
    Why SMBs Are Under-Prepared for Cyberattacks

    Smaller companies are not as well prepared for cyberattacks as bigger enterprises, in part due to budget limitations. Cloud-based security tools and awareness training can help.

    by Randi Gollin

    Key Points

    • Small and mid-sized businesses (SMBs) are targeted in 43% of cyberattacks, but they are less prepared than larger companies to defend themselves.
    • Data breaches can be devastating for smaller businesses. In one survey, a quarter of small businesses that suffered a breach subsequently filed for bankruptcy.
    • One challenge facing SMBs is that they lack the resources to build the same kind of extensive cybersecurity programs that exist at bigger companies.
    • Cloud-based security tools and awareness training can help smaller companies build cyber resilience on a limited budget.

    Ransomware attacks, credential theft, corporate espionage, and data breaches are threats to companies of all sizes. But they can be particularly challenging for small and mid-sized businesses (SMBs). While corporate giants have the budgets to build extensive cybersecurity programs that help build cyber resilience, smaller organizations are more constrained. Without the internal resources to run big-company cybersecurity programs, how can SMBs mitigate cyber risks?

    Big Cyber Risks for Smaller Companies

    Leviathans such as eBay, Target, and Yahoo! have all hit the headlines in recent years due to security breaches. In early 2019, for example, eBay was a target for cyberattacks that enabled hackers to access the information of around 233 million customers.[1]

    Such banner news stories may be one reason big corporations seem to be the most at risk—after all, they can meet cybercriminals’ demands for a huge ransomware payout or provide a motherlode of personal data.

    But it turns out that smaller companies are frequently targeted in cyberattacks—and they often suffer greater impact than bigger enterprises.[2] One study found that 43% of cyberattacks target SMBs.[3] In a 2019 survey by the National Cyber Security Alliance (NCSA), 28% of small companies said they had suffered a data breach in the last 12 months. Those breaches often have devastating effects: a quarter of the companies that experienced a breach subsequently filed for bankruptcy, and 10% went out of business altogether.[4]

    Unfortunately, small and medium-sized businesses are much less prepared than larger companies to prevent and respond to those cyber risks. A Wall Street Journal survey found that fewer than two thirds of companies with under $50 million in revenue have a cybersecurity program in place, compared to 81% of companies with more than $1 billion in revenue.[5] Perhaps even more concerning, 15% of smaller companies have no plans to assemble a cybersecurity program in the future. Companies with revenues under $50 million also are much more likely to feel under-prepared for specific cyber threats such as ransomware, other malware, and credential theft. Compared to larger enterprises, about three times as many SMBs feel that ransomware threats are high risk.[6]

    If SMBs survive a successful cyberattack, they can face significant remediation costs. In the aftermath of a cyberattack, small companies may spend an average of $690,00 on cleanup costs, and medium-sized companies over $1 million, according to one estimate.[7]

    Vulnerable Supply Chains Can Wreak Havoc

    Because SMBs are often part of complex supply chains serving much larger companies, an additional concern is the threat of cyberattacks on third parties—and the risk that a breach of an SMB’s systems can be used to target a bigger company. According to the Wall Street Journal survey, smaller companies are roughly twice as likely as larger companies to feel under-prepared for risks due to attacks on their third parties and supply chain.

    Malicious actors, on the lookout for the simplest path into an organization’s systems and data, typically penetrate the weaker links in the supply chain—which often are SMBs—as a step toward reaching farther up the chain. Some high-profile breaches, like those at Home Depot and Target, were traced to attacks on their supply chains.[8] These breaches can compromise data and expose confidential business plans, personal information, and email contacts. The impact can linger for years.[9]

    The Challenge of Building Cyber Resilience

    A host of factors can make smaller businesses more vulnerable to cyberattacks. SMBs may have fewer IT staff, or even no dedicated IT staff. With smaller budgets than larger companies, they may have much less sophisticated computer and network security and backup procedures, and lack an overall security roadmap. Employees may lack security awareness, making them less likely to be able to detect social engineering attacks and email phishing scams. Those scams include impersonation attacks in which attackers send official-seeming email messages that entice victims to reveal sensitive financial and personal data.[10]

    A Plan of Action for SMBs

    Still, there are ways that smaller companies without deep pockets can step up their security preparedness. One key strategy is to embrace cloud-based security products for email security, malware protection, backup, and other protections. By doing so, companies can avoid capital outlay on specialized hardware and software, and the need to dedicate physical space for hardware. Cloud security products may also reduce the IT administrative effort required. It may also be easier to support remote working and ensure that data is always backed up.[11]

    While there is no one-size-fits-all panacea, there are other ways that smaller companies can manage security on a tight budget, including:

    • Online, interactive security awareness training for employees can significantly reduce risk. Most security breaches involve human error.
    • Educate employees about cyber risks while traveling, and where possible remove sensitive data from devices before a business trip. Fold mobile device security into your plans.
    • Conduct oversight of third-party connections to assess the threats from your supply chain and other business partners.
    • Hire an external consultant to help assess and uncover risks and vulnerabilities, including testing systems that allow external access, like websites and cloud drives.
    • Draw up a response plan so your staff knows how to handle cyber threats.
    • Set up cybersecurity policies including best practices, from using unique passwords and reporting suspicious emails to implementing two-factor authentication.
    • Update software promptly to combat online threats.
    • Make sure remote workers are protected by a firewall.

    The Bottom Line

    Businesses are exposed to a wide range of cyber risks, from data theft to ransomware attacks. The threats are particularly dangerous for smaller companies, which lack the deep pockets needed to build resource-intensive cybersecurity programs. But there are ways that smaller businesses can build cyber resilience on a tight budget, including applying cloud-based security tools and security awareness training.

    [1] “10 Companies Affected by Cyber Attacks,” Villanova University

    [2] “Small and Mid-Size Businesses Need to Focus on Cybersecurity,” Security Magazine

    [3] “43% of Cyber Attacks Still Target Small Business while Ransomware Stays On the Rise,” Small Business Trends

    [4] “Small Business Cybercriminal Target Survey Data,” National Cybersecurity Alliance

    [5] “Which Industries aren’t Ready for a Cyberattack?” Wall Street Journal

    [6] “Which Industries aren’t Ready for a Cyberattack?” Wall Street Journal

    [7] “Small and Mid-Size Businesses Need to Focus on Cybersecurity,” Security Magazine

    [8] “Blockchain is Vastly Overrated; Supply Chain Cybersecurity is Vastly Underrated,” SupplyChain24/7

    [9] “What is a supply chain attack? Why you should be wary of third-party providers,” CSO

    [10] “What small businesses need to know about cybersecurity,” Microsoft 365

    [11] “Cloud Computing and its Benefits for Small Businesses,” Cleverism
