Why SMBs Are Easy Targets for the Bad Guys

As malicious hackers turn up the heat, small and medium businesses can’t remain complacent — the threats to their security are real and growing worse all the time

During a recent business dinner, I wound up sitting beside the owner of a logistics company who confidently confided that his 6-person business was just too small to hack.

His firm annually grossed somewhere in the high 6-figures and the anti-virus software he had installed on the company PC’s and internet router offered more than enough peace of mind for him. This isn’t the first time I’ve heard this argument from owners of small and medium-sized businesses (SMB). But it’s still cause for concern because the threats to their security are real and growing worse all the time.

Yet despite the sharp growth in attacks, there’s still too much complacency among SMBs. When the subject turns to cyber security, some SMBs think that they’re too small to get hacked. Others believe that they can get by just fine with free anti-virus software. I’ve heard some even comment that their iPhones are “inherently secure” or that their employees rarely access company data from their phones anyway.

Whether companies have 1 or 100 employees, they still need to put in place basic protections. As you go about evaluating whether you’re equipped to stop a cyber attack, ask yourself these questions:

Do I sell to big enterprises?

When criminals try to break into a business’s network, they tap every virtual “window” or “door.” If they can’t break in, they move on to the next one. If your biggest customers have locked all of their doors, you, as the SMB connected to that big business, might get targeted. And if an SMB gets hacked, or be required to take some immediate actions if that leads to a breach of their clients. Compounding matters, new data protection regulations coming into law in Europe this May means that government authorities will be able to impose hefty new fines for any data breaches.

Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive. But this will be superseded by the new legislation to protect personal data known as. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the European Union.

Even if they haven’t already, larger enterprises that SMBs serve are beginning to require those SMBs to comply with their enterprise security guidelines. For many reasons, far smaller companies are needing — and nearly required — to have the (cyber) defenses expected of their far bigger partners.

How many “things” access the Internet?

When I ask SMBs to count the number of devices in their businesses that connect to the Internet, they usually underestimate that number by as much as a factor of 3. They may count laptops and personal computers. But they often overlook the fact that their employees regularly use personal phones and tablets to access business data. What’s more, there are any number of other devices — in fact, anything connected to the Internet — that represent a potential point of entry for a virtual “break-in” into your business.

The growth of the Internet of Things (IoT) is ushering in an era where there will be a constellation of connected devices.. Indeed, an IoT device can be compromised within two minutes of connecting to the Internet. And unlike breaking through a door or window of a physical office, there’s no real alarm, unless your security software is professional enough to detect the attack.

How many of your employees are trained to prevent cyber attacks?

Have your people been trained properly? More than half of all. It only takes one employee who clicks on a bad website, opens a malicious email link or falls for a social engineering ruse to let an intruder into your network. Cyber defense requires both great products and employee awareness but without both, SMBs put themselves at risk. Just as companies need to enforce rules around sexual harassment, privacy, and the prevention of work-place violence, they can’t treat cyber security as an afterthought. It’s critical to get this right.

SMBs face enough challenges just tending to the running of their businesses. They don’t need to add a cyber breach to their to-do list. You’ve heard the adage, “Pay now or pay later.” Investing the time and resources now will pay off in the long run — and avoid potentially a lot of pain in the future.

What do you need to protect your business? I’ll be examining how SMBs should arm themselves against cyber attacks in another blog in this same space next month. Please share this with anyone who may benefit. You can always contact me @

If you liked this topic, you may be interested in the below:

Symantec Endpoint Protection Cloud

Easy to use security-as-a-service for organizations with limited IT security resources:

Warning: Mobile Threats Love Organizations of All Sizes: