SMBs are the Perfect Candidates (for Hackers to Exploit)

May 23, 2022

A report by the U.S. National Cyber Security Alliance estimated that 60% of all small to medium-sized businesses (SMBs) fail within six months of a cyberattack.

According to Towergate Insurance, SMBs often underestimate their risk level, with 82% of SMB owners saying they are not targets for attacks. Researchers attribute this to the belief that they "don't have anything worth stealing." That belief is a fallacy: every business holds customer records, payroll data, e-mail accounts and banking access that can be monetized, and attackers scan for weak targets automatically, so being small is no protection. These businesses become perfect candidates for hackers.

Take the steps below to make your organization a not-so-perfect candidate for hackers to exploit.


It is much easier to prevent an attack than to recover from one. Once ransomware has encrypted, and often also exfiltrated, your company's data, recovery is a lengthy and arduous effort, and paying the ransom guarantees neither that you get the data back nor that stolen copies are deleted. A key part of prevention is security awareness training: educating employees about security basics, personal cybersecurity hygiene, and how to recognize phishing and other malicious attacks.

Cyberattacks cost an average of $3.8 million each, and global cybercrime is estimated to cost $6 trillion in the next decade. Training employees in cybersecurity best practices is far cheaper than recovering from the incident an untrained employee lets in.


Cheap GPU hardware and leaked password lists let attackers test billions of guesses per second against stolen password hashes, so short or predictable passwords (a name, a date, a dictionary word with a digit on the end) fall within seconds. This is something to consider the next time you think about using your grandma's name as your password. As a conventional recommendation, use a longer password of at least 12 characters composed of a mix of numbers, symbols, and upper and lowercase letters, never reuse it across services, and use a password manager so that length is not a burden to remember.
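To make the point concrete, here is an added example (it is not from the original post) in Python that estimates the worst-case exhaustive-search time for a password at an assumed guess rate and checks a candidate against the policy above, plus a screen against known-breached passwords, which NIST SP 800-63B recommends. The guess rate, the breached-password sample and the usernames are assumptions constructed for the example.

```python
import string

# Constructed sample of a breached-password list for this example; in practice
# screen against a real corpus such as Have I Been Pwned's Pwned Passwords.
BREACHED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "grandma1", "welcome123",
}

# Assumed attacker speed: guesses per second against a fast, unsalted hash on a
# commodity GPU rig. Real figures vary with the hash algorithm and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = {
    "lowercase letters": string.ascii_lowercase,   # 26
    "uppercase letters": string.ascii_uppercase,   # 26
    "digits": string.digits,                       # 10
    "symbols": string.punctuation,                 # 32
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password (spaces and non-ASCII are ignored)."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every class the password uses."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def brute_force_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive search over the password's alphabet and length.

    This is an upper bound: dictionary and rule-based attacks find predictable
    passwords (names, dates, leaked strings) far faster than this estimate suggests.
    """
    return charset_size(password) ** len(password) / rate


def check_password(password: str, username: str = "", min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in a breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the "grandma's name" password and a 14-character mixed one.
    for pw in ("grandma1", "Vq7#mLp2$wRz9!"):
        print(f"{pw!r}: exhaustive search <= {brute_force_seconds(pw):.3g} s; "
              f"problems: {check_password(pw, username='alice') or 'none'}")
```

The exhaustive-search figure is deliberately the attacker's worst case; the breached-list check is what actually catches "grandma1", which a dictionary attack would try long before any brute force. Note that for the short password the bound is minutes even before the dictionary is consulted, while the 14-character mixed password is out of reach of exhaustive search at any realistic rate.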

Although a strong password is a good starting point, implementing multifactor authentication (MFA) is the single most effective enhancement. MFA requires the user to present two or more independent verification factors (something you know, such as a password; something you have, such as an authenticator app or hardware security key; something you are, such as a fingerprint) to gain access to a resource such as an application or system, and it is a core component of a strong identity and access management (IAM) policy. Because a stolen or guessed password alone is no longer enough, MFA significantly decreases the likelihood of a successful attack using compromised credentials. Where possible, prefer app-based or hardware (FIDO2/WebAuthn) factors over codes sent by SMS, which can be intercepted through SIM swapping and phished in real time.


Everyone makes mistakes, including the best-trained staff. Installing anti-virus and anti-malware software on every computer, together with e-mail filtering, adds a layer of protection for the moment someone does open a malicious attachment or follow a phishing link. Phishing is a social engineering attack designed to steal data and login credentials, so endpoint software should be paired with the MFA described above, which blunts the value of any credentials that are phished.


In the same way you lock the door when you leave the office, protect company laptops with strong passwords and full-disk encryption, so that a lost or stolen device does not expose the data on it. Laptops issued to employees who leave must be retrieved promptly and their accounts disabled. Everything you use at work is a possible gateway into your company, so protect it with passwords (and MFA where possible).


Patch! Patch! Patch! According to Centrify, more than 80% of hacks are caused by outdated software. Anti-virus and anti-malware programs, operating systems, browsers, office applications and network devices are all only as good as their latest patches; skipping updates leaves known, publicly documented weaknesses for attackers to exploit. Enable automatic updates wherever the vendor offers them and keep an inventory of the rest so nothing is forgotten.


Hackers don't waste resources attacking "just anyone"; they go where the "information goldmine" is. Think about where that is in your company. Is it your employees' personal and payroll information? Your customer database? Your intellectual property? Answering "where is the goldmine in my organization?" tells you which systems and accounts need the strongest controls and the closest monitoring.


Attackers aim to disrupt your business, and ransomware does so by making your data unavailable. With an offline backup, one that is not continuously reachable from the network and so cannot be encrypted along with everything else, you can get running again while cyber experts deal with the fallout; without one, an attack can shut the organization down outright. NIST recommends that organizations back up both user-level and system-level information consistent with their recovery time and recovery point objectives. A backup you have never restored from is not a backup, so test restores regularly.


In a time when businesses have so widely embraced BYOD (Bring Your Own Device), companies need a documented BYOD policy focused on the security precautions that keep those devices safe and secure, including the ability to remotely wipe company data from a lost or stolen device. Small businesses should also require employees to enable automatic security updates and apply the company's password (and MFA) policy to every mobile device that accesses the network.

Aronson provides a number of services to assist organizations with addressing critical cybersecurity gaps or areas of improvement. We conduct cybersecurity assessments against industry best practices and established frameworks. We can also assist with implementing a robust cybersecurity program for your organization and/or providing remediation support to address specific security controls or practices.

Contact our Cybersecurity Advisory team to discuss how we can assist.