As the dust and excitement of the 1990’s brief, and strange blip of cyberculture and cybersex settled, a new term entered the English Lexicon. According to Ben Zimmer ( as cited in Newitz, 2013) the earliest recorded use of the term “cybersecurity” was in 1989 when the fad of adding “cyber” to any word made it seem futuristic and interesting. But the reality and disenchantment with the subculture briefly disappeared while the dark side of the internet where adversaries exploit vulnerabilities grew.
Today the word cybersecurity covers techniques to ensure system availability, integrity, and confidentiality of systems and data (ITU-T, 2008). It is at the forefront of our daily news. We hear about massive data breaches, government data leaks, state-sponsored espionage, denial of service attacks, identity theft, computer viruses, and more. However, what doesn’t always make the headlines or almost never, are cyberattacks on small and medium-sized businesses.
Small and medium-sized businesses (SMBs) are not immune to cyber-attacks. In fact, a vast majority of criminals have turned their focus to SMBs. First, attacks on SMBs bring less attention. Secondly, most of these businesses do not have a plan of action in place or the resources and infrastructure to detect and prevent these attacks. ESET’s (global leader in cybersecurity) (2022) SMB Digital Security Sentiment Report informs us that over two-thirds of SMBs experienced a data security incident. To add, researchers at cloud security Barracuda Networks (2022) point out in their report that businesses with less than 100 employees are three times more likely to be targeted when compared to larger organizations. In fact, they are likely to experience 350% more attacks based on social engineering than their larger counterparts. ESET’s (2022) report portrays some of the top cybersecurity concerns which ranged from malware, web attacks, ransomware, third-party security issues, denial of service, and remote desktop protocol attacks.
A lot of these terms may seem like technical jargon, but ultimately these attacks bring financial losses, reputational damage, data leaks, legal and compliance penalties, loss of customers, and in extreme cases complete business closures. These results should be easy translations for senior business stakeholders of the SMBs. These can affect everyone, and everyone is everyone! Cybercriminals do not discriminate based on your location, industry, or size. Any valuable data is just another opportunity for them. This is why cybersecurity should not be a luxury or afterthought for SMBs, it’s not easily solved by ticking a box.
In order to truly be effective SMBs should understand the “why” and “how” to approach cybersecurity. However, we must understand the challenges and realities. As new technologies are introduced the spike in cyberattacks increases, but SMBs have fewer resources and security expertise which leaves them more vulnerable. Despite the fact that there is no immediate return on investment like advertising, it should be looked at more as an approach to reduce the probability of severe events in the future as we move towards a more digitally centered age.
As such SMBs should focus on:
- Employee Cybersecurity Awareness and Training – Frequently, employees lack awareness of how to recognize potential threats, what steps to take upon detecting an attack, and their responsibilities in mitigating and rebounding from such incidents. Training them on how to recognize and report suspicious activities, how to handle sensitive information securely, and the importance of following security policies and procedures can effectively tackle these concerns. It fosters a culture of security within the organization. When cybersecurity becomes a shared responsibility and a part of everyday practices, employees are more likely to make security-conscious decisions, follow policies, and adopt secure behaviors. This collective effort strengthens the overall security posture of the organization.
- Understanding Cybersecurity Investment – Becoming aware of threats and vulnerabilities that are currently in cyberspace is the first step towards a better cybersecurity approach. Nevertheless, this awareness should also instill the notion that one must invest in order to detect and mitigate these threats. Research by Capgemini Consulting (2017) points out that 74% of customers would be prepared to move to a competitor if there was a security breach. As a result, investing in training, hardware or software technologies, legal knowledge, or security experts should not be seen as an immediate return on investment. Rather it should be seen as a way to reduce the probability of catastrophic events, or even losing customers while maintaining cybersecurity as a top priority.
- Proactive Approach to Cybersecurity – News outlets typically cover actions involved after cyber-attacks that have taken place, and most of these are fixes/solutions for the damages that have been done. This is a reactive approach. However, there are the concepts such as those described by Craig, Shackelford, & Hiller (n.d) of “active defense” and “proactive cybersecurity” that take measures before incidents take place. These have always been rooted in military traditions, however cyber defense mechanisms that proactively mitigate attacks can be applied to the private sector. Proactive approaches to cybersecurity “alleviate, delay, and even prevent incidents from arising in the first place” (Almahmoud, Yoo, Alhussein, Farhat, & Damiani, 2023). SMBs should not wait until a major attack or event takes place, instead, they should always be proactively planning and embracing better security practices.
- Business Disasters & Recovery Plans – Nevertheless, no matter how much investment, training and awareness campaigns, and proactive approaches to cybersecurity an SMB takes, there’s still always a risk. Newer threats emerge every day, and it’s just a matter of time before new vulnerabilities are exploited. That is why it’s important to plan for when not if. Having a recovery plan ensures and demonstrates that an SMB is serious about taking care of its assets and even its customer’s data. It builds confidence and trust between businesses and customers and further elevates one’s reputation. But most importantly, this plan outlines the steps involved for the SMB on how to recover from the disaster, ranging from executing responsibilities and the resources needed to implement it. According to Dobran (2018), 93% of businesses that have no disaster recovery plan are out of business within one year.
To sum it all up, cyberattacks occur every day, and if you’re the owner of an SMB you’re a direct target. Perhaps your business won’t make it on the headline of a newscast, but it will likely suffer from the damage inflicted by exploitations of an attack. Nevertheless, the reality is that not all SMBs have the resources to implement defense mechanisms as Fortune 500 companies. But it is important to have some sort of investment into cybersecurity that will not only prevent losses of data, but one that can be seen as a strategic business growth opportunity that will rival competitors with a competitive advantage. A good cybersecurity approach can enable SMBs to offer better services and attract new customers who then become more aware of the importance of data privacy and protection. This then serves as a forefront posture for the business that offers cybersecurity as a deeply embedded element integrated into the organizational culture. As owners of SMBs, one should look at cybersecurity as a strategic business priority and not a box-ticking exercise.
Almahmoud, Z., Yoo, P.D., Alhussein, O. et al. A holistic and proactive approach to forecasting cyber threats. Sci Rep 13, 8049 (2023). https://doi.org/10.1038/s41598-023-35198-1
Barracuda. (2022). Spear Phishing: Top Threats and Trends. Retrieved from https://www.barracuda.com/reports/spear-phishing-report-7
Capgemini Consulting. (2017). The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure. Retrieved from https://www.capgemini.com/consulting/wp-content/uploads/sites/30/2017/07/privacy-and-cybersecurity-in-fs_dti-research-report.pdf
Craig, A., Shackelford, S., & Hiller, J. (n.d). Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis. Retrieved from https://dlc.dlib.indiana.edu/dlc/bitstream/handle/10535/10249/SSRN-id2573787.pdf?sequence=1&isAllowed=
Dobran, B. (2019). 2020 Disaster Recovery Statistics That Will Shock Business Owners. Retrieved from https://phoenixnap.com/blog/disaster-recovery-statistics
ESET. (2022). ESET releases new SMB research, finds businesses lose hundreds of thousands of euros in data security breaches
I.T.U.-T. (2008). X.1205: Overview of cybersecurity. https://www.itu.int/rec/T-REC-X.1205-200 804-I
Newitz, A. (2013). Th Bizarre Evolution of the Word “Cyber”. Retrieved from https://gizmodo.com/today-cyber-means-war-but-back-in-the-1990s-it-mean-1325671487