By Cam Sivesind
Thu | May 9, 2024 | 4:23 AM PDT

Small and medium-sized businesses (SMBs) face significant cybersecurity threats that are often overlooked. While large enterprises have more resources to invest in cybersecurity, SMBs frequently lack the budget, expertise, and personnel to adequately protect themselves from cyberattacks. This creates a dangerous situation where SMBs are increasingly targeted by malicious hackers.

StrongDM addressed this trend in its "35 Alarming Small Business Cybersecurity Statistics for 2024." Alarming is an understatement. See the full list at the link, but here are a few highlights:

  • 46% of all cyber breaches impact businesses with fewer than 1,000 employees. 
  • 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.
  • 95% of cybersecurity incidents at SMBs cost between $826 and $653,587. 
  • 75% of SMBs could not continue operating if they were hit with ransomware.
  • 47% of businesses with fewer than 50 employees have no cybersecurity budget.
  • 29% of businesses that suffered a breach responded by hiring a cybersecurity firm or dedicated IT staff. 
  • Antivirus software (58%), firewalls (49%), VPNs (44%), and password management (39%) are the top four cybersecurity tools SMBs are adopting. (March 2022)

According to the 2022 Cyberthreat Defense Report by CyberEdge Group, 83.7% of organizations were impacted by successful cyberattacks in 2021. Alarmingly, SMBs with under 500 employees suffered more damage from cyberattacks on average compared to larger organizations.

The main cybersecurity risks facing SMBs include:

  1. Phishing attacks: Phishing remains one of the biggest threats, with hackers impersonating legitimate companies or authorities to trick employees into revealing passwords or installing malware. The 2022 Data Breach Investigations Report by Verizon found that 82% of breaches involved the human element, a category that covers phishing and other social engineering along with credential misuse and user error.
  2. Ransomware: Ransomware encrypts an SMB's data and systems until a ransom is paid to the attackers. According to a report by Datto, the average ransomware payment demand increased 144% in 2021 to over $5.5 million. SMBs with limited backups are extremely vulnerable.
  3. Lack of cybersecurity expertise: Most SMBs cannot afford dedicated cybersecurity staff. A survey by Cybersecurity Insiders found that 27% of organizations lack the skilled personnel needed to maintain sufficient security measures.
  4. Legacy systems/software: Old, unsupported software and systems are a major risk factor. An AppRiver report found that around 92% of malware targets outdated software that no longer receives security updates.
  5. Remote/hybrid work: With more employees working remotely, attack surfaces have expanded dramatically. Insecure home networks and devices open new entry points for hackers targeting SMBs.


The U.S. Small Business Administration (SBA) has online resources dedicated to informing SMBs on how to bolster their cybersecurity.

According to the webpage's introduction:

"Cyberattacks cost the U.S. economy billions of dollars a year, and pose a threat for individuals and organizations. Small businesses are especially attractive targets because they have information that cybercriminals (bad actors, foreign governments, etc.) want, and they typically lack the security infrastructure of larger businesses to adequately protect their digital systems for storing, accessing, and disseminating data and information.

Surveys have shown that a majority of small business owners feel their businesses are vulnerable to a cyberattack. Yet many small businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity, and don't know where to begin."

Some best practices the SBA suggests for preventing cyberattacks include:

  • Train your employees
  • Secure your networks
  • Use antivirus software and keep all software updated
  • Enable Multi-Factor Authentication
  • Monitor and manage Cloud Service Provider (CSP) accounts
  • Secure, protect, and back up sensitive data
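Two of the SBA items above, enabling MFA and keeping an eye on cloud provider accounts, can be checked mechanically rather than by trust. The following is an added example, not code from the SBA or from the original article, written in the style of an audit over an AWS IAM credential report: the report's column names are real, but the rows, the account ID 111122223333, the user names, and the 90-day thresholds are constructed for illustration. In a real account you would pull the report with `aws iam get-credential-report` instead of using the embedded sample.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an AWS IAM credential report (subset of the
# real columns). Account ID, user names and dates are made up for this example.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-04-30T12:00:00+00:00,false,true,2022-01-10T09:00:00+00:00,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-01T08:15:00+00:00,true,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-05-02T10:00:00+00:00,false,true,2023-01-15T10:00:00+00:00,2024-05-03T11:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2024-04-01T00:00:00+00:00,2024-05-06T00:00:00+00:00
old-contractor,arn:aws:iam::111122223333:user/old-contractor,true,2023-06-01T00:00:00+00:00,true,true,2022-11-20T00:00:00+00:00,2023-06-01T00:00:00+00:00
"""

# Fixed "now" so the example is reproducible; thresholds are assumed policy values.
NOW = datetime(2024, 5, 9, tzinfo=timezone.utc)
KEY_MAX_AGE = timedelta(days=90)   # rotate long-lived access keys at least this often
IDLE_MAX = timedelta(days=90)      # identities unused this long should be disabled


def _parse(ts):
    """The report uses N/A / no_information for missing timestamps."""
    if ts in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, issue) pairs for the hygiene problems an SMB should fix first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as not_supported; root always has console login.
        console_login = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"

        if console_login and not mfa:
            findings.append((user, "console login without MFA"))
        if is_root and key_active:
            findings.append((user, "root account has an active access key"))
        if key_active:
            rotated = _parse(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key older than {KEY_MAX_AGE.days} days"))

        # Stale identities: no password or key use within the idle window.
        seen = [t for t in (_parse(row["password_last_used"]),
                            _parse(row["access_key_1_last_used_date"])) if t is not None]
        if not is_root and seen and now - max(seen) > IDLE_MAX:
            findings.append((user, f"no activity in {IDLE_MAX.days} days; disable or remove"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {issue}")
```

Run against the sample, the audit flags the root account (no MFA, an active access key that is also stale), bob (console login without MFA, key not rotated) and old-contractor (stale key, no activity for almost a year), while alice and the ci-deploy service user pass. The same loop runs unchanged over a real report; the point is that "enable MFA" and "manage CSP accounts" become a repeatable check rather than a one-time setup task.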

The SBA also stresses the importance of assessing risk, and points SMBs to these resources:

  • Create a cybersecurity plan – The Federal Communications Commission (FCC) offers a cybersecurity planning tool (The Small Biz Cyber Planner 2.0) to help you build a custom strategy and cybersecurity plan based on your unique business needs.
  • Conduct a Cyber Resilience Review – DHS partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University's Software Engineering Institute to create the Cyber Resilience Review (CRR). This is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either complete the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.
  • Conduct vulnerability scans – DHS, through its sub-agency Cybersecurity and Infrastructure Security Agency (CISA), also offers free cyber hygiene vulnerability scanning for small businesses. They offer several scanning and testing services to help organizations assess exposure to threats to ultimately help secure systems by addressing known vulnerabilities and adjusting configurations.
  • Manage information communication technology (ICT) supply chain risk – Use the ICT Supply Chain Risk Management Toolkit to help shield your business information and communications technology from sophisticated supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos, and resources, and is designed to help you raise awareness and reduce the impact of supply chain risks.
  • Take advantage of free cybersecurity services and tools – CISA has also compiled a list of free cybersecurity resources including services provided by CISA, widely used open-source tools, and free services offered by private and public sector organizations across the cybersecurity community. Use this living repository of resources to further advance your security capabilities. CISA also provides guidance for small businesses.
  • Maintain DoD industry partner compliance (if applicable) – Of special relevance to federal contractors and subcontractors is the Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) that is shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements. It's based on a 3-tiered model (Foundational, Advanced, Expert) that requires companies to implement security measures (and be assessed accordingly), depending on the sensitivity of the information. Rulemaking is currently in progress, but it is essential for contractors to remain up to speed with requirements, as a certain CMMC level will be required as a condition of contract award.

Kevin Dreyer, IT Director and CISO for Maple Reinders Group, shared his experience leading security at an SMB at the SecureWorld Toronto conference on April 3, 2024. Here is his session abstract:

Challenges and Triumphs for Cybersecurity in SMBs

Small and medium-sized businesses (SMBs) face unique challenges, from shoestring budgets to limited staffing, leaving them exposed in a constantly evolving threat landscape. This session explores how to build an actionable strategy for building a robust cyber defense, even without a robust staff at your back. Get ready to:

  • Discover creative (and budget-friendly) strategies for attracting, retaining, and upskilling cybersecurity talent in the SMB domain, and why it’s OK to let team members move on to new opportunities.
  • Learn practical ways to bridge the knowledge gap in your team, regardless of experience level.
  • Forge a culture of resilience: Build a foundation of security awareness that resonates with employees, from frontline teams to the C-suite.
  • Speak the language of business: Master the art of communicating cyber risks and ROI to gain buy-in from even the most budget-conscious executive.
  • Learn to translate technical jargon into compelling narratives that capture the attention and support of leadership.

This session is not just about survival; it’s about thriving. Discover practical tools, actionable strategies, and inspiring peer-to-peer insights to transform your SMB cybersecurity platform from potential vulnerability to a source of strength.