Many hackers are shifting their focus from large enterprises to small businesses.

Small business owners frequently assume that hackers have little interest in attacking their organizations – “after all,” they reason, “what data do I have that a hacker could consider valuable?”

They are terribly wrong.

In fact, today, about half of all cyberattacks target small businesses.

Information security often takes a backseat to other issues that small business owners face,business owners can likely dismiss information security concerns as applying only to larger organizations. That is because small business owners frequently hear news reports about huge data breaches like those that happened at Yahoo   they may incorrectly assume that hackers only pursue companies with huge volumes of valuable data; such a notion is simply not true.

When it comes to information security, no business is too small. Small businesses increasingly find themselves the focus of attacks directly targeted against them and designed to steal funds, information and customers.Furthermore, the trend towards targeting small businesses is likely to continue – small businesses have become, in the eyes of many hackers, more attractive targets than larger enterprises. Here are some of the reasons:

1. SME have valuable data.

Contrary to many people’s perceptions, the majority of small businesses store either financial information that can be used for fraud, or personal details that can be used for identity theft – i.e., they have data that criminals want.

2. SME can provide hackers access into many other small businesses.

Small businesses often use services from other small business – and those offerings may not be secure. In some cases, competing small businesses may even utilize the same service from the same provider – which, can lead to all sorts of security problems.

3. SME owners pay ransoms.

Nearly every small business has computer-based data that it needs in order to operate, and few have the capability to independently recover from a ransomware attack, so small business owners are likely to pay ransoms if hackers encrypt critical data and demand money to restore access to it.

4. SME often lack adequate cyber-defenses.

Small businesses rarely have the defenses that large businesses have – so while the reward to a hacker may be smaller if he or she breaches the “little guy” than if he/she hacked a major corporation, the odds of actually achieving a reward are often much greater. To put it simply, smaller businesses are frequently much easier to hack than larger enterprises.

5. SME provide hackers access into larger enterprises.

Small businesses supply larger enterprises with goods and services – information gradually collected from small business systems may be a hacker’s golden ticket into a larger enterprise. The massive Target breach of just a few years ago, for example, began when a hacker exploited the access that the retail giant provided to an HVAC contractor.

6. It is likely a lot easier to get away with hacking a SME than a large enterprise.

Small businesses are far less likely to have security personnel and technology in place to detect an attack as it occurs, and are less likely to have technology creating and protecting audit logs and other data needed to both perform forensic analysis and establish admissible evidence. As a result, someone attacking a small business is much less likely to get caught, arrested, and punished than someone who attacks a large business. Criminals know this – and some who would never risk trying to attack, for example, might have no qualms about trying to hack a mom-and-pop retail outlet. The likelihood-of-being-brought-to-justice imbalance is further exaggerated by larger firms having much greater political clout and access to law enforcement than smaller businesses, coupled with the fact that small businesses are far more likely to fail as the result of a breach – meaning that some folks who might otherwise have pursued legal action against hackers simply do not have the time and resources to do so, or may “move on” to other jobs and not “dwell on the past.”


  1. Knowledge is the most effective weapon any small business can wield against cybersecurity risks. In the great linen hack of our times, companies could easily  protect itself by as simple changing the vendor default password. That simple precaution might prevent the breach of more than 1,000 clients records and avoided a drawn-out legal battle with their competitor.
  2. Small businesses should complement education-training efforts with a strong array of technical controls designed to minimize risk.
  3. At a minimum, small businesses should ensure that they leverage strong passwords, automatic updates for applications and operating systems, hardware firewalls, and encryption for their wireless network. This simple array of controls will go a long way toward defending against many cybersecurity threats.
  4. Similarly, small business owners and employees must be aware of the risks posed by social engineers, who use highly targeted spear phishing attacks to fool employees into revealing sensitive information. Modern attacks are quite sophisticated and leverage internal information, branding, and industry knowledge to manipulate unwitting targets into believing the legitimacy of an attack message.