Parsing Cyber Risks: Large Enterprises vs. SMBs

While all businesses need strong email security, the risks they face often vary depending on their circumstances. One of the most important ways this plays out has to do with the size of their organizations and their corresponding cybersecurity strategies

Cyberattacks at very large companies can affect hundreds of thousands or even millions of users, so they are the ones the media tends to spotlight. But in reality, at least half of all security breaches occur at small and midsize businesses (SMBs),[1] with some reports saying that smaller organizations with fewer than 500 employees endure three times as many attacks as larger ones with 10,000 employees or more.[2]

A key reason for this is that while many SMBs take cybersecurity seriously, they don’t always have the resources required for a robust defense. They may also believe that attackers are more likely to go after bigger fish. But often the opposite it true: Because large enterprises have more resources and can generally afford larger cybersecurity budgets and staff, they can be a tougher nut to crack for many cybercriminals, who prefer to go after low-hanging fruit.

Cyber Risks for David vs. Goliath

At the other end of the field, larger companies face certain risks that are less prevalent at smaller businesses. For instance, their supply chains are typically much more complex, with many more links in the chain. Consider a company like Walmart, for example, and the thousands of suppliers it deals with. Each of them represents a potential weak link in the company’s cybersecurity defenses.

Another example: Large enterprises often have sprawling operations and many more employees than their smaller brethren. This makes it much harder to identify and pinpoint any attack and also heightens the risk of internal threats, such as those posed by disgruntled employees.

Mimecast’s recently completed report on The State of Email Security 2023 (SOES 23) brings all of this into sharp relief. The report, which surveyed 1,700 companies in in 13 countries, includes interviews with information technology and cybersecurity professionals from 255 smaller businesses, with 250 to 500 employees, at one end of the spectrum (15% of the total), and 153 large enterprises with over 10,000 employees at the other (9% of the total).

Among the key differences:

• During the past 12 months, virtually all of this year’s SOES respondents (97%) were the target of a phishing attack, with the majority (59%) experiencing more attacks than in prior years. But among large enterprises with more than 10,000 employees, this is even more widespread, with fully 73% reporting a significant rise in phishing attempts.
• Two-thirds of this year’s SOES respondents also reported falling victim to ransomware, but in this case, smaller businesses were affected more severely. While 70% acknowledged that a ransomware attack had harmed their business, fewer than half of the large enterprises surveyed (46%) were similarly hurt.
• Although the large majority of SOES respondents said they are at least minimally prepared to deal with an attack that spoofs their email domain, only 29% of smaller companies said they are fully prepared to cope with a spoofing threat, compared with 35% for larger companies. Ditto for contending with a fraudulent website that mimics their own (28% vs. 33%), even though smaller companies are just as likely as larger businesses to be attacked in this way.
• Respondents both large and small said they are making extensive use of collaboration tools and see them as vital to their businesses. But smaller businesses are more likely to feel inadequately protected from the risks posed by these tools than their larger counterparts (60% vs. 51%), even though the latter is seeing the greatest increases in collaboration tool-based attacks (42% vs. 36%).
• Unsurprisingly, bigger companies are far more likely than SMBs to have defensive technology in place. For instance, almost 63% of large enterprises have systems to monitor and protect against data leaks and exfiltration in outbound email, compared with only 36% of smaller firms.
• Likewise, smaller companies are lagging larger ones when it comes to using artificial intelligence (AI) and machine learning (ML) for cybersecurity. While 43% of SMB respondents have incorporated some type of AI or ML into their cybersecurity programs, 52% of large enterprises have done the same.
• Conversely, smaller businesses are more likely to depend on cyber insurance than larger ones. Practically half (49%) see such policies as a “comprehensive safety net” for their cyber risks, compared with only 37% of large enterprises.

The Bottom Line

Businesses both large and small face daunting cybersecurity challenges — but their challenges are not identical. SMBs may struggle to marshal sufficient resources to defend themselves and end up targeted more frequently by cybercriminals as a result; enterprises may have to contend with more complex and elusive threats. While both need strong cyber preparedness, their plans should be tailored to their respective needs.

For more on how companies of all sizes are contending with today’s heightened cyber risks, download the complete State of Email Security 2023 report.

[1] “Cyberattacks and Your Small Business,” Business News Daily

[2] “Small Businesses Are More Frequent Targets of Cyberattacks Than Larger Companies,” Forbes