Beyond Home Depot: Cyberthieves target smaller companies

Data breaches at big retailers including Home Depot and Target may be grabbing attention, but mom-and-pop businesses shouldn't feel like they're in the clear. Hackers also have their eye on smaller businesses, according to experts.

The latest business to be hit by a breach is Jimmy John's. The Champagne, Illinois-based sandwich chain on Wednesday said it has learned of a possible security incident involving consumers' credit and debit card data, which was compromised after an intruder stole log-in credentials from the company's point-of-sale vendor. That information was then used to remotely access point-of-sale systems at approximately 216 locations between June 16, 2014 and Sept. 5, 2014.

Smaller merchants, meanwhile, also have been the target of cyberthieves. In 2013, targeted attacks aimed at small businesses with up to 250 employees accounted for 30 percent of all hack attacks, compared with 18 percent in 2011, according to data from Symantec, a tech security company.

Read More'Potpreneur' pipe dream? Better think twice

And data breaches can be costly, especially for smaller employers. In 2014, companies on average paid $145 for each lost or stolen record containing sensitive and confidential information, according to the Ponemon Institute's 2014 Cost of Data Breach Study. The institute focuses on research related to privacy, data protection and information security policy.

Whether you're a big-box retailer or smaller merchant, payment data is gold to cybercriminals, says Rob Sadowski, director of technology solutions for cybersecurity firm RSA. And because protection is often lacking among smaller companies, they can be an easy target among hackers.

"Criminals know that small businesses are less likely to be protected with a large security staff that has made a big investment insecurity," Sadowski says. "If a business is handling payment card data—that is the most valuable commodity in the criminal underground."

Read MoreAs Alibaba soars in debut, Jack Ma acknowledges the little guy

And cybercriminals use tried and true methods to lure potential victims.

Anup Ghosh, founder and chief executive of Invincea, a security software company, said nearly all of the time responders deal with a security incident and clean up the mess, the threat often originated through an email or web browsing. "This isn't anything new—we are seeing 'malvertising' or serving up malicious ads, and cybercrime gangs are paying for those ads to serve up malicious content," Ghosh says. "It's spear-phishing on a browser."

And the damage can spread from there. If a computer is hit with malicious software advertising, the machine will be compromised, making it easier for hackers to drop malicious code onto corporate accounts.