Top Cybersecurity Threats Facing Small Businesses Today

With so many potential risks to cybersecurity, it is no surprise that data protection is a top priority for many small businesses in the U.S. When a business evaluates its cybersecurity position, it is worth looking at it from three angles:

  • Layered defenses
  • Technology-based solutions on-premises
  • Internal cloud technology

Employee awareness, best practices, and internal policies are also factors when mitigating risk to sensitive data. Small businesses need to be particularly careful when it comes to protecting themselves against cyberthreats. Most of the time, they do not have the infrastructure to support robust protection systems, training, or staffing. When danger is at the doorstep, they must often work harder to prevent and contain the situation. As a small business owner or IT leader, what are the most common cybersecurity threats you should be aware of? Continue reading to find out.

Some key takeaways

According to the most recent census data available, there are 30.7 million small businesses in the U.S. which account for 99.9 percent of all U.S. businesses. Cybercriminals have plenty of options.

Just because your business is small does not mean it is safe from attack. Small businesses are as much a target as large businesses are. Cybercriminals now often employ automation, meaning that they can attack several small businesses at once.

The cost to small businesses is anything but small. According to data shared by Expert Insights, businesses with fewer than 500 employees lose approximately $2.5 million per cyber attack. This can be a devastating hit. Small businesses must ask themselves - is the cost of sustaining a cyberattack less than the cost of setting up adequate protection systems? The answer is almost always "no".

According to data collected by Atlas VPN and shared by Forbes, by the end of November 2020, Google had already registered 2.02 million phishing websites for the year. This figure represents an alarming rise to the tune of 19.91% over 2019. On average, there were 46,000 new phishing websites created each week. This statistic further reinforces the notion that there is no time for rest when it comes to a cybersecurity defense system.

As a small business, what should you be keeping an eye on when it comes to cyberthreats? Here are the top security threats impacting small businesses today.

Ransomware

Ransomware is a type of malware that encrypts a victim's files. The attacker will then demand a ransom to restore access to the data. Payment is required to obtain a "decryption key". Financial demands can range from a few hundred to hundreds of thousands of dollars. Larger organizations are often slapped with the largest demands, given their financial capability and the mass amounts of data they often store.

This type of attack is the most prevalent when it comes to small businesses. You might have thought that cybercriminals would want to go after the big corporations that house more data, but those corporations tend to have better cybersecurity safeguards in place. Impacting many small businesses can often lead to returns that equal or exceed impacting one large corporation. Of course, automation has made a cybercriminal's job easier by allowing for the attack of many small businesses simultaneously.

A short story of a small business caught by surprise:

Jason, the Chief Financial Officer of a small business in Kentucky, recounts a recent ransomware experience. He has chosen to use his first name and exclude his company name for security purposes. The business is home to just eight PCs. On a Saturday night at 10:30 PM, an employee alerted Jason and others to a suspicious email noting that the company was under attack. Upon further investigation, it was revealed that ransomware had infiltrated the corporate systems.

Jason was forced to pay $150,000. A large chunk of change for a small business, but a bit of a "win" considering the initial demand was $400,000. An outside IT company let him know that they were lucky to be forced to pay such a small amount. The group responsible for the ransomware attack often asks for payments in the $1 million to $10 million range and rarely attacks small businesses. Jason consulted with another outside company to settle the payment in Bitcoin, since acquiring that volume of cryptocurrency would be difficult for someone who does not already have it in reserve. Though there is very little to laugh at in such a situation, a laugh was shared amongst staff when the cybercriminals provided a 1-800 number to call after the ransom was paid to help recover files! You can read the full story and interview at TechRepublic.

Phishing

Phishing is a type of fraud in which an attacker, disguised as a trustworthy entity, attempts to obtain sensitive information such as credit card details, usernames, passwords, and more via email.

Whether in a personal setting or a business setting, we have all received legitimate-looking emails from companies, most often banks, asking us to urgently log in to provide additional personal information or update credit card details. Some of these emails look so legitimate that even well-trained eyes in the IT industry may be fooled; without analyzing the granular details of the message and its links, most people would never know the difference. This tactic is working. According to the Canadian Federation of Independent Business, for the period from March 2020 to the end of that year, more than 80 percent of businesses that experienced a cyberattack say it came through email scams and phishing. Cybercriminals find great success in the phishing tactic since many employees, even those with a good level of tech knowledge, overlook the fine details of the scam.

What should you be looking for when it comes to phishing scams?

  • Beware of shortened links - hover your mouse over buttons within the email to reveal the redirect link.
  • Pay attention to grammar and punctuation - typos, words in capitals and exclamation marks are all signs that the email is not legitimate.
  • Is the email urgent or threatening? - most people, especially other businesses, would like you to engage with their emails, but they won't place an unreasonable level of urgency on you to do so.
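The manual checks above can be turned into a simple screening script. The example below is an added illustration, not code from the original article; it assumes a constructed sample message, an assumed list of URL-shortener domains, and a deliberately simple anchor matcher rather than a full HTML parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a suspicious HTML email body (not a real message).
SAMPLE_EMAIL = """
<p>URGENT: Your account will be SUSPENDED within 24 hours!!!</p>
<p>Please <a href="http://bit.ly/3xyzabc">log in at https://bank.example.com</a>
to verify your details.</p>
<p>Or contact <a href="https://support.example.com/help">support</a>.</p>
"""

# Assumed list of URL-shortener domains; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENT_PHRASES = {"urgent", "immediately", "suspended", "within 24 hours"}

# Simple anchor matcher, sufficient for demonstration (not a full HTML parser).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html):
    """Return (href, visible text) pairs for each anchor in the message."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def check_email(html):
    """Apply the article's manual phishing checks and return the findings."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).netloc.lower()
        if host in SHORTENERS:
            findings.append(f"shortened link: {href}")
        # The visible text names one host while the real destination is another.
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    plain = re.sub(r"<[^>]+>", " ", html)
    lowered = plain.lower()
    if any(p in lowered for p in URGENT_PHRASES):
        findings.append("urgent or threatening language")
    if "!!" in plain or re.search(r"\b[A-Z]{5,}\b", plain):
        findings.append("shouting: capitals or repeated exclamation marks")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample message the script reports the shortened link, the mismatch between the displayed bank address and the real destination, the urgent wording, and the shouting, which are exactly the four signs listed above.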

Malicious insiders

Employees, contractors, or other insiders with malicious intentions can share an organization's data or intentionally engage cyberattackers. In other cases, an employee may not have malicious intentions, but could unintentionally expose a small business's information to the wrong individuals. Both cases present danger to an organization.

IT leaders do not always suspect their employees to be engaging in this type of behavior. This means that it can often take longer to investigate and identify a source in this scenario.

As part of the most recent Insider Threat Report, conducted by Cybersecurity Insiders, it is noted that 68% of organizations feel moderately to extremely vulnerable to insider attacks. This number is staggeringly high, considering employees should be a business's most valuable asset - not their greatest detriment.

According to the same report, organizations are not overly confident in their abilities to monitor malicious insiders.

Image courtesy of Cybersecurity Insiders

What can small businesses do to stifle data loss caused by insiders?

When it comes to intentional data loss caused by internal actors, the best defense is for IT leaders to consider employees as part of the equation when conducting an investigation.

Unintentional data loss caused by employees is almost always a result of a lack of proper training. Cybercriminals are getting more sophisticated. Regular training sessions conducted by IT leaders can help keep everyone up to speed on the latest trends. Although there are bound to be situations missed by employees, this can certainly help reduce the frequency and severity of instances.

Although no cybercrime is ideal, a small business can track down the root cause more easily than a larger business, because of the smaller number of employees working for it.

A subtle reminder for small businesses:

What should you do in a particular situation? What is missing from your cybersecurity plan? This handy graphic offers a gentle reminder to IT leaders and employees about the best cybersecurity practices available for small businesses. Print it out or save it to your desktop for quick reference.

Image courtesy of LE VPN