli was moving a lot of sunglasses. Four years in, Brillies was making more than $1 million in sales a year. It had been featured in Vogue, Harper’s Bazaar and Sports Illustrated. Movies and TV shows were contacting her, so were celebrity stylists. Uli loved every minute of it: She was passionate about vintage. She felt this spark when she would talk about it.

“When my sales hit six figures a month, I was like, ‘Oh my God, what a dream!’ And then … boop!” 

That boop happened in June 2021, when Uli woke up to something strange. “ There had been no sales overnight and I was like, ‘That is so weird.’” Normally Uli would wake up to hundreds of sales. She figured maybe it was just a slow day. She kept checking. But a few hours later, she still had no sales. “I was losing my mind trying to figure out what was going on,” she said. 

Then she checked her website and realized she was under cyberattack. Basically, an army of zombie computers, or bots, kept sending requests to Brillies, over and over again, in a “denial of service,” or DDoS, attack.

“In a DDoS attack, your site gets flooded with bot traffic, and it overwhelms your servers. So the reason my sales were gone was because I was knocked offline.” 

 Uli did have cyber-insurance. She contacted her provider, who told her for an attack like this, she basically needed to wait it out.

“The first day I was like, ‘This will be fine. This will all pass and I’ll just get back online,’” recalled Uli. “When it got around to like Week 2, I was like, ‘This is getting really scary.’”    

Uli checked her accounts, but no money had been stolen and her customer data was safe. Uli didn’t understand: What did the attackers want? Why her? Brillies was tiny. Uli had just three employees.

“Honestly, it could be anything,” said Chris Hojnowski, head of technology at Hiscox USA, which sells cyber-insurance. “If you’re a small company thinking like, ‘Hey, nobody’s going to notice me,’ that’s not really the case.”

Cyberattacks against businesses have been on the rise for years, and most of the companies that get targeted are not big, multinational corporations with armies of tech workers. Most are small. In fact, more than 40% of small businesses fell victim to a cyberattack last year. And a lot of those businesses don’t have a big IT team or a financial cushion to deal with an attack. 

Hojnowski said attacks like this happen for all kinds of reasons. Sometimes just money. Sometimes an attacker wants to use a smaller company to get to a larger company it does business with. Sometimes the attack comes from a rival business or an angry customer. And sometimes it’s just someone who wants to make chaos. 

One thing is for sure: These attacks are happening a lot. And while the big, public companies might be stealing all the headlines, “below the fold, smaller companies get attacked regularly and with higher frequency,” Hojnowski said. “That’s just because maybe the controls aren’t in place on these smaller companies that they have at larger places.” 

Brillies did not have an IT department, and although Uli was pretty tech-savvy, she felt very out of her depth and very alone as day after day, the attacks kept coming. 

“It felt relentless,” said Uli. “They just wouldn’t stop.”

Months went by with almost no sales, no money coming in. Uli tried recreating Brillies at another URL, but the attacks started up at that website, too.

“And then I was like, ‘I’m toast. I’m toast.’” 

Uli closed Brillies for good in early 2022. She never found out who attacked Brillies or why.  She was devastated. ”I was just like, ‘Man, what did I do to deserve this? Like I thought I’d made it. I thought this was gonna be my love-of-my-life business.’”  

Stories like Uli’s are playing out all over the world. One report out of the U.K. found that more than half of the country’s small businesses that were hit with a cyberattack didn’t survive. The reason: The costs of a cyberattack can be staggering. If a data breach happens, a small business can expect to pay, on average, about $3 million, according to a study from IBM. But the real cost is much higher. 

“It’s very hard to calculate the financial losses,” said Jamie MacColl, a research fellow at the Royal United Services Institute, a defense and security think tank.  In a recent report, MacColl and a team of researchers from the University of Kent examined the true cost of a cyberattack for businesses. They specifically focused on ransomware attacks. There was often the cost of the ransom, overtime for IT, sometimes legal fees. But other costs were less tangible.

“There’s your reputation being irreparably damaged,” MacColl said. “There’s the months of downtime from your business; the psychological impact on your staff, which may be less productive in the future. You might have people who leave.”

MacColl spoke with many small-business owners who brought in PTSD counselors after a cyberattack to work with staff, and a few small-business owners even confided to MacColl that they felt suicidal after the cyber attack. 

Kaila Uli said she mostly felt numb. She thought she was done starting businesses. After all those months of struggle, she didn’t think she would ever feel that entrepreneurial spark again. She dipped into her savings to take a little time to reassess. She did a little consulting.

And that is how she came across a struggling business that was looking for a buyer. It was priced to move and it was called Worldsugliestslippers.com. Uli was intrigued. “I had to laugh when I saw them. They’re like what a cartoon character would wear,” she said. “They are just the most silly shoe you’ve ever seen. It’s like big, old, puffy moon boot slippers.”

The second Uli saw the slippers, she felt that spark. “I was like, ‘I can do it. I can do it.’”

Uli used her savings to buy Worldsugliestslippers.com (which she quickly renamed PuffieSlippers.com). Uli was careful to build her business with cybersecurity in mind. Her site is locked down. And those puffy slippers are selling. 

“So the first month was $7,000 in sales, and then it just has kind of compounded every month since then. It’s looking really good.”  

After all, there are now 8 billion people on the planet. That’s, like, 16 billion slippers. 

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.