Why small to mid-sized businesses are perfect targets for hackers

John Roman

There are many challenges to running a business, including the countless tasks, roles and responsibilities that keep it running smoothly. High on the list of concerns for business owners is cybersecurity, because a breach can put a business at serious risk. If a hacker gains access to a business’s network, a great deal of damage can be done. Additionally, the more businesses move their operations online, the more exposed they become to cyberthreats.

Cyberattacks are a growing threat for small businesses. According to a recent Small Business Association (SBA) survey, 88% of small business owners felt their business was vulnerable to a cyberattack. Yet many businesses cannot afford professional IT solutions, have limited time to devote to cybersecurity or do not know where to begin. Cybersecurity threats are constantly evolving, and the risks are not diminishing any time soon.

Small businesses are especially susceptible to cyberattacks 

No business is immune to cyberattacks. In fact, small to mid-sized businesses account for 60% of all cyberattacks; however, only breaches of major companies make headlines. In 2020, the global average cost of a data breach was $3.92M, and it is expected to increase for the foreseeable future.

There is a common misconception among small to mid-sized business owners that, due to their size, they are unlikely to be targeted or are not “high profile” enough. This false mindset can make businesses even more susceptible to cyberattacks. Additionally, smaller businesses underestimate the value of the personal data they hold, including credit card data and passwords.

Small businesses are attractive targets because they have information that cybercriminals want and typically lack the security infrastructure of larger businesses. As more business is conducted online through cloud services, without the use of strong encryption technology, a hacker can easily access sensitive data behind a door with an easy lock to pick.   

Here are four ways small to mid-sized businesses can protect themselves against cyberattacks:   

  1. Don’t be ignorant: Oftentimes, businesses and business owners think, “it won’t happen to me,” when in reality it is not a matter of if a cyberattack will happen, but when. Erring on the side of caution is not only the safest thing to do, but it is the right thing to do. It is better to be prepared for any type of threat, breach or attack than to be caught off guard and left in a vulnerable position — one that could negatively impact your business.
  2. Plan ahead and create policies: Your cybersecurity plan should include an employee training program and an incident response plan. The first step to securing your network is to make sure your employees understand security policies and procedures. Establish basic security practices and policies for employees, and create employee and IT-related policies that are compliant with the NY SHIELD Act. Companies are considered compliant if they implement reasonable administrative, physical and technical safeguards.

Administrative safeguards include conducting risk assessments, training employees and designating a core team to oversee security programs. Physical safeguards help protect against the unauthorized access of private information at any point during collection, transportation and disposal. Therefore, businesses should create systems and policies to prevent, detect and respond to any cyberattack.  

  3. Educate employees: Cybercriminals are becoming more sophisticated in their methods, and employees are often considered “easy targets.” In fact, the majority of malware is delivered via email, putting a business at risk if an employee unknowingly clicks on a phishing email or downloads a suspicious document. Therefore, educating employees on the risks and conducting regular security training are ways to safeguard a business.

Training should not be a one-and-done event. Rather, schedule yearly or semi-yearly refresher courses to keep security top of mind. Help employees understand the importance of updating their software, using secure passwords, adopting security best practices and knowing what to do if they identify a possible security breach. In short, it is imperative that all employees know how to use company resources safely, are armed with basic email safety precautions, and can identify the red flags of phishing emails.

  4. Invest in cybersecurity software: On top of planning and training, the next step is to invest in cybersecurity software. Businesses need antivirus software that can protect all devices from malware, viruses, spyware, ransomware and phishing scams. Software should not only offer protection, but also include technology that helps you clean computers as needed and reset them to their pre-infected state. Investing in email gateways such as Mimecast, Proofpoint or Microsoft will support cybersecurity plans and tactics.

Safeguard your Internet connection by using a firewall and encrypting information. A firewall acts as a digital shield, preventing malicious software or traffic from reaching your network. There are many kinds of firewalls, but they fall into two broad categories: hardware or software. If your business has a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. 

Some firewalls also have virus-scanning capabilities. If yours doesn’t, be sure to also install antivirus software that scans your computers to identify and remove any malware that has made it through your firewall. Such software can help you contain a data breach more efficiently by alerting you to an issue, instead of leaving you to search for the problem after something has already gone wrong.

Cyberattacks are not going away any time soon and will continue to pose a threat to small and mid-sized businesses. By taking these necessary steps to protect your business, you will safeguard your business from attack, which will allow you to spend time doing what matters most — running your successful business.  

John Roman is the chief information officer of The Bonadio Group and president and chief operating officer of Bonadio’s Information Risk Management and Cybersecurity Division, FoxPointe Solutions. To learn more, visit or