
Cyber assaults impacted approximately one-third of small and medium-sized businesses within the last year.

Small businesses face heightened cyber threats due to insufficient funds to implement sophisticated security methods, according to a report by Microsoft Security.


Cybersecurity Misconceptions Pose Significant Risks for Small- to Medium-Sized Businesses (SMBs)

A recent survey of 2,000 IT security product decision makers at U.K. and U.S. businesses with under 300 employees has highlighted some common misconceptions among SMBs that increase their vulnerability to cyberattacks.

One of the most prevalent misconceptions is that SMBs are too small to be targeted by hackers. However, over half of cyberattacks in recent years have targeted SMBs, as they often have weaker defenses and can be easier and more profitable targets. Cybercriminals also exploit SMBs as entry points into larger supply chains.

Another misconception is that relying solely on antivirus software is sufficient protection. In reality, antivirus alone cannot detect sophisticated or stealthy threats like phishing, ransomware, or zero-day exploits. Effective cybersecurity requires a layered defense, including firewalls, endpoint protection, regular patching, encryption, multi-factor authentication, network monitoring, and employee training.

Many SMBs also underestimate the risk of social engineering attacks, which manipulate trust and urgency to gain access. SMB employees often lack the training to recognise phishing or other scam attempts, a gap that hackers exploit.

Another misconception is the assumption that an SMB's security posture is effective when it has never been properly assessed. Without proper cybersecurity planning and risk prioritization, SMBs remain exposed to data theft, financial loss, reputational damage, and regulatory penalties.

SMBs often lack the budgets to invest in robust backup and recovery solutions, which makes them more likely to pay ransoms or suffer prolonged downtime after attacks, increasing their financial risks.

Despite these risks, more than 2 in 5 respondents believe that if their organization has already experienced a cyberattack, it is unlikely to be attacked a second time. This misconception can lead to complacency and a lack of investment in cybersecurity measures.

The survey also found that the majority of respondents (4 in 5) intend to increase cybersecurity spending. The top objectives for cybersecurity investments include firewalls, protection from phishing, data protection, access control, ransomware protection, and identity management.

The average total cost of a cyberattack on SMBs is nearly $255,000, with some incidents costing up to $7 million. The highest costs attributed to cyberattacks on SMBs are investigation and recovery.

The majority of SMBs do not manage security internally, relying instead on external resources like consultants, managed service providers, and cyber insurance recommendations.

In summary, addressing the common misconceptions around cybersecurity, investing in a layered defense, and providing employee training are essential for reducing the cyber-vulnerabilities of SMBs. The survey respondents were from businesses with under 300 employees, and the survey was based on a September report.


  1. Many small- to medium-sized businesses (SMBs) believe they are too small to be targeted by hackers. This is a prevalent misconception, as over half of cyberattacks target these businesses due to their often weaker defenses and ease of access.
  2. Relying solely on antivirus software is insufficient protection for SMBs, as it cannot detect sophisticated or stealthy threats like phishing, ransomware, or zero-day exploits. Effective cybersecurity demands a layered defense that includes firewalls, endpoint protection, regular patching, encryption, multi-factor authentication, network monitoring, and employee training.
  3. Social engineering attacks, which manipulate trust and urgency to gain access, pose a significant risk to SMBs due to the lack of training among employees to recognize phishing or other scam attempts.
  4. Assuming that a company's security posture is effective without proper assessment can lead to vulnerability, as SMBs remain exposed to data theft, financial loss, reputational damage, and regulatory penalties without proper cybersecurity planning and risk prioritization.
