Light Dark
January 13, 2023 By Doug Bonderud 4 min read
Risk Management

Cyberattacks represent a serious problem for small to medium-sized businesses (SMBs).

Consider that in 2019, 43% of attackers went after small businesses, and in 2021, 60% of SMBs said they were victimized by a cyberattack.

Even more worrisome? For small and midsize businesses, cyberattack impacts go beyond downtime, lost data and reduced consumer trust. According to the U.S. Securities and Exchange Commission, up to 60% of SMBs are forced to close within six months of a cyberattack.

But it’s not all bad news. While security threats remain a key concern for SMBs, greater awareness of potential problems has set the stage for a more effective response.

In this piece, we’ll consider what makes SMBs such tempting targets, tackle what’s changed for these companies and explore how giving security a seat at the table can reduce total risk.

Small businesses, tempting targets

Large enterprises often seem like the more logical target for attackers, given the potential payout and the complexity of their IT stack. However, SMBs have actually become top-priority targets for attackers.

Three factors play a role in the habit of threat actors going after SMBs.

1. Reduced awareness and protection

Many small businesses can’t afford large, in-house IT teams. In some cases, they may have a team of one or two staff handling all tech concerns for the entire organization, or they may contract out this work to a third party. In other instances, non-tech staff may share the burden of trying to keep security on track.

The result is an ideal environment for attackers. Not only are many SMBs missing core security solutions such as security information and event management (SIEM) frameworks, but they may also be missing intrusion detection and next-generation firewall (NGFW) tools. And in some cases, SMBs haven’t even taken the steps to implement simple security measures such as two-factor authentication, which could help frustrate common threats.

2. High value-to-effort ratio

SMBs are also tempting targets thanks to a high value-to-effort ratio. For attackers, this means that the low bar of security compromise requires minimal effort. But if they can access critical data, the payoff could be substantial.

Consider an attacker who successfully phishes an SMB owner. Armed with legitimate credentials, they could access business networks to steal intellectual property and financial data, or encrypt critical operational data using ransomware.

Even if the ransomware payout isn’t much — tens of thousands compared to possible millions in the case of enterprises — the bar is so low that the effort is worth the earnings.

3. Lower chance of repercussions

Finally, attackers are less likely to get caught while attempting to breach SMB networks. Owing to the lack of security tools in place, the time between intrusion and detection is substantial. This may even allow adversaries to slip in and out unnoticed. The lack of existing defenses also increases the risk of attackers deploying advanced persistent threats (APTs) to monitor user behavior and select their ideal strike point.

What are SMBs doing differently?

So what’s different? What are SMB owners doing now that they weren’t doing last year or the year before?

Put simply, they’re paying attention. As noted by recent survey data, 67% of SMBs are more worried about IT security than last year. And this isn’t just an academic concern; these businesses are spending more to reduce their security risk. Consider that in 2021, just 32% of SMBs were investing the recommended 6-15% of their IT budget into cybersecurity. One year later, 68% of companies align with these recommendations. 46% plan to keep their spending the same over the following year, and 48% plan to increase their spending.

The result is an SMB market that sees the impact of cybersecurity threats both at scale and closer to home. This market is finally taking its security seriously by investing time and effort into key controls and skilled personnel.

In other words, they’ve taken the first step to solving the security problem: acknowledging there is one.

Giving security a seat at the table

Effective SMB security is all about table stakes.

In practice, this means identifying and implementing basic security tools and controls that help keep attackers at bay, coupled with an increased operational awareness of business vulnerabilities.

It’s certainly worthwhile for SMBs to consider more advanced threat detection and intelligence solutions. However, adopting basic cybersecurity hygiene practices is often enough to frustrate attacker efforts. Here’s why: Threat actors are all about low-hanging fruit. Consider the rise of Ransomware-as-a-Service (RaaS), which sees skilled attackers creating and then selling malware packages to less-skilled users.

These packages are ideal for compromising poorly protected SMB networks since they require minimal configuration and monitoring. But if businesses implement table stakes security tools that let them detect common threat vectors, the path to network compromise becomes more complicated. This, in turn, helps SMBs avoid simple attacks.

When it comes to more complicated threats, meanwhile, the use of intrusion detection tools coupled with regular assessments of security posture and examination of security data can help companies act before it’s too late. For example, by partnering with a leading managed security services provider — such as IBM — SMBs can detect the telltale signs of attacks on their networks and take action to reduce the impact. In addition, they can pinpoint common threat vectors and deploy targeted solutions to address the risk.

SMB security: Going up!

By seeing security as essential for both short-term survival and long-term business, SMBs have reached a tactical tipping point. This increased awareness has led to a commensurate boost in security budgets, putting small businesses in a better position to detect, identify and frustrate attacker efforts.

While this isn’t a magic bullet — attacks will still get through and data is still at risk — the upward trajectory of table-stakes spending suggests that SMB cybersecurity may (finally) be changing for the better.

 |  |  |  |  | 
Doug Bonderud
Writer

More from Risk Management
April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature