
According to the 2018 Verizon Data Breach Investigations Report, 58% of cyber attack victims were small businesses. Think it can’t happen to you? Think again.

Why are small to medium businesses a target?

Small business owners may wonder why cyber criminals would target them instead of a large company with more clients and funds. The reason is simple: criminals are opportunistic, and they know that smaller companies have fewer resources to dedicate to cyber security.

What’s more, the very fact that small business owners often assume that cyber criminals aren’t interested in them can mean they’re less likely to put substantial effort into cyber security, which makes them easier targets.

For some small to medium business owners, the most difficult hurdle to overcome in cyber security is this very attitude. The numbers show that cyber criminals do target small businesses, often at a higher rate than their larger counterparts. In particular, if your business has a relationship with a large firm, cyber criminals could see you as a gateway into a more lucrative organization.

Know Your Threats

To start, organizations should know their threats and how their systems, employees, and clients may be targeted. Companies should evaluate whether or not they are equipped to manage the biggest risks to their business, and if they aren’t, finding an external firm to manage cyber security is a good option.

Ransomware
A ransomware attack is when cyber criminals run malware in your network that encrypts your data, and often the systems that hold it, so that nothing can be used until a specific amount of money is paid. A ransomware attack could shut down a small business, even permanently, if no backup of the data exists in a place the malware cannot reach (offline, or on a separate account and system that the infected machines have no write access to).

Since the impact of ransomware can be devastating, many businesses choose to simply pay the ransom: they cannot afford any downtime and have not taken adequate precautions. However, paying does not guarantee that your data will be returned intact, or at all. This highlights the importance of keeping a backup of all your data, and of testing that the backup can actually be restored before you need it. A backup that sits on the same network share as the live data is usually encrypted along with it.

Spear Phishing
Spear phishing is a targeted email scam in which criminals send tailored messages to a specific organization or employee to gain unauthorized access to sensitive information, funds or computer systems. In a typical spear phishing attempt, people within a company receive an email asking them to send the sender confidential company information. The email is made to look as if it came from someone inside the company, so the recipient is more likely to trust it. The display name is easy to forge; the actual sender address, and whether the request makes sense for that person, are what to check.

Business Email Compromise

Business email compromise (BEC) attacks are a type of phishing scam in which a cyber criminal poses as a trusted entity, often a client, vendor, or business partner, in order to bring about a transfer of funds or information. The criminal sends credible-looking emails to an employee who likely has the authority to move funds, hoping to deceive them into transferring money into a fraudulent account. A common variant is a notice that a supplier's bank details have changed; any such change should be confirmed by phone using a number you already have on file, never one given in the email.
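The spear phishing and BEC sections above describe the same tells: a colleague's name on an outside address, a domain that is almost but not quite yours, replies quietly redirected elsewhere, and a request that is about money. The following script, added here as an example and not part of the original post or any product, checks raw email messages for those indicators. The company domain, employee directory and the three sample messages are constructed for the example.

```python
"""Flag spear-phishing / BEC indicators in raw email messages.

Added example; every name, domain and address below is hypothetical.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-firm.com"            # assumed: your own mail domain
EMPLOYEES = {                                   # assumed: directory of real senders
    "Dana Reyes": "dana.reyes@example-firm.com",
    "Sam Okafor": "sam.okafor@example-firm.com",
}
# Requests that typically precede a fraudulent transfer.
MONEY_WORDS = re.compile(
    r"\b(wire|transfer|invoice|bank details|account number|payment|urgent)\b", re.I)
# Character swaps commonly used to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    d = domain.lower()
    if d == COMPANY_DOMAIN:
        return False
    return normalise(d) == normalise(COMPANY_DOMAIN) or edit_distance(d, COMPANY_DOMAIN) <= 2


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name of a real colleague, but the address is not theirs.
    expected = EMPLOYEES.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoof: '{name}' from {addr}")

    # 2. Sender domain is a near-copy of ours.
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain: {from_domain}")

    # 3. Replies are silently redirected to another domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. Claims to be our domain but failed the receiving server's SPF/DKIM/DMARC checks.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == COMPANY_DOMAIN and re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append("authentication failure for our own domain")

    # 5. The ask is about money, which raises the stakes of every other finding.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if MONEY_WORDS.search(msg.get("Subject", "") + " " + text):
        findings.append("payment/transfer request")
    return findings


# Constructed sample messages (hypothetical).
LEGIT = """From: Dana Reyes <dana.reyes@example-firm.com>
To: sam.okafor@example-firm.com
Subject: Lunch Thursday?
Authentication-Results: mx.example-firm.com; spf=pass; dkim=pass; dmarc=pass

Are you free Thursday?
"""
SPOOFED_NAME = """From: Dana Reyes <dana.reyes.ceo@gmail.com>
To: sam.okafor@example-firm.com
Subject: Urgent wire transfer today

Sam, I am in a meeting and cannot talk. Please wire 28,400 to the account below and confirm.
"""
LOOKALIKE = """From: Accounts Payable <ap@examp1e-firm.com>
Reply-To: ap-team@mail-relay-service.net
To: sam.okafor@example-firm.com
Subject: Updated bank details for invoice 4471

Our bank details changed; please use the attached details for payment.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("lookalike", LOOKALIKE)):
        print(label, "->", analyse(sample) or "clean")
```

The checks are deliberately cheap so they can run in a mail filter or a helpdesk triage script; none of them replaces calling the supposed sender on a known number before money moves. The Authentication-Results check only works if your receiving mail server records SPF, DKIM and DMARC results, which most hosted mail providers do by default.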

Get Outside Help

When working with cyber security providers, business owners should ensure they offer a mix of solutions focused on both prevention and detection. Good prevention measures can drastically reduce the risk of cyber criminals getting in. However, monitoring and detection measures are equally important, and you'll need a firm that is able to quickly identify and deal with intruders before they're able to make off with client information, material business information, or funds.

Educate Your Employees

Employee education is also an important consideration: hackers often target employees, third party partners, and senior leaders through phishing emails and other psychological manipulation tactics, so if you’re not able to give basic training on cyber security to your employees, consider outsourcing that to an external firm as well.

If paying for education isn’t an option, ensure employees are educated on key issues such as managing access and permissions, using technology for its intended purpose, and identifying and defending against current cyber attacks.

Consider Cyber Security Insurance

Cyber security insurance might be something you want to consider, but keep in mind that this is not a substitute for taking adequate precautions: in order to collect on a claim in the event of a major cyber incident, you’ll need to be able to demonstrate that your business had reasonable cyber security controls and prevention measures in place.

Mind the Cloud

Many small to medium businesses use cloud solutions to cut down on infrastructure and technical workforce costs. There's nothing wrong with this, but be aware that using the cloud doesn't absolve your business of its responsibility to use proper security controls and configure the cloud correctly. The provider secures the platform; who can log in, what they can reach, and how your data is protected remain your job.

Businesses should use SaaS (Software as a Service) as much as possible, as the bulk of the security is handled by the cloud provider. Where possible, enabling multi-factor authentication on every cloud account reduces the damage a stolen or phished password can do. Making sure that very sensitive files are encrypted on your side, before they are uploaded, also reduces the risk of them leaking if the provider or your account is ever compromised, provided the encryption key is kept somewhere the provider never sees. An external security firm can also help your business to manage its cloud risk effectively.
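The following is an added example of the client-side encryption the paragraph recommends; it is not code from the original post or from any cloud provider. It uses AES-256-GCM from the `cryptography` package with a key derived from a passphrase via the standard library's `hashlib.scrypt`, and binds the object name into the ciphertext so a blob cannot be silently renamed or swapped in the bucket. The file name, passphrase and contents are constructed for the example.

```python
"""Encrypt a file client-side before it is uploaded to cloud storage.

Added example; assumes the `cryptography` package is installed. The
passphrase, file name and contents are constructed for demonstration.
"""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN = 16, 12


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt with n=2**14 keeps the example fast; raise n for production use.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_blob(passphrase: str, object_name: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext+tag; this is what gets uploaded."""
    salt = os.urandom(SALT_LEN)      # fresh salt per file: same passphrase, different key
    nonce = os.urandom(NONCE_LEN)    # GCM nonce must never repeat under one key
    key = derive_key(passphrase, salt)
    # The object name is associated data: authenticated, not encrypted, so a
    # blob moved to a different name in the bucket fails to decrypt.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, object_name.encode())
    return salt + nonce + ciphertext


def decrypt_blob(passphrase: str, object_name: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase, name or blob is wrong."""
    if len(blob) < SALT_LEN + NONCE_LEN + 16:   # 16-byte GCM tag minimum
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, object_name.encode())
    except InvalidTag:
        # Wrong passphrase, wrong object name, or the blob was modified in storage.
        return None


if __name__ == "__main__":
    secret = b"employee,salary\nD. Reyes,82000\n"          # constructed sample content
    blob = encrypt_blob("correct horse battery staple", "payroll-2019.csv", secret)
    print("uploadable blob bytes:", len(blob))
    print("round trip ok:", decrypt_blob("correct horse battery staple", "payroll-2019.csv", blob) == secret)
    print("renamed in bucket:", decrypt_blob("correct horse battery staple", "other.csv", blob))
```

The passphrase, or better a randomly generated key stored in a password manager or local key store, never leaves your side, so a compromise of the provider or of the cloud account yields only opaque blobs. Losing that key loses the files, which is the trade-off: keep a backup of the key separate from the backup of the data.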

A Final Note

Business owners cannot afford to underestimate the importance of protecting their livelihoods from cyber criminals; a belief that they’re too small to be targeted, combined with a lack of resources available to dedicate to cyber security, can hinder effective cyber security practices in small to medium businesses. Taking the steps outlined above will improve your organization’s cyber security posture and put a serious wrench in the hackers’ plans.

However, no matter how extensive your cyber security measures are, occasionally, hackers still find a way through. Stay tuned for next week’s post on how to plan for and manage a cyber security crisis while prioritizing your client relationships.

October 7, 2019

