


Cybercriminals are setting their sights on small and medium-sized businesses, or SMBs, unleashing a barrage of cyberattacks designed to infiltrate systems and wreak havoc.
According to BlackFog's 2023 Cybersecurity Risk Management Report, 61% of SMBs surveyed experienced a cyberattack in the previous year. These weren't one-off attacks, either—87% reported experiencing two or more successful attacks during that year.
While you may think hackers would prefer to target corporations with vast amounts of data and deep pockets, the reality is that SMBs are highly appealing targets for cybercriminals. Not only do most have valuable data—such as customer payment information—but many lack the level of cybersecurity defenses employed by larger companies.
These combined factors create a risky situation. Thankfully, it doesn't take deep technological knowledge or extensive resources to bolster your defenses. By understanding the key threats and addressing cybersecurity vulnerabilities, you'll be able to better safeguard your business.
For SMBs, cyberattacks can come in many forms and occur through various methods. Here are the most common types of cyberattacks targeting small businesses.
More than 90% of all cyberattacks begin with a phishing attempt, according to the US Cybersecurity & Infrastructure Security Agency. Based on data compiled by Cisco, 86% of businesses have had at least one employee fall prey to a phishing link.
While phishing campaigns cast a wide net, spear phishing is a more targeted attack under the category of social engineering. Attackers thoroughly research targets on social media to gather background information, allowing them to craft highly convincing emails or texts that appear to come from trusted senders like colleagues. Even the most vigilant can be deceived, making this a particularly dangerous cyberthreat for businesses.
According to the BlackFog report, half of security leaders cite malware attacks as their biggest cybersecurity fear, and rightfully so, given how disruptive these attacks can be. Malware attacks typically begin with an email whose link or attachment carries malicious software. Once installed, this software can enable criminals to spy, steal company intel, obtain sensitive data or commit fraud.
Panda Security data shows that 46% of SMBs have experienced at least one ransomware attack. As with malware attacks, a criminal will trick an employee into installing malicious software. Once installed, the software will render a business's data and files unusable, and criminals will hold this data hostage in exchange for money. For SMBs, ransomware attacks can be quite costly. Of those that decided to pay a ransom, 43% surrendered $10,000 to $50,000, and 13% paid more than $100,000.
Business email compromise is another type of social engineering attack that involves a person manipulating or tricking an employee into sharing sensitive data or sending funds. SMBs are particularly vulnerable to these attacks. According to the cybersecurity firm Barracuda Networks, businesses employing fewer than 100 people will experience 350% more social engineering attacks than larger companies.
Insider threats involve employees, contractors or stakeholders either purposely or inadvertently using their authorized access to cause harm to a business. In some cases, the employee might be unaware that their credentials have been stolen and used for criminal purposes.
While these attacks differ in approach, they all stem from a common set of cybersecurity vulnerabilities criminals seek to exploit.
According to a 2022 CNBC Small Business survey, 6 in 10 business owners say they don't think they'll be the victim of a cyberattack. Many assume that they're too small to target or that their business simply doesn't have any data that would interest hackers. However, cybercriminals often prey on SMBs precisely because so many underestimate the threat.
Unlike large organizations, many SMBs don't have an in-house IT team at their disposal. In fact, almost half of businesses with fewer than 50 employees lack a dedicated cybersecurity budget, according to the 2022 Risk Insights Index conducted by Corvus Insurance. As a result, the burden of cybersecurity often falls on small business owners themselves—and 25% of them admit that they don't have the bandwidth to devote to cybersecurity, according to a 2023 report from Digital Ocean.
Another significant vulnerability is a lack of knowledge. According to the BlackFog report, 39% of business owners say they don't adequately understand the challenges posed by cybercrime. Because many are short on time and knowledge, SMBs often lack essential safeguards like antivirus software, password security protocols and multifactor authentication, or MFA.
A lack of formal employee training can also leave many SMBs vulnerable to cyberattacks. Employees are often a company's first line of defense against fraud and cybersecurity threats, underscoring the importance of education. When businesses don't train their employees on cybersecurity best practices, employees can more easily be fooled by the increasingly sophisticated scams criminals employ.
It's no secret that a cyberattack can be incredibly disruptive and costly. According to BlackFog, 4 in 10 businesses lost customer data following a cyberattack, while 58% suffered from business downtime.
For companies with fewer than 500 employees, the average cost of a data breach was $3.31 million in 2023, according to IBM's annual Cost of a Data Breach Report, an increase of 13.4% over the previous year.
Beyond the quantifiable financial burden associated with lost or exposed data, cyberattacks often result in reputational risk, which can be just as harmful to a business. According to BlackFog, 1 in 3 companies lost business following a cyberattack. And according to the National Cybersecurity Alliance, 60% of small businesses that experience a data breach permanently close within 6 months of the attack.
When it comes to cybersecurity for small businesses, planning is an essential first step. A well-structured plan can help identify cybersecurity vulnerabilities, establish protective measures and educate employees on best practices.
While your small business cybersecurity plan should be tailored to your business, your industry and the types of data you collect, make sure it includes the following components.
Create a bring-your-own-device policy that includes security measures for employees accessing company information on their own phones or laptops.
Your remote work policy should clearly outline cybersecurity best practices and protocols so company data isn't vulnerable when employees are working outside the office. Specify required precautions regarding unsecured Wi-Fi networks, file sharing and other risks.
Implement a robust policy that outlines best practices for password management, establishes minimum password difficulty requirements and requires the use of MFA and periodic password changes.
A data breach response plan that identifies what needs to occur and who's responsible for overseeing these tasks is essential for every business. Your plan should include any outside support that may be required, such as legal, cybersecurity or crisis management consultants. As you develop your data breach response plan, you should also evaluate the benefits of cybersecurity insurance.
According to the World Economic Forum, 95% of all cybersecurity events can be traced to human error, underscoring the importance of employee education. Conduct regular employee training sessions focused on cybersecurity best practices and key threats. By teaching employees how to spot common red flags and respond properly, you can more effectively safeguard your business.
To help your business reduce vulnerabilities, consider the following tools and technologies as part of your overall cybersecurity plan.
Cybercrime presents a very real problem for small businesses, and the problem isn't going away. To help protect your business, create a comprehensive cybersecurity plan, make technological changes to boost your company's digital defenses and train employees to identify and respond to threats.