Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
Cyberattacks and data breaches on small businesses seldom make headline news, even though 44% have experienced a cyberattack. In fact, 61% of victim organizations lost a minimum of $10,000, while 17% of businesses fell victim to repeat attacks.
Cyber is now considered a major threat by small businesses.
Post-pandemic, 70% of small businesses accelerated their digital transformation efforts. The more they depend on digital assets, the more exposed they are to cyber risks. According to a 2024 U.S. Chamber of Commerce survey, 60% of businesses are increasingly concerned about cyber threats including phishing, malware and ransomware. More than a quarter of small organizations believe their business will not survive a major cyberattack.
Why do cybercriminals target small businesses?
There are several reasons why cybercriminals target small businesses. Risk factors include:
• There is a lack of advanced cybersecurity measures. Small businesses have budget constraints. They lack advanced cybersecurity equipment (43% of small businesses don’t have a networked firewall) and may not employ dedicated cybersecurity staff to maintain and monitor their threat environment.
• They’re small in size but large in value. Even small businesses hold sensitive and valuable customer information like credit card information and personally identifiable information (PII) which can be monetized by cybercriminals. Some small businesses function as intermediaries, suppliers or channel partners of major corporations and might have access to sensitive systems and data at their disposal.
• Small business attacks fly under the radar. Attacks on small businesses are typically not reported. As a result, there’s a low likelihood of involvement by security, compliance and law enforcement agencies.
• They have limited awareness of risks and evolving tactics. Forty-four percent of small businesses believe that an antivirus solution is enough to protect them from all manner of cyberattacks. Two-thirds (73%) perceive that they are well-prepared to handle a cyberattack; however, 41% do not have backup and recovery systems in place.
Phishing is the main point of entry into small businesses.
It’s well known that the most common points of entry into small business environments include “phishing (53%), unpatched servers/VPN (38%), and credential theft (29%).” Phishing involves attackers impersonating a trusted organization or an individual sending malicious emails, messages, attachments and hyperlinks.
Unpatched servers/VPNs involve targeting known or unpatched vulnerabilities and using that as a mode of infiltration into the target environment. Credentials can be either phished from organizations, they can be purchased from dark web marketplaces or they can be cracked or guessed.
How can small businesses mitigate cyber threats?
Recommendations and best practices that can reduce exposure to threats like phishing, malware and ransomware include the following:
1. Conduct continuous cybersecurity training. Despite phishing being the primary vector of entry into organizations, only 48% of organizations train employees on security measures. Training employees once a year isn’t effective; users quickly forget.
Instead, organizations must do at least these two things. One, induce muscle memory and security intuition through repetitive exercises, subjecting users to simulated phishing tests. Two, send ongoing newsletters, research articles and stories to keep security best practices top of mind: the use of strong passwords, safe internet browsing habits, pausing before clicking or downloading, and alertness and vigilance.
2. Adopt a multi-tiered security model. Leverage a combination of cybersecurity tools such as intrusion prevention systems (IPS), secure web gateway (SWG), endpoint detection and response (EDR) and data leakage prevention (DLP) to alert unusual activity and block threats and intrusions as they happen. Deploy backup and data recovery systems. Use phishing-resistant multifactor authentication to stop attackers from entering the environment if they manage to gain access via stolen employee credentials.
3. Implement sender authentication protocols for email security. Sender authentication protocols, including sender policy framework (SPF), DomainKeys Identified Mail (DKIM) and domain-based message authentication, reporting and conformance (DMARC), play a big role in verifying the authenticity of email senders. By implementing these protocols, businesses can significantly reduce the risk of receiving spoofed or forged emails in their inboxes, blocking a good number of phishing attempts.
4. Plan for incident response. Regardless of how small or large the organization is or how well-implemented its cybersecurity defenses are, if a determined attacker decides to go after your organization, then it’s quite possible that they will succeed.
Therefore, keep a well-rehearsed incident response plan ready. The IRP is a roadmap for when things go wrong, containing a structured, step-by-step process for managing a security incident, from detection and containment to eradication and recovery.
5. Keep systems up to date. It is especially important that organizations update systems, software and devices with the latest firmware and patches. Software vendors and device manufacturers regularly release updates to fix vulnerabilities and bugs. If businesses continue to run these systems with outdated software, then hackers may exploit these gaps to compromise the business. Threat actors can easily leverage OSINT (such as Shodan) to discover vulnerable, internet-connected printers, routers, servers or IoT devices.
Small businesses must prioritize cybersecurity. Even if the budget is limited, businesses need to cover their security basics, update tools, consistently train employees to be savvy security evangelists and deploy incident response plans. These are simple mitigations that can go far in making small businesses more resilient against the growing threat of phishing, ransomware and data breaches.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
