January 13, 2023 By Doug Bonderud

Cyberattacks represent a serious problem for small to medium-sized businesses (SMBs).

Consider that in 2019, 43% of attackers went after small businesses, and in 2021, 60% of SMBs said they were victimized by a cyberattack.

Even more worrisome? For small and midsize businesses, cyberattack impacts go beyond downtime, lost data and reduced consumer trust. According to the U.S. Securities and Exchange Commission, up to 60% of SMBs are forced to close within six months of a cyberattack.

But it’s not all bad news. While security threats remain a key concern for SMBs, greater awareness of potential problems has set the stage for a more effective response.

In this piece, we’ll consider what makes SMBs such tempting targets, tackle what’s changed for these companies and explore how giving security a seat at the table can reduce total risk.

Small businesses, tempting targets

Large enterprises often seem like the more logical target for attackers, given the potential payout and the complexity of their IT stack. However, SMBs have actually become top-priority targets for attackers.

Three factors explain why threat actors go after SMBs.

1. Reduced awareness and protection

Many small businesses can’t afford large, in-house IT teams. In some cases, they may have a team of one or two staff handling all tech concerns for the entire organization, or they may contract out this work to a third party. In other instances, non-tech staff may share the burden of trying to keep security on track.

The result is an ideal environment for attackers. Not only are many SMBs missing core security solutions such as security information and event management (SIEM) frameworks, but they may also be missing intrusion detection and next-generation firewall (NGFW) tools. And in some cases, SMBs haven’t even taken the steps to implement simple security measures such as two-factor authentication, which could help frustrate common threats.

2. High value-to-effort ratio

SMBs are also tempting targets thanks to a high value-to-effort ratio. Because the bar to compromising their security is low, attackers need minimal effort. But if they can access critical data, the payoff could be substantial.

Consider an attacker who successfully phishes an SMB owner. Armed with legitimate credentials, they could access business networks to steal intellectual property and financial data, or encrypt critical operational data using ransomware.

Even if the ransomware payout isn’t much — tens of thousands compared to possible millions in the case of enterprises — the bar is so low that the effort is worth the earnings.

3. Lower chance of repercussions

Finally, attackers are less likely to get caught while attempting to breach SMB networks. Owing to the lack of security tools in place, the time between intrusion and detection is substantial. This may even allow adversaries to slip in and out unnoticed. The lack of existing defenses also increases the risk of attackers deploying advanced persistent threats (APTs) to monitor user behavior and select their ideal strike point.

What are SMBs doing differently?

So what’s different? What are SMB owners doing now that they weren’t doing last year or the year before?

Put simply, they’re paying attention. As noted by recent survey data, 67% of SMBs are more worried about IT security than last year. And this isn’t just an academic concern; these businesses are spending more to reduce their security risk. Consider that in 2021, just 32% of SMBs were investing the recommended 6-15% of their IT budget into cybersecurity. One year later, 68% of companies align with these recommendations. 46% plan to keep their spending the same over the following year, and 48% plan to increase their spending.

The result is an SMB market that sees the impact of cybersecurity threats both at scale and closer to home. This market is finally taking its security seriously by investing time and effort into key controls and skilled personnel.

In other words, they’ve taken the first step to solving the security problem: acknowledging there is one.

Giving security a seat at the table

Effective SMB security is all about table stakes.

In practice, this means identifying and implementing basic security tools and controls that help keep attackers at bay, coupled with an increased operational awareness of business vulnerabilities.

It’s certainly worthwhile for SMBs to consider more advanced threat detection and intelligence solutions. However, adopting basic cybersecurity hygiene practices is often enough to frustrate attacker efforts. Here’s why: Threat actors are all about low-hanging fruit. Consider the rise of Ransomware-as-a-Service (RaaS), which sees skilled attackers creating and then selling malware packages to less-skilled users.

These packages are ideal for compromising poorly protected SMB networks since they require minimal configuration and monitoring. But if businesses implement table stakes security tools that let them detect common threat vectors, the path to network compromise becomes more complicated. This, in turn, helps SMBs avoid simple attacks.

When it comes to more complicated threats, meanwhile, the use of intrusion detection tools coupled with regular assessments of security posture and examination of security data can help companies act before it’s too late. For example, by partnering with a leading managed security services provider — such as IBM — SMBs can detect the telltale signs of attacks on their networks and take action to reduce the impact. In addition, they can pinpoint common threat vectors and deploy targeted solutions to address the risk.

SMB security: Going up!

By seeing security as essential for both short-term survival and long-term business, SMBs have reached a tactical tipping point. This increased awareness has led to a commensurate boost in security budgets, putting small businesses in a better position to detect, identify and frustrate attacker efforts.

While this isn’t a magic bullet — attacks will still get through and data is still at risk — the upward trajectory of table-stakes spending suggests that SMB cybersecurity may (finally) be changing for the better.
