Are SMBs underestimating cyberattacks?

Aaron Bugal, Field CTO APJ, Sophos

In a digital-first world, where cybercrimes dominate headlines, organisations and individuals may experience data breach fatigue – desensitised over seeing such news repeatedly. This “it won’t happen to me” mindset remains pervasive among many small and medium businesses (SMBs), fuelled by the belief that their size makes them unappealing to attackers. However, this perspective is increasingly dangerous.

According to the Singapore Cybersecurity Agency (CSA) Cybersecurity Health Report, 46% of businesses and 49% of non-profit organisations cite the perceived ‘unlikelihood of being targeted’ as a barrier to adopting security measures. Unfortunately, SMBs have discovered the hard way that they are far from exempt.

SMBs face the same threats as larger enterprises but are often more vulnerable due to a lack of experienced cybersecurity staff, underinvestment in cybersecurity solutions, and smaller IT budgets. While the amount of ransom demanded from SMBs is generally less than what’s available from larger businesses, the higher success rate of an SMB attack makes it very appealing to cybercriminals.

The 2024 Sophos SMB Skills Gap Report revealed that in 74% of ransomware attacks against SMBs, attackers successfully encrypted data — a stark reminder of the risks. Compounding the issue, 75% of SMBs struggle to remediate incidents promptly, and the recovery costs can be devastating, forcing many to shut down their businesses permanently.

Cybercriminals are acutely aware of these weaknesses and have placed SMBs firmly as big targets.   

Cybercrime goldmine

With the collection and use of data growing exponentially now that almost every business from your local gift shop to the neighbourhood laundromat has a digital footprint, the key reward for cybercriminals is data. This is particularly true for SMBs as they often rely on one service or software application, per function, for their entire operation. This creates interconnected vulnerabilities. For instance, compromised credentials in an accounting software can grant hackers access to critical financial data, causing a cascading effect of breaches. 

And this is a growing threat. According to Sophos’ 2024 Threat Report, nearly 50% of malware detections for SMBs include keyloggers, spyware, and stealers that attackers use to steal credentials and data. This stolen information was then used to gain unauthorised remote access, extort victims, and deploy ransomware.

Skills shortage hit SMBs the hardest

91% of ransomware incidents and attacks began outside standard business hours. And yes, the same SMB Skills Gap Report demonstrated that during 33% of this time, SMBs have no one actively monitoring, investigating, and responding to security alerts.

This lack of expertise and manpower exacerbates the risks. The research revealed that 96% of those SMB IT professionals find investigating security alerts challenging. Adding to the pressure, separate research commissioned by Sophos revealed 82% of organisations reported increased burnout among IT teams, with 32% acknowledging that this exhaustion undermines diligence in performing their cybersecurity roles.

Shields-up defences

Enhancing cybersecurity within SMBs begins with a paradigm shift. Cybercriminals exploit assumptions that SMBs are less prepared, and without sophisticated, modern security tools and solutions. Proving them wrong requires strategic investment in the following areas:

  • Educate staff: Provide regular training on identifying and responding to threats
  • Enforce multifactor authentication (MFA): Secure all external-facing assets
  • Regular patching:  Keep software and network appliances up to date
  • Adopt SaaS solutions: Move complex, hard-to-manage systems like on-premise email servers to cloud-based platforms
  • Leverage managed services: Partner with managed detection and response (MDR) solutions providers to ensure 24/7 threat monitoring by seasoned cybersecurity professionals

SMBs must also recognise that the interconnectedness of their platforms and software increases the potential for widespread damage from a single breach. Therefore, it is imperative they take the necessary steps to reduce their risk factor and aim to be the unexpected business that is prepared to defeat cyberattacks. 

For SMBs, staying safe isn’t impossible. With comprehensive planning, thoughtful investment, and a paradigm shift toward cybersecurity readiness, even the smallest businesses can reduce their risks. In doing so, they not only safeguard their operations but also defy the expectations of cybercriminals, proving that no target is too small to be prepared.

Previous articleTop influencers of APAC online shopping revealed
Next articleHalf of Singapore workers feel uncomfortable admitting AI usage at work