Cyberattacks represent a serious problem for small to medium-sized businesses (SMBs).

Consider that in 2019, 43% of attackers went after small businesses, and in 2021, 60% of SMBs said they were victimized by a cyberattack.

Even more worrisome? For small and midsize businesses, cyberattack impacts go beyond downtime, lost data and reduced consumer trust. According to the U.S. Securities and Exchange Commission, up to 60% of SMBs are forced to close within six months of a cyberattack.

But it’s not all bad news. While security threats remain a key concern for SMBs, greater awareness of potential problems has set the stage for a more effective response.

In this piece, we’ll consider what makes SMBs such tempting targets, tackle what’s changed for these companies and explore how giving security a seat at the table can reduce total risk.

Small Businesses, Tempting Targets

Large enterprises often seem like the more logical target for attackers, given the potential payout and the complexity of their IT stack. However, SMBs have actually become top-priority targets for attackers.

Three factors explain why threat actors keep going after SMBs.

1. Reduced Awareness and Protection

Many small businesses can’t afford large, in-house IT teams. In some cases, they may have a team of one or two staff handling all tech concerns for the entire organization, or they may contract out this work to a third party. In other instances, non-tech staff may share the burden of trying to keep security on track.

The result is an ideal environment for attackers. Not only are many SMBs missing core security solutions such as security information and event management (SIEM) frameworks, but they may also be missing intrusion detection and next-generation firewall (NGFW) tools. And in some cases, SMBs haven’t even taken the steps to implement simple security measures such as two-factor authentication, which could help frustrate common threats.

2. High Value-to-Effort Ratio

SMBs are also tempting targets thanks to a high value-to-effort ratio. Because the bar for compromising their security is low, attackers need only minimal effort, and if they can access critical data, the payoff could be substantial.

Consider an attacker who successfully phishes an SMB owner. Armed with legitimate credentials, they could access business networks to steal intellectual property and financial data, or encrypt critical operational data using ransomware.

Even if the ransomware payout isn’t much — tens of thousands compared to possible millions in the case of enterprises — the bar is so low that the effort is worth the earnings.

3. Lower Chance of Repercussions

Finally, attackers are less likely to get caught while attempting to breach SMB networks. Owing to the lack of security tools in place, the time between intrusion and detection is substantial. This may even allow adversaries to slip in and out unnoticed. The lack of existing defenses also increases the risk of attackers deploying advanced persistent threats (APTs) to monitor user behavior and select their ideal strike point.

What Are SMBs Doing Differently?

So what’s different? What are SMB owners doing now that they weren’t doing last year or the year before?

Put simply, they’re paying attention. As noted by recent survey data, 67% of SMBs are more worried about IT security than last year. And this isn’t just an academic concern; these businesses are spending more to reduce their security risk. Consider that in 2021, just 32% of SMBs were investing the recommended 6-15% of their IT budget into cybersecurity. One year later, 68% of companies align with these recommendations. 46% plan to keep their spending the same over the following year, and 48% plan to increase their spending.

The result is an SMB market that sees the impact of cybersecurity threats both at scale and closer to home. This market is finally taking its security seriously by investing time and effort into key controls and skilled personnel.

In other words, they’ve taken the first step to solving the security problem: acknowledging there is one.

Giving Security a Seat at the Table

Effective SMB security is all about table stakes.

In practice, this means identifying and implementing basic security tools and controls that help keep attackers at bay, coupled with an increased operational awareness of business vulnerabilities.

It’s certainly worthwhile for SMBs to consider more advanced threat detection and intelligence solutions. However, adopting basic cybersecurity hygiene practices is often enough to frustrate attacker efforts. Here’s why: Threat actors are all about low-hanging fruit. Consider the rise of Ransomware-as-a-Service (RaaS), which sees skilled attackers creating and then selling malware packages to less-skilled users.

These packages are ideal for compromising poorly protected SMB networks since they require minimal configuration and monitoring. But if businesses implement table stakes security tools that let them detect common threat vectors, the path to network compromise becomes more complicated. This, in turn, helps SMBs avoid simple attacks.

When it comes to more complicated threats, meanwhile, the use of intrusion detection tools coupled with regular assessments of security posture and examination of security data can help companies act before it’s too late. For example, by partnering with a leading managed security services provider — such as IBM — SMBs can detect the telltale signs of attacks on their networks and take action to reduce the impact. In addition, they can pinpoint common threat vectors and deploy targeted solutions to address the risk.

SMB Security: Going Up!

By seeing security as essential for both short-term survival and long-term business, SMBs have reached a tactical tipping point. This increased awareness has led to a commensurate boost in security budgets, putting small businesses in a better position to detect, identify and frustrate attacker efforts.

While this isn’t a magic bullet — attacks will still get through and data is still at risk — the upward trajectory of table-stakes spending suggests that SMB cybersecurity may (finally) be changing for the better.
