Light Dark
January 13, 2023 By Doug Bonderud 4 min read
Risk Management

Cyberattacks represent a serious problem for small to medium-sized businesses (SMBs).

Consider that in 2019, 43% of attackers went after small businesses, and in 2021, 60% of SMBs said they were victimized by a cyberattack.

Even more worrisome? For small and midsize businesses, cyberattack impacts go beyond downtime, lost data and reduced consumer trust. According to the U.S. Securities and Exchange Commission, up to 60% of SMBs are forced to close within six months of a cyberattack.

But it’s not all bad news. While security threats remain a key concern for SMBs, greater awareness of potential problems has set the stage for a more effective response.

In this piece, we’ll consider what makes SMBs such tempting targets, tackle what’s changed for these companies and explore how giving security a seat at the table can reduce total risk.

Small businesses, tempting targets

Large enterprises often seem like the more logical target for attackers, given the potential payout and the complexity of their IT stack. However, SMBs have actually become top-priority targets for attackers.

Three factors play a role in the habit of threat actors going after SMBs.

1. Reduced awareness and protection

Many small businesses can’t afford large, in-house IT teams. In some cases, they may have a team of one or two staff handling all tech concerns for the entire organization, or they may contract out this work to a third party. In other instances, non-tech staff may share the burden of trying to keep security on track.

The result is an ideal environment for attackers. Not only are many SMBs missing core security solutions such as security information and event management (SIEM) frameworks, but they may also be missing intrusion detection and next-generation firewall (NGFW) tools. And in some cases, SMBs haven’t even taken the steps to implement simple security measures such as two-factor authentication, which could help frustrate common threats.

2. High value-to-effort ratio

SMBs are also tempting targets thanks to a high value-to-effort ratio. For attackers, this means that the low bar of security compromise requires minimal effort. But if they can access critical data, the payoff could be substantial.

Consider an attacker who successfully phishes an SMB owner. Armed with legitimate credentials, they could access business networks to steal intellectual property and financial data, or encrypt critical operational data using ransomware.

Even if the ransomware payout isn’t much — tens of thousands compared to possible millions in the case of enterprises — the bar is so low that the effort is worth the earnings.

3. Lower chance of repercussions

Finally, attackers are less likely to get caught while attempting to breach SMB networks. Owing to the lack of security tools in place, the time between intrusion and detection is substantial. This may even allow adversaries to slip in and out unnoticed. The lack of existing defenses also increases the risk of attackers deploying advanced persistent threats (APTs) to monitor user behavior and select their ideal strike point.

What are SMBs doing differently?

So what’s different? What are SMB owners doing now that they weren’t doing last year or the year before?

Put simply, they’re paying attention. As noted by recent survey data, 67% of SMBs are more worried about IT security than last year. And this isn’t just an academic concern; these businesses are spending more to reduce their security risk. Consider that in 2021, just 32% of SMBs were investing the recommended 6-15% of their IT budget into cybersecurity. One year later, 68% of companies align with these recommendations. 46% plan to keep their spending the same over the following year, and 48% plan to increase their spending.

The result is an SMB market that sees the impact of cybersecurity threats both at scale and closer to home. This market is finally taking its security seriously by investing time and effort into key controls and skilled personnel.

In other words, they’ve taken the first step to solving the security problem: acknowledging there is one.

Giving security a seat at the table

Effective SMB security is all about table stakes.

In practice, this means identifying and implementing basic security tools and controls that help keep attackers at bay, coupled with an increased operational awareness of business vulnerabilities.

It’s certainly worthwhile for SMBs to consider more advanced threat detection and intelligence solutions. However, adopting basic cybersecurity hygiene practices is often enough to frustrate attacker efforts. Here’s why: Threat actors are all about low-hanging fruit. Consider the rise of Ransomware-as-a-Service (RaaS), which sees skilled attackers creating and then selling malware packages to less-skilled users.

These packages are ideal for compromising poorly protected SMB networks since they require minimal configuration and monitoring. But if businesses implement table stakes security tools that let them detect common threat vectors, the path to network compromise becomes more complicated. This, in turn, helps SMBs avoid simple attacks.

When it comes to more complicated threats, meanwhile, the use of intrusion detection tools coupled with regular assessments of security posture and examination of security data can help companies act before it’s too late. For example, by partnering with a leading managed security services provider — such as IBM — SMBs can detect the telltale signs of attacks on their networks and take action to reduce the impact. In addition, they can pinpoint common threat vectors and deploy targeted solutions to address the risk.

SMB security: Going up!

By seeing security as essential for both short-term survival and long-term business, SMBs have reached a tactical tipping point. This increased awareness has led to a commensurate boost in security budgets, putting small businesses in a better position to detect, identify and frustrate attacker efforts.

While this isn’t a magic bullet — attacks will still get through and data is still at risk — the upward trajectory of table-stakes spending suggests that SMB cybersecurity may (finally) be changing for the better.

 |  |  |  |  | 
Doug Bonderud
Writer

More from Risk Management
November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

November 12, 2024

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature