NEW YORK -- Randell Heath isn't sure how hackers got into his company's website -- all he knows is a supplier called, saying the site had become an online store selling Viagra and Cialis.
The problem might have been at the company that hosts the site. It might have been that Heath's passwords weren't strong enough. But the invasion taught Heath a lesson that computer experts say many small business owners still need: Keeping your company's computers and online sites safe isn't a one-time operation, but requires continual vigilance as new kinds of attacks emerge.
"I'm planning on attending a 'Cybersecurity for Small Business' briefing," says Heath, president of Coldsweep, a Mountain Green, Utah-based company that uses dry ice to clean surfaces.
The chances of a small business being invaded, of having computers, smartphones, tablets and even bank accounts hacked because of poor cybersecurity, are rapidly growing. And some of the very things small businesses are encouraged to do to make themselves more visible, like having blogs, can also make them vulnerable.
Symantec, a maker of computer security software, analyzed threats and cyberattacks that its network encountered and found that 43 percent of all cyberattacks in 2015 targeted small businesses.
Just from 2014 to 2015, Symantec saw a 36 percent increase in new malware, and a nearly 80 percent increase in new variations of the malware targeting Android users. The company also counted one instance of malware in every 220 emails, a bigger risk than one in 244 in 2014. And even after all the warnings, a primary culprit was attachments or links that employees click on, allowing hackers to damage or delete files, track a user's actions or steal data like passwords.
Invasions that render a computer's files unusable unless the user pays a ransom have also surged. Cybercriminals who use this method are aggressive -- one variation of ransomware attacked an estimated 100,000 computers a day within weeks of its release last year, according to the FBI.
The costs of an invasion can be steep. Heath estimates he lost $10,000 in business because the site was down. He didn't have to pay to have the website rebuilt, because his business was part of an incubator where tech help was available for free. But recreating a website could run a business well into the thousands of dollars.
Many owners believe they don't have the resources -- human or financial -- to keep their companies safe, a task that requires keeping up with frequent security updates for software and equipment.
"The CEO is also the marketing person and also the (information technology) person. They simply don't have the wherewithal to manage computing platforms day to day," says Tom Desot, chief information officer at Digital Defense Inc., which helps companies protect against cyberattacks.
Desot estimates that a company with 30 to 50 employees might have to spend upward of $50,000 initially to give all its equipment the best possible protection, which includes sophisticated software and firewalls to keep intruders out, and then thousands each year to keep their security up to date. Smaller companies would have a much lower expense, but many owners still shy away from a cost that can seem prohibitive.
One solution small businesses use is to hire a company that monitors computer systems and/or websites and makes sure they stay up to date. The cost for many small enterprises can be several hundred dollars a month.
But computers can still be vulnerable. Owners often don't take the simplest precautions, such as making sure the passwords they and their employees use are hard to find or guess for thieves using computers called bots that search for vulnerabilities, says Rick Hogan, CEO of Bleevit Interactive, a website design company based in Reston, Virginia.
But many problems have solutions. Owners can start by looking for the same kind of briefing Heath sought out. Setting up a virtual private network, or VPN, can make it safe to conduct your business over public Wi-Fi, suggests Aaron Hanson, a product marketing executive with Symantec.
Businesses can also back up their data with a security company that could restore most if not all of their files in the event of a ransomware or other attack.