Think your business is too small to be targeted by attackers? Think again.

Blogs from CyberCX

Chris Pogue, Director of Digital Forensics and Incident Response, CyberCX United States

 

When speaking with small to medium businesses (SMBs), both in the United States and around the world, about cybersecurity, I frequently hear some variation of the following: “We are too small to even be on a hacker’s radar. We only do $10M per year in revenue. Surely, there are better ways for them to spend their time than coming after us!”

The frequency of this response prompted me to dig a bit deeper into the question: are SMBs more or less likely to be targeted by Threat Actors (TAs)? 

I didn’t have to search very long or hard to find digital reams of data that all pointed in the same direction. If you think that your business is too small to be targeted by attackers, think again.

 

To attack or not to attack – dispelling myths around SMBs as cyber targets

For starters, we need to dispel the notion that the decision to target SMBs versus larger Multinational Corporations (MNCs) or governments is an either/or question. There is no mythical cyber scale where your business is weighed and measured against other potential targets and then stack-ranked based on quarterly earnings or annual reports.

To attack or not to attack is not a question of either/or; rather, the answer is yes/and. TAs don’t face a dilemma of going after either large corporations or small ones. The fact of the matter is that they do both, and quite well. In fact, several threat reports find that smaller businesses account for the majority of attacks where the victim’s size could be determined.

A quick Google search shows no shortage of sobering statistics for SMB owners…

According to an article by CNBC, cyberattacks cost small companies, on average, USD $200,000. The 2023 Verizon Data Breach Investigations Report shows that 58% of all attacks where the business size could be determined targeted small businesses (defined in the report as having fewer than 1,000 employees). Further, the Identity Theft Resource Center says a record 73% of small businesses reported a cyberattack in 2023.

The consequences can be devastating. According to the US National Cyber Security Alliance, 60% of small businesses that suffer a cyberattack go out of business within half a year.

Barracuda indicated that small businesses are 3x more likely than larger enterprises to be hit with social engineering attacks. And finally, the Federal Bureau of Investigation has indicated that it is concerned about the growing wave of attacks targeting SMBs.

I found all these statistics within five minutes of running an internet search.

In addition, according to the blog post 35 Alarming Small Business Cybersecurity Statistics for 2023:

1. 46% of all cyber breaches impact businesses with fewer than 1,000 employees.

2. 61% of SMBs were the target of a cyberattack in 2021.

3. At 18%, malware is the most common type of cyberattack aimed at small businesses.

4. 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.

5. 37% of companies hit by ransomware had fewer than 100 employees.

6. Small businesses receive the highest rate of targeted malicious emails, at one in 323.

7. Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

8. 87% of small businesses hold customer data that could be compromised in an attack.

9. 27% of small businesses with no cybersecurity protections at all collect customers’ credit card information.

 

Why cyber security is an uphill battle for small businesses

Despite these staggering numbers, according to an October 24, 2023 article published by Yahoo! Finance, “Eighty-five (85) percent of small business leaders say they are ready to respond to a cyber incident despite a record-high 73 percent reporting an attack in 2023.”

Let’s unpack that response a bit, because in my opinion it’s not…entirely…accurate.

Being a smaller organization almost always means smaller budgets and less money to spend on cybersecurity. Being smaller also means you likely have a greater focus on your core competency and less time, energy, capability and capacity to devote to other things like regulatory compliance, IT infrastructure and cybersecurity.

This in turn means you are less likely to have full-time cybersecurity staff, which means you likely spend less time, money and effort on cybersecurity. The result is often that you are less prepared to prevent, detect and respond to an attack. All of these things, while totally understandable from a business perspective, make you a softer target for TAs.

Just like any other skills-based profession, cybercrime organizations have members at varying levels of ability. They have scores of newer team members with less experience working under the direction of more experienced mentors (think C.S. Lewis’ The Screwtape Letters). These less experienced TAs are set loose on the much more numerous, much less secure SMB market, while the more experienced TAs go after the harder, yet more lucrative, larger corporations and MNCs.

 

What SMBs can do

The US Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity guidelines and best practices for small businesses. Most of these recommendations are either free or inexpensive, and require only the organization’s commitment and participation. They include building a culture of security, having an Incident Response Plan (IRP) in place, and engaging in tabletop or threat simulation exercises. In addition, technology controls such as password managers, multi-factor authentication (ideally a phishing-resistant form, such as FIDO2 security keys) and full disk encryption can also prove helpful.

Most important of all, albeit not free, is having cybersecurity experts on retainer and using them as your virtual Chief Information Security Officer. As outlined above, and as any SMB operator does not need me to remind them, for many small businesses the cost of hiring dedicated cybersecurity staff is simply too high. However, putting an organization like CyberCX on retainer, and allowing our 1,400-strong global workforce to help you, is far less expensive and at least as impactful (in some ways, probably even more so).

The bottom line is that if you are a small business, your size does not offer you a natural defense against cyberattacks. The cybersecurity industry is complex and fast paced, and navigating it effectively requires subject-matter experts. There are heaps of free and inexpensive things you can do to be better prepared, but if you lack the in-house expertise, you must augment your capabilities with external experts.

So, next time you have a conversation with a cybersecurity expert and think that you are too small to be a target, think again. Start asking some questions about what that relationship could look like. I have never, in my almost 30 years of experience, seen a single instance where underinvesting in cybersecurity was a good idea.

Ready to get started?

Find out how CyberCX can help your organization manage risk, respond to incidents and build cyber resilience.