According to a new report by Hewlett Packard and the Ponemon Institute of Cyber Crime, hacking attacks cost the average American firm $15.4 million annually, twice the global average of $7.7 million. Too many small businesses assume their companies are too small to be attacked, too small for hackers to bother with. That’s not only wrong; that kind of thinking could be catastrophic for your small business. Just one cybercrime could be the end of your company, and that threat is all too real: according to a 2015 Endurance International Group survey, 31 percent of small businesses have experienced a cyberattack or an attempted cyberattack.

Bitdefender shares its insight and expertise on how small businesses can better protect themselves from cybercrime.

Q: Many startup entrepreneurs think their new companies are too small to be targeted by cybercrime. Is that true?

Bitdefender: Cyber-criminal groups focused on financial gains do not differentiate between targets. Many times, they rely on a “shotgun approach” in which they blindly direct malware at all potential victims, regardless of size and status. For these groups, every infected computer can be monetized.

Q: Are some industries more vulnerable to cyberattack than others?

Bitdefender: State-sponsored cyber-actors are focused on specific services (healthcare, energy, government organizations and so on), but commercial-grade cyber-criminals do not differentiate between these targets.

Q: Why does a startup need to be concerned about cybersecurity?

Bitdefender: Since it is just starting on its path to success, a startup needs to leverage all its efforts into bringing a product or service to market. A security incident would have an enormous impact on the company’s credibility—a database of leaked customers would deal a huge blow to the company before it even manages to achieve relative success. Startups have limited funding and IT resources to buy their way out of a cyber-attack, so prevention is key until the company builds a reputation.

Q: Do ecommerce startups have more to be worried about?

Bitdefender: The main two concerns for an ecommerce startup would be customer information and service availability. The company needs to make sure that customer data (especially payment info) does not leak out and that the website does not get knocked offline by DDoS attacks during peak activity periods, when most of the revenue is registered.

Q: Startups are generally price-sensitive. How can they get the security they need without breaking the bank?

Bitdefender: Most security and cloud companies offer discounted products to support startups. Some have a pay-as-you-grow policy that lets you get all the security your startup needs to date and add additional packets as your business expands. This offering is complemented by professional IT services that would offload your IT department and let them focus on developing the product.

Q: Many startups have staff or contractors who use their own computer devices (BYOD). How can you protect your business from that?

Bitdefender: BYOD should not be a problem in most cases, but the IT department should have a policy on what is permitted and what is not when the BYOD devices are storing company and customer data.

Q: What about mobile devices? Does using them make a startup more vulnerable to cybercrime?

Bitdefender: Mobile devices can easily be lost or stolen along with all the information stored on them. All mobile devices should have a security solution installed that would allow their owner to remotely locate and wipe the device when it is found missing. Lock screen policies should also be enforced.

Q: Startups can’t generally afford IT staff (or even one employee). Where do they get help?

Bitdefender: Startups can outsource IT services (especially security) on a monthly basis.

Q: When it comes to cybersecurity, can you start small and scale up as your business grows?

Bitdefender: Your business should be built around security. You can start small and then scale up as you’re expanding the number of computers on your premises. However, it is mandatory that you also secure the other parts of your IT infrastructure (gateways, virtual servers and so on).