Email Security

    Small and Mid-Sized Businesses Face Greater Cyber Risk

    Cyber threats are up and cybersecurity spending is down for many small and mid-sized companies, compounding their vulnerabilities. Integrated cloud security can help.

    by Kiri Addison

    Key Points

    • Cybercriminals are increasingly targeting small and mid-sized businesses (SMBs).
    • Increased adoption of cloud solutions by SMBs can make it easier for bad actors to reel in these smaller fish at scale.
    • Some SMBs are also slashing their cybersecurity budgets, increasing their vulnerability.
    • Cybersecurity solutions designed to integrate with popular cloud software can help.


    Small and mid-sized businesses (SMBs) find themselves between the proverbial rock and a hard place when it comes to cybersecurity. On the one hand, cybercriminals are turning their attention to smaller firms as larger, higher-value corporate targets have improved their cyber defenses. On the other hand, many SMBs are under pressure to rein in technology spending, leading to cuts or limits to their cybersecurity budgets. 

    Mounting Threats to SMB Resources 

    The net result is a dramatic increase in cyber risk for companies at the smaller end of the spectrum. The most recent Cyber Readiness Report from insurance provider Hiscox warned that “companies with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1 million to $9 million annually.”[1] 

    The mounting threats to SMBs come with serious financial implications. The average cost of a data breach for a company with fewer than 500 employees was estimated at $2.98 million, according to IBM’s annual Cost of a Data Breach report from 2021 (the last year the report broke out costs by employee size).[2] Yet some small business owners mistakenly believe they can fly under the radar. A 2022 survey of businesses with 500 employees or fewer found that just 42% said they have some cybersecurity measures in place.[3] Of those with no cyber defenses, 59% said they believed they were too small to be targeted.

    Meanwhile, SMBs have increased their adoption of cloud-based solutions for capabilities like email and collaboration, which can deliver significant cost and efficiency benefits and provide some built-in security. But the massive uptake of cloud software also offers efficiencies for cyber adversaries, who can focus their exploits on more centralized infrastructure and on common vulnerabilities of widely adopted email services, for example.

    Cybersecurity has “become more and more complex for all organizations, but it’s the smaller ones and the medium-sized ones that are, especially in today’s economic environment, under pressure from a resource perspective,” Mimecast CEO Peter Bauer recently explained in an interview with Information Security Media Group (ISMG) at the 2023 RSA conference. However, there are some new integrated security options that can help small and mid-sized business leaders better secure their environments.

    SMBs Emerge as Soft Targets

    The Hiscox Cyber Readiness Report paints a dire picture for SMBs: while attacks against larger companies fell slightly in 2021, they increased for all others as “hackers have directed more of their attention to mid- and small-sized businesses.” According to the report, businesses of 250-to-999 employees averaged 69 attacks, up from 45 in 2020; companies with 10-to-49 employees averaged 56, up from 31; and those with fewer than 10 employees saw attacks increase nearly fourfold, from 11 to 40.[4]

    FBI Supervisory Special Agent Michael Sohn explained the phenomenon during CNBC’s Small Business Playbook virtual event in December 2022: “The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture. So, what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses.”[5] Sohn noted that the majority of victims filing complaints with the FBI’s Internet Crime Complaint Center (IC3) were small businesses.

    That’s reflected in Mimecast’s The State of Email Security 2023 (SOES) report. Seven in 10 smaller businesses (those with 250-500 employees) said a ransomware attack had harmed their business, compared to 46% of large enterprises (those with 10,000 or more employees) surveyed.

    SMB Spending: More Cloud, Less Cybersecurity

    The move to remote working has prompted many smaller businesses to adopt cloud solutions for the first time. That’s made it more cost efficient for cybercriminals to go after these smaller fish. They can exploit vulnerabilities in cloud applications or attack the cloud providers themselves.

    But even as SMBs have increased their investment in cloud solutions, some have pulled back on cybersecurity investments. Enterprises with 1,000 or more employees poured more money in cybersecurity — 65% more, according to the Hiscox report. Companies with between 250 and 999 employees doubled their cybersecurity budgets. However, companies with between 10 and 49 employees actually cut their cyber spending in half from an average of $411,000 to $225,000. And those businesses with fewer than 10 employees stripped their cyber coffers nearly bare, with spending falling from $150,000 to $29,000.[6]

    It's not surprising, then, that this year’s SOES report found that respondents from smaller companies lagged their counterparts in larger enterprises in putting adequate defensive technologies in place. For example, just 36% of respondents in smaller companies said they have systems to monitor and protect against data leaks and exfiltration in their outbound email, compared with 63% of respondents working in bigger companies.

    Complex Problems, Integrated Solutions

    Managing cyber risk is a complex challenge for any organization, no matter the size. The threat is multifaceted, as companies must contend with a range of threats including phishing, ransomware, credential harvesting, insider threats, and more. Effective protections, likewise, must be layered. That can be a particular challenge for smaller firms that lack the cyber resources and expertise of their larger counterparts. 

    Since 90% of cyberattacks start with email, email security is a good place to start. But there’s a new reality facing SMBs that in the past may have hosted their email on-premises and invested in a secure email gateway. Now that they’ve implemented a cloud email solution, there may be less clarity about how best to secure it (or whether the security built into the solution is enough). “It’s not just your grandad’s email filtering anymore,” said Mimecast’s Bauer during the interview with ISMG. “It’s a multifaceted set of activities that can be quite confounding for your average SMB.”

    One investment that can help SMBs in particular is a gateway-less email solution designed to integrate nearly instantly into a company’s cloud email environment. These relatively new offerings can provide the same robust security stack built into on-premises email gateways — but designed for the cloud. Indeed, many of the earliest adopters of gateway-less email protection are SMBs looking to bolster the security capabilities built into their email solutions without adding resources or complexity. Gateway-less email protection can offer out-of-the-box capabilities like pre-configured settings, one-click remediation, and user-friendly threat dashboards.

    The Bottom Line

    Cybercriminals are increasing their focus on SMBs as the adoption of common cloud solutions for email and collaboration tools offers them an easy way in. New gateway-less offerings like Mimecast’s Email Security, Cloud Integrated solution, which currently secures the Microsoft 365 environment, can empower SMBs to address their specific security challenges such as increasingly sophisticated email-borne attacks, an expanded cloud attack surface, and limited resources.


    [1] “The Hiscox Cyber Readiness Report 2022,” Hiscox

    [2] “Cost of a Data Breach Report 2021,” IBM

    [3] “51% of small business admit to leaving customer data unsecure,”

    [4] “The Hiscox Cyber Readiness Report 2022,” Hiscox

    [5] “The FBI is worried about a wave of cyber crime against America’s small businesses,” CNBC

    [6] “The Hiscox Cyber Readiness Report 2022,” Hiscox

