Security Magazine logo

Why small businesses are vulnerable to cyberattacks

By Linda Comerford
May 25, 2022

Small businesses are attractive targets for cybercriminals because they usually lack the cybersecurity precautions of larger organizations. Forty-three percent of all cyberattacks target small businesses, and the consequences of these breaches can be extremely costly, from lost productivity to damaged company reputation. In fact, 60% of all small business victims of a data breach permanently close their doors within six months of the attack.


A new study found that 47% of businesses with fewer than 50 employees do not have a dedicated cybersecurity budget. And only 18% of companies with more than 250 employees have a dedicated cybersecurity budget. 


The IBM Cost of a Data Breach Report 2021 found that the average cost of a data breach increased 10% in 2021 to $4.24 million. Costs were lower for organizations with more robust cybersecurity policies than for organizations with little security infrastructure. The report also found that remote work due to the COVID-19 pandemic increased the average total cost of a data breach. With COVID-19, companies were suddenly using remote desktop protocol (RDP) for remote access. Quite often, multi-factor authentication (MFA) was not turned on. This led to a rise in cyber threats, as it was an easy entry point for threat actors. Working remotely also lengthened the time it took to identify and contain data breaches compared to businesses with more workers back on the worksite.


Reasons Small Businesses are Vulnerable to Cyberattacks

In many cases, small businesses do not take cybersecurity seriously. Many businesses feel “too small” to be affected by a cyber incident. If an incident does occur, many do not realize the severity of a breach until it is too late. Small business owners do not see the need to invest the time or money in a cybersecurity plan for many reasons, including:

  • They do not think that they would be a victim of a data breach
  • Budgeting for cybersecurity programs is minimal
  • Systems are outdated and unsupported
  • Special software needed for outdated devices is no longer supported


During the COVID-19 shutdowns, many small businesses had to switch to remote work, opening these businesses to many cybersecurity issues, from workers using personal computers for work-related tasks to relying on the cloud with little or no IT staff or resources. 

Cybercriminals can easily manipulate small businesses. Additionally, these organizations cannot say no to ransomware attacks because they do not have a backup system to recover data if they are attacked.


Human error is the leading cause of data breaches at small businesses. The IBM report also found that compromised credentials were the most common way cybercriminals initially attack a company’s data. Because small businesses do not focus on cybersecurity training, employees do not know what to look for to identify suspicious cyber activity. They can be easily tricked into falling for social engineering scams and malicious threats, or into sharing logins, sensitive data and other company and customer information.


Types of Cyberattacks

According to a Small Business Administration survey, 88% of small business owners felt their business was vulnerable to a cyberattack. Yet many companies cannot afford professional cybersecurity solutions or do not know where to start. 


A cyberattack is a deliberate assault on a computer system or network that uses malicious code to make unwanted modifications or steal data. Cyberattacks are constantly evolving. Some of the most common examples of cybercrimes include:


  • Social Engineering Scams: This type of cybercrime deceives or manipulates someone into divulging confidential or personal information for fraudulent purposes. There are many types of social engineering scams, including:
    • Phishing
    • Spear Phishing
    • Baiting
    • Spoof Websites
    • Caller ID Spoofing
    • Smishing
  • Malware: Malware (malicious software) is harmful software installed on a user’s computer after the user clicks on a harmful link or opens an unknown email attachment. Malware can lock down a computer, block access to files and other critical network components, and obtain sensitive data. Ransomware, a common and highly disruptive type of malware, locks computer files through encryption until a specific ransom is paid for a key to decrypt the data. Other types of malware are Trojan horses and drive-by attacks.
  • SQL Injections and Other Web Application Attacks: A Structured Query Language (SQL) injection is a cyberattack that involves a hacker “injecting” malicious code into a service that uses SQL, forcing it to expose information it would normally not display, including customer details, user lists and other confidential company data.
  • Denial-of-Service (DoS): This attack occurs when hackers overload a system’s resources and cause it to become unresponsive to service requests and inaccessible to authorized users. 
  • Botnets: A botnet can drive a cyberattack by using bots to steal personal information, spread spam, and deliver viruses into the computer network. 
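
The SQL injection item above describes input that changes what a query returns. The following is an added example, not part of the original article, that puts a query built by string concatenation beside its parameterized form; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"),
         ("Bob", "bob@example.com"),
         ("Carol", "carol@example.com")],
    )
    return db

def lookup_vulnerable(db, name):
    """Weak form: user input is pasted into the SQL text, so it can change the query."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    """Hardened form: the input is bound as a parameter and is only ever treated as data."""
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()

def audit(db, samples):
    """Run both lookups on each input and collect the results side by side."""
    report = []
    for s in samples:
        try:
            weak = lookup_vulnerable(db, s)
        except sqlite3.Error as exc:
            # A stray quote breaks the concatenated SQL outright.
            weak = "error: " + type(exc).__name__
        report.append((s, weak, lookup_safe(db, s)))
    return report

# Constructed inputs: a normal name, a legitimate name containing a quote,
# and the textbook always-true condition.
SAMPLES = ["Alice", "O'Brien", "x' OR '1'='1"]

if __name__ == "__main__":
    for s, weak, safe in audit(make_db(), SAMPLES):
        print(repr(s), "| concatenated:", weak, "| parameterized:", safe)
```

The concatenated query returns every customer row for the third input and fails on the second, while the parameterized query returns no rows for either because neither string matches a stored name.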

  

Cyberattack Prevention 

With cybercrime growing and becoming more advanced every year, it is more important than ever that small businesses understand how these types of attacks can impact their operations — and take the proper steps to protect themselves. Early detection of a data breach is critical to saving a company’s reputation and thousands of dollars in damages. 

Small business cybersecurity best practices include: 

  • Employee Training: Employee cybersecurity training should not be a one-and-done situation. Businesses should consider continuous training to educate all their employees on potential security vulnerabilities, recognizing and avoiding scams, creating strong passwords, and protecting sensitive customer and company information.
  • Update Security Software: Companies should utilize firewalls, anti-virus software and anti-spyware programs to help ensure sensitive data cannot be easily accessed by hackers. These security programs also require regular updates to keep them free from vulnerabilities, so check any software vendors’ websites to learn about upcoming security patches and other updates.
  • Protect Your Data: Because many data breaches happen due to employee error, staff should only have access to the information vital to their particular role. Companies should consider record retention programs requiring employees to properly purge or archive files. Regularly back up data on all computers and have a recovery system in place if the information needs to be retrieved due to a cyberattack. Segmenting a network is another way to keep data from being shared across the entire network. This way, if one section of the network is compromised, the rest is not.
  • Password Protection Program: Small businesses and their employees should use strong passwords for every site accessed daily. Passwords should never be shared between employees or written down where others can see them. 
  • Data Encryption: All data on personal devices, computers, or servers should be protected by proper encryption in case there are unauthorized access attempts. When the data is encrypted at rest, it is protected from being viewed unless the user has the proper credentials and code. This is very important for any HIPAA-regulated data.
  • Multi-factor Authentication: Multi-factor authentication requires additional verification information, for example, a security code sent to your phone, to log into networks, systems and computers. Wherever possible, it is important to utilize MFA. Turning it on for email, VPN access, firewall, and software access leads to a more secure system.
  • Cyber Insurance Coverage: Cyber insurance can greatly assist with protecting small businesses from the potential extreme costs that arise from a range of cyberattacks and the financial and reputational damage incurred from data breaches. Cyber claims handlers are there to hold your hand during the stressful process and help introduce vendors who have been carefully chosen to best assist based on the event.


Protect Your Company from a Cybersecurity Attack

Ultimately, cybercriminals are trying to get at a person’s or company’s data, and the risk of a data breach at any organization keeps increasing. Companies need to be more aware of their cyber threats and be proactive by following specific cybersecurity procedures to help protect their brand, productivity, reputation and customer loyalty.

KEYWORDS: business continuity cyber security malware risk management small and medium business (SMB) security social engineering


Linda Comerford, Assistant Vice President, Cyber Services and Incident Response, joined AmTrust in January 2022. She manages vendor relationships, and collaborates with the insured, privacy counsel, forensic firm and notification vendors to ensure superior cyber claim service throughout each critical stage of the incident response process.

Copyright ©2025. All Rights Reserved BNP Media.
