
Why cybersecurity needs to be taken more seriously by SMBs

Lloyd Cartwright |

March 1, 2021


A Rising Concern for SMBs

Cyber attacks and data breaches are a huge concern for SMBs globally. Until 2015, the majority of cyber attacks targeted large global enterprises. However, the last 5 years have seen a massive upward trend in attacks targeting SMBs.

If that in itself weren't hard enough, the impacts of a cyber attack on an SMB are proven to be catastrophic. Apart from major disruption to systems and business operations, other consequences of a cyber attack include loss of reputation and customer trust (especially if customer data has been compromised) and the significant cost of fixing the problem. Many SMBs close down within 6 months of a major cyber attack – this is the severity of the issue.


The Ponemon State of Cybersecurity for SMBs Survey showed that roughly 2/3 of the world’s SMBs are experiencing regular cyber attacks through a variety of different threat vectors. Some of these include viruses and malware, social engineering, phishing, hacking and DDoS attacks.



Explaining the shift of cyber crimes towards smaller targets

A number of reasons have contributed to the surge of cyber attacks on SMBs.


The Risk of Digital Transformation in SMBs

Like most large global enterprises, smaller businesses are now on a digital transformation journey, employing new technologies hooked into cloud, social media, mobile and IoT. While digitisation opens a world of possibilities for new revenue streams and efficiency, it also expands the ‘attack surface’ beyond traditional IT infrastructures and deployments. Hackers now have new targets to exploit.


Lack of Dedicated Cyber Security Skills

A recent survey conducted by PwC found that 73% of SMBs do not have a dedicated cybersecurity team.


The “It will not happen to us” mindset

Cybercriminals do not discriminate. Data is data. Where there is low-hanging fruit, hackers only need to exploit ONE vulnerability, which could lead to large-scale cyber attacks.


Poor Training and Cultural Awareness

Cyber security is as much about people and culture as it is about technology. The biggest vulnerabilities will always be human error and poor cultural awareness. Security training within SMBs tends to be IT-centric, with little focus on instilling the right mindsets and behaviours to identify (for example) phishing attacks. 57% of global SMBs fell victim to phishing attacks in 2020. These attacks are increasing not just in frequency but in quality as well, becoming more difficult to identify before it's too late.



Reducing the Risk of Cyber Attacks for SMBs

While there is no silver bullet solution for preventing cyber attacks, there are a number of ways SMBs can improve cyber preparedness and resilience:

  1. Cyber is not just an IT issue… it's a board level risk! Even for an SMB, the board and executive team must play an active role in any cyber resilience programme.

  2. Recognise that good cyber security is about people and culture, not just technology and tools. Focus on instilling the right behaviours and mindsets, as opposed to ticking the boxes with masses of completed training courses.

  3. Identify your high value assets and data. What do you have that is of value to hackers? Where is it stored and how is it being protected?

  4. Cyber threats are evolving, becoming more complex and persistent. Many SMBs tend to focus on traditional preventative tools such as antivirus, email or web filters, which will only go part way to protecting your organisation. Explore the use of more advanced monitoring tools that will help you detect anomalous activity and respond more effectively.

  5. "We are confident we are fully prepared for cyber attacks!" But are you? If your SMB were to experience a cyber attack tomorrow, how effectively would you respond? Which systems would you recover first? How would you deal with the press/media if it came down to it? These are all questions you can answer through testing your cyber response plan (also called a table-top exercise).

  6. Recognise that not all cyber threats are external. 43% of data loss stems from internal employees who either maliciously or unknowingly give cybercriminals access to your networks through social engineering.

  7. Keep software up-to-date and ensure that back-up processes are not only in place but also working effectively!


Remember, cyber maturity is not a destination, it’s a journey. You will never be 100% cyber resilient. SMBs will need to adapt and adjust to the cyber threat landscape as it evolves. Cybersecurity is here with us forever.





Written by Lloyd Cartwright

Lloyd Cartwright has a diverse background in the field of cybersecurity and risk management. He began his career as a Cyber Security Analyst and Cyber Security Technologist at Barclays in 2018. Later, in 2021, he transitioned to Finning, where he worked as a Security Risk and Compliance Analyst. Currently, Lloyd holds the position of Senior Solutions Architect at 6clicks. At 6clicks, Lloyd contributes to building resilient cyber, risk, and compliance programs powered by AI. His expertise helps organizations streamline compliance, manage risk profiles, and confidently engage with vendors. With a passion for sport, reading, and music, Lloyd brings a holistic perspective to his work, emphasizing the importance of open forums and agile responses in today’s fast-changing world.