Four Ways That Small Businesses are Out of Their Depth on Cybersecurity

Image credit:

A common misconception of those new to cybersecurity is that only the largest of companies fall victim to cyber attacks. It would certainly seem that way if you got all of your tech news from TV. According to FireEye, 42% of small and mid-sized businesses do not see security as a big issue. Yet 77% of cyber attacks happen to these businesses!

Those 42% are more at risk than they think. What’s more, the effects of a cyber attack can be far more damaging to them.

Here are some ways that small businesses are especially vulnerable to cyber attacks, and why they should care.

1. Small businesses lack the resources for cybersecurity.

Small businesses don’t have risk management departments. They don’t have armies of security specialists. They don’t have the money to afford common cybersecurity solutions. Cyber criminals know that this is true, and can label small businesses as an easy target.

A study conducted in Feb 2020 reveals that 43% of small businesses lack any cybersecurity plan. On top of not having the resources to prepare for a cyber attack, a lot of them don’t even have the resources to see how the attack happened or what even happened.

2. Small businesses do not see cybersecurity as an issue.

According to a survey from BullGuard, almost 1/5 of small businesses experience a cyber attack, yet over 60% of surveyed small business owners think that their business isn’t a likely target. This doesn’t make sense because anything online that has value is worth attacking. There are no businesses with valuable info stored online that won’t be a potential target for a hacker.

3. Employees are not educated on social engineering tactics.

Small businesses are subject to many types of attacks, such as ransomware, malware, virus, stolen credit cards, or brute force. One of the most common attacks for these businesses are phishing attacks.

A phishing attack is a social engineering tactic where the hacker fools its victims into opening some sort of email or message. They are then prompted to enter confidential information about themselves, like a username and password. If these credentials open the door to an administrator account at the victim’s workplace, things can go downhill quickly. Phishing can also be a gateway to ransomware, which takes the entire company’s infrastructure hostage and asks for money.

Anyone who has used the internet has probably heard not to click on suspicious emails, yet phishing is still the most common kind of cybercrime according to the FBI. This statistic becomes more believable when you consider that 50% of small businesses don’t have cybersecurity training, according to BullGuard.

4. The cost of an average cyber attack has increased.

IT infrastructures are becoming more complex to meet today’s needs, and more value is stored in these digital environments. The more value that is stored in the databases of these small businesses, the more there is to lose. A report by IBM states that the average cyber attack costs small businesses $7.68 million dollars.

When an attack occurs, your business may experience a load of legal trouble, especially if the compromised data wasn’t defended properly. Assigning blame for security breaches is not black and white in the United States, but generally, the owners of user data are liable when a breach occurs. The less measures taken to avoid such disasters, the more liable the company will be.

Why do small businesses stay vulnerable?

We at SafeHouse believe that the root of the problem is education. As we have already seen, small businesses don’t seem to comprehend the severity of the issue, and they often fall prey to common social engineering tactics. The truth is: very few people know about the world of cybersec beyond vague news reports of billion-dollar corporations getting breached, and not everyone can afford to hire an IT staff.

A consequence of this ignorance is that even people who understand the threat can’t decide on which solution is right for them. Small businesses that decide to protect themselves might be overpaying or might be using a sub-par product. Moreover, once the product is purchased, the user may not know how to set it up properly!

In future blog posts, we hope to demystify the world of cybersecurity so that businesses and individuals can navigate these hurdles.

What can a small business do?

There are many simple things that a small business can do to protect themselves from cyber threats that do no involve a lot of setup. The following pointers do not necessarily involve installing new software, but they are super powerful!

  • Two factor authentication — when logging into a service, the client may be asked to provide extra information to validate his/her account credentials. These include personal information known only to the client or a special key sent to the client by phone or email.
  • Back-up files — many attacks on databases don’t aim to retrieve information. Some simply destroy the data within, as was the case with the “Meow” Virus in 2020. Businesses should back up their files and databases in case a disaster like this occurs. Some database engines allow you to do this. You can also backup your data to the cloud with services like Carbonite.
  • Obey the Principle of Least Privilege — only give special privileges (e.g. access to data and OS operations) to those who are supposed to use them. This is the best way to prevent insider threats and accidental leaks.
  • Use Strong Passwords and Update Them Regularly — this should go without explanation! If passwords are the key to infiltrating your system, they’d better be impossible to guess.

While the items listed above may be good best practices for security, it is usually necessary to install third-party software to protect your infrastructure, whether it be a Firewall, an Antivirus, or an Intrusion Detection System (IDS). At SafeHouse, we are creating one such solution that aims to help small businesses in particular. If you enjoy what you read, give our site a visit at

Freedom through decentralization