The Top Cyberattacks on Small & Medium Businesses

Not long ago, it seemed that cybercriminals were mainly targeting large companies. As bigger targets, they may have more gaps to sneak through, and often more data and reputation at risk. But times have changed, and many of today’s small- and medium-sized businesses (SMBs) know this is no longer the case. In fact, some reports indicate that the number of cyberattacks on SMBs is significantly higher than the number on larger companies. According to a 2021 study, small businesses experience 350 percent more social engineering attacks than large businesses.

To make matters worse, it is challenging for SMBs to recover from a cyberattack given their limited resources. A recent report revealed that a cyberattack on an SMB created losses of more than $2.5 million, on average. In addition to the steep financial damage, these smaller businesses must navigate the serious reputational damage that often results from these attacks – which sometimes may be too much to recover from.

With all of these things working against SMBs, it’s no wonder that cybercriminals are changing their focus. They know these business leaders tend to have limited resources when it comes to IT security, which may mean they have less rigorous defenses, as well as less time and manpower to apply toward cyber protection. And this makes them appear to be much easier targets for hackers.

But this doesn’t have to be the case. To help lessen the risk of cyberattacks on SMBs, it’s critical to understand some of the most common threats they face and how to best stay protected.

Phishing Scams

One of the most widespread and damaging threats facing small and medium businesses is phishing. Phishing not only accounts for 90 percent of all breaches that organizations face, it also accounts for more than $4 million in business losses. These scams, in which attackers pretend to be a trusted contact or site, have become smarter and more targeted in recent years. Once a cybercriminal successfully lures a user into clicking a malicious link, downloading a malicious file, or handing over sensitive information, account details, or credentials, they can unlock the door to far more company data.

To avoid these types of cyberattacks on SMBs, companies should provide their users with comprehensive cybersecurity training. Tips should include:

  • Always ensure the sender and email address match, and verify all links before you click them
  • Double-check with senders to ensure they actually sent the email
  • Verify the legitimacy of emails via your IT team
  • Never post or email sensitive/personal information online
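The first tip above (make sure the sender and email address match) can be turned into a simple automated check on a raw From: header. The code below is an added example, not Proficio's own tooling; the contact list, the domain names and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed contact list for the example: the addresses your users legitimately talk to.
KNOWN_CONTACTS = {"jane.doe@acme-example.com", "payroll@acme-example.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header: str, known_contacts=KNOWN_CONTACTS) -> list[str]:
    """Return the reasons a From: header looks spoofed; an empty list means no finding."""
    display, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.split("@", 1)[1]
    known_domains = {c.split("@", 1)[1] for c in known_contacts}
    findings = []
    # 1. An address written into the display name that differs from the real sender.
    for shown in EMAIL_RE.findall(display):
        if shown.lower() != address:
            findings.append(f"display name shows {shown} but mail is from {address}")
    # 2. Display name that reads like a known contact while the address is someone else's.
    for contact in known_contacts:
        tokens = [t for t in re.split(r"[._\s-]+", contact.split("@", 1)[0]) if t]
        if all(t in display.lower() for t in tokens) and address != contact:
            findings.append(f"display name resembles {contact} but address is {address}")
    # 3. Sender domain within two edits of a domain we know (typosquatting look-alike).
    if domain not in known_domains:
        for kd in known_domains:
            if edit_distance(domain, kd) <= 2:
                findings.append(f"domain {domain} looks like {kd}")
    return findings
```

A mail filter or help-desk triage script can run this over the headers of a reported message and surface the findings to the IT team alongside the user's report.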

Cybersecurity training for employees is a critical step, but it’s also good to have your backend configured well for if and when an attacker breaks into your organization. Such measures include:

  • Ensuring you consistently back up data
  • Maintaining software updates and patches
  • Using an email filtering program
  • Developing protocols to verify suspicious communications, and how users can report them (also part of employee training)

Ransomware

Ransomware is the type of malware most people are familiar with. Once installed, it prevents users from accessing their systems and files and demands payment to regain access. The data it locks up, which typically includes passwords, files, databases, credit card details, personal information, or other valuable assets, is critical to a business, so once the ransomware activates, businesses scramble to get back online. These types of cyberattacks on SMBs are commonly spread through email spam and network attacks.

According to a recent study, 84 percent of SMBs are concerned about a ransomware attack impacting their business, and 60 percent are not confident, or only somewhat confident, that they can fend off a ransomware attack.

Your best offense is a strong defense. While it’s not always possible to stop these attacks, there are some things you can do to catch them before they cause too much damage. Setting up endpoint security and antivirus software is a good starting point, as long as you ensure they are kept updated. More importantly, having monitoring set up helps you catch the early signs of an attack, so you can stop the malicious behavior before it does serious damage. If you don’t have the team in-house to support this 24/7, look for a security partner who can help you improve your security defenses.

Insider Threats

The actions of current and former employees, contractors, vendors, partners, and associates can lead to devastating results if not properly managed. Many of these individuals have access to vital company data, which if in the wrong hands, can cause harm to your organization—either by accidentally clicking a malicious link or intentionally stealing or leaking company data. Studies found that 60 percent of data breaches were caused by insider threats, and the current average annual cost of an insider threat is more than $11 million.

Building a strong culture of education and cybersecurity awareness within an organization is an important step to blocking insider threats. Additionally, organizations should have a thorough new hire screening and off-boarding process, and create security policies and use cases to detect misuse of company resources.

Weak Passwords

While the recommendation to set a strong password has become commonplace, the number of individuals using weak passwords is still high, making this another problem that makes it easy for cybercriminals to attack SMBs. In fact, studies show that 59 percent of professionals use their name or birthdate in their password, and 43 percent regularly share their passwords.

This is why many of today’s businesses are choosing to implement multi-factor authentication (MFA) technologies. This second layer of protection forces users to employ more than just a password to access business accounts. It’s not foolproof (and surprisingly, a lot of businesses still haven’t implemented it), but it does help to prevent identity attacks. In addition, it is essential to implement and enforce a strong password policy: passwords should consist of more than 12 characters, include random numbers, symbols, and letters, and be changed on a regular basis.

Protecting Your Business

While there are many different cyberthreats out there, there are several ways you can reduce the likelihood of a cyberattack on your SMB. If you don’t have the internal resources to stay protected, Proficio can help. We tailor our security services to help SMBs mitigate the risks of cyber threats, so you can be confident your organization is protected.

To learn more about how Proficio can help your organization stay safe, contact us.
