Small- and medium-sized businesses are vulnerable to cybercrime

By Carly Devlin, CISA, CISSP, Managing Director, Clark Schaefer Hackett

Large-scale cyberattacks like SolarWinds and Colonial Pipeline make international headlines. But the bigger organizations aren’t the only ones at risk for devastating breaches.

A recent study from the Ponemon Institute indicated that 63% of SMBs worldwide experienced a data breach during fiscal year 2019¹. Another study found that 43% of small businesses lack a cybersecurity plan². Hackers examine the trends too. They know where to hit SMBs to exploit gaps in security.

Limited resources + growing threats = greater risk for SMBs

SMBs often have fewer resources to devote to cybersecurity — a 2017 study published by the Better Business Bureau found that 28% of SMBs cited a lack of resources as their top obstacle to achieving cybersecurity goals. In addition, 27% of SMBs said that they lack the necessary expertise in house to achieve their goals.

Additionally, the threat landscape is more complex, with cyberattacks taking on many forms. We hear a lot about phishing attacks, data breaches, and ransomware. These common cybercrime tactics become more sophisticated as businesses get better at fighting them.

Resist the myths: these misconceptions can wreck your cybersecurity posture

Many companies have dangerous blind spots when it comes to cybersecurity threats. As a business leader, you set the tone for your business. If you understand the common misconceptions that prevent companies from properly protecting themselves, you can help shape the culture of your organization and avoid catastrophe.

1. My business is too small to be attacked

Although SMBs have less valuable data than a large corporation, they’re not safe from cyberattacks. Most businesses retain personal information like credit card numbers, protected health information, and personally identifiable information, which can be used to perpetrate identity theft and other damaging scams.

2. Most hackers aren’t dangerous

It’s easy to think of a hacker as a bored teenager working from their parents’ basement and looking to wreak havoc. While amateurs certainly exist, they are far outnumbered by specialized cybercriminals who operate like business owners – highly organized, disciplined, and focused on a desired outcome. Cyberthreat actors are often well funded and able to enact highly sophisticated schemes and tactics quickly and ruthlessly.

3. Firewall and antivirus software is the only protection I need

Antivirus software and a firewall are important components of any cybersecurity strategy. However, they have limitations. Today’s threat actors can outsmart legacy technologies, making it impossible to detect a problem before it’s too late. Additionally, continuous security monitoring requires 24/7 staffing. It’s a big mistake to over-rely on technology without having adequate staff in place to run it.

4. The authorities will save us if an attack occurs

Do not make the mistake of thinking that the authorities will come to save the day. Unfortunately, there are far too many cybersecurity incidents for law enforcement to pursue. If law enforcement is involved at all, the highest priority is likely given to the most severe attacks. Most SMBs are on their own when it comes to protecting their companies from and responding to cyberattacks.

5. It won’t be hard to recover after an attack

The average cost of a cyberattack is more than $188,000 for small businesses (according to Symantec). However, that doesn’t include the hidden costs: legal fees, lost productivity, losing the trust of your customers or, worse, losing the entire business. There is no way of estimating the full damages if a cyberattack occurs.

So, what actions can business leaders take to define their company’s cybersecurity posture and protect it from a threatening landscape? The answer is leveraging technology, people, and processes to build a cybersecurity framework that can reduce the risk and severity of an attack.


¹Ponemon Institute, 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, October 2019


For more information, contact Carly Devlin at 877-671-7100 or

Clark Schaefer Hackett is a Goering Center sponsor, and the Goering Center is sharing this content as part of its monthly newsletter, which features member and sponsor articles.

About the Goering Center for Family & Private Business

Established in 1989, the Goering Center serves more than 400 member companies, making it North America’s largest university-based educational non-profit center for family and private businesses. The Center’s mission is to nurture and educate family and private businesses to drive a vibrant economy. Affiliation with the Carl H. Lindner College of Business at the University of Cincinnati provides access to a vast resource of business programing and expertise. Goering Center members receive real-world insights that enlighten, strengthen and prolong family and private business success. For more information on the Center, participation and membership visit
