Why do Cybersecurity Attackers Target SMBs?
The news is full of information about successful cyberattacks against large corporations and government agencies, which makes it seem like attackers avoid small businesses. In fact, more than two-thirds of all cyberattacks are directed against companies with fewer than 1000 employees. Your business is right in the crosshairs. Without adequate defenses or full-time information security professionals, you are a tempting target for attackers. How will they get you?

SMBs Focus on Core Competencies First, Security Second
Small business constitutes a major force in the U.S. economy. There are more than twenty-seven million small businesses in this country, and they generate about 50 percent of our gross domestic product (GDP), making them a large and attractive target for nefarious actors. It’s also a huge misconception to say that small or medium businesses are not technically savvy or early adopters of new cybersecurity technology. SMBs fully understand the need to join the digital transformation, focusing on values such as flexibility, adaptability, and scale. As such, SMB IT budgets are expected to grow by 7.5% in 2021. The issue is that information security isn’t separate from IT. For SMBs, information security is usually a line item within the overall IT budget, and these line items aren’t large. A recent study suggests that almost 40% of SMBs have less than $1000 allocated for information security. Over 30% of SMB security professionals say that their budgets aren’t large enough to sustain a robust cyber defense. Other barriers to information security include:
- Employees who won’t follow security policies (24%)
- No time to learn about new threats (13%)
- Not enough people to build secure systems (12%)
- Limited experience (11%)

Bad Actors Have Multiple Attack Vectors
Let’s say that your business has $1000 that can be used to prevent cyberattacks. This means that you’re faced with two questions: If so, can your attacker extract more than $1000 worth of damage? The answer to both these questions is yes. Your attacker can defeat you for free (that is, without spending a single resource other than time) and can exact an extremely punishing toll. Here’s one scenario: One of the applications on your computer is out of date and needs to be updated. With limited manpower, your IT department just hasn’t had time to patch it. In its unpatched state, this outdated application contains a vulnerability, and one of its ports is exposed to the public internet without your even knowing it. An attacker uses a port scanner to learn the application’s version number and identifies its vulnerability. They use a free copy of Metasploit to generate an exploit for that vulnerability, and they now have root access to your vulnerable application. From there, the attacker has several options. They can steal all of the information from that application, and they probably will. They can use their toehold on your network to scan for other vulnerable applications. They can drop malware, steal user credentials, exfiltrate your customers’ personal information, and more. They can do all of this without spending any money, they can cost you an average of $200,000 per attack, and they can mostly bypass any security tools that you’ve already implemented, including firewalls and antivirus.