
The Biggest Security Risks for Small and Medium-Sized Enterprises

By: Gry Myrtveit Gundersen | Cyber Security | 4 January

Are you working in a small or medium-sized business? Then this is important for you! Did you know that SMEs are increasingly vulnerable to cyber-attacks? These businesses usually do not have the same security focus and budget as larger companies, which makes them easy targets for cybercrime. We have gathered some data about the threats SMEs face, and what you can do as an SME to strengthen your security. 

Small businesses are more vulnerable than they think 

A common misconception among small and medium-sized enterprises (SMEs) is that they are not interesting targets for cybercriminals and therefore not vulnerable to cyberattacks. Unfortunately, this is far from the truth. In fact, data from Accenture reveals that 43% of cyber-attacks are aimed at small businesses. You might be unaware of this, as such attacks rarely make national headlines. Additionally, many SMEs choose not to report the attacks they experience. According to the European Commission's SMEs and Cybercrimes report, 44% of all cybercrimes experienced by SMEs in 2021 went unreported. 

Cybercriminals are turning their attention to SMEs 

Smaller businesses may not prioritize investments in cyber security, and they might also lack the resources needed to effectively handle cyber threats once they occur. As a result, they are increasingly falling victim to attacks. As Michael Sohn, an FBI Supervisory Special Agent, pointed out to CNBC last year, "The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture, so what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses.” 

Hiscox's Cyber Readiness Report 2022 found that while the number of attacks fell slightly for larger companies in 2021, they increased among most other size groupings "as the hackers have directed more of their attention to mid- and small-sized businesses". Companies with 10 to 49 employees saw an almost fourfold increase in the average number of attacks.

The biggest security risks for small businesses 

One of the biggest cybersecurity risks you face as an SME is social engineering. This is a strategy used by scammers to deceive victims into giving away information, money, or access to systems. These attacks target people within your company, whether they are managers or employees. A comprehensive study by Barracuda shows that employees in companies with fewer than 100 employees experience 350% more social engineering attempts than employees in larger companies.

Phishing emails 

A common social engineering technique used by cybercriminals is phishing emails. These emails are designed to trick employees into making mistakes, such as clicking on a malicious link. Research from Symantec reveals that small businesses receive the highest proportion of malicious emails, with 1 in 323 emails being malicious. 

Through these emails, cybercriminals can trick your employees into sharing sensitive information. The emails may also deliver malicious content such as ransomware, malicious software that locks your computer or encrypts important files. To regain access to the content, the cybercriminal demands that you pay a ransom. According to Trend Micro, 8 out of 10 successful ransomware attacks are targeted at small and medium-sized businesses.

60% of SMEs shut down after cyber attacks  

Once a cyberattack succeeds, it can cost small businesses dearly. Many SMEs do not have an incident response plan in place beforehand. This means that the attack might cause greater financial damage than necessary. On average, small and medium-sized businesses spend $1.6 million recovering from a phishing attack. 60% of such businesses are forced to shut down within 6 months after falling victim to a data breach or cyber-attack. 

So, what can you do as an SME to strengthen your security? 

Security awareness training for small businesses 

The European Union Agency for Network and Information Security (ENISA)’s first piece of advice to small and medium-sized businesses is to create a good cybersecurity culture in the workplace. Their second piece of advice is to provide regular security awareness training to all employees to ensure they can recognize and handle various cyber threats.  

We have seen that the cyber threats SMEs face are largely aimed at the people in the organization. Creating awareness among your employees about these threats goes a long way in reducing human errors, making your company much more resilient to cyber-attacks. 

We are happy to help  

At CyberPilot, we want to help small businesses improve their cybersecurity. That is why we offer awareness training for employees. Through our awareness training we have helped hundreds of small businesses create a strong security culture in their organizations. The training consists of short online courses covering various cybersecurity topics. It is easy to implement, and we will support you every step of the way. If you are interested, you can try our courses for free for 14 days. 

We also offer phishing training. Through simulated phishing attacks, you can test your organization's preparedness against phishing and train your employees to detect and report real attacks. Book a free demo with one of our phishing experts here. 

Cybersecurity does not need to be resource-intensive. Reach out to us if you want to learn more – we are happy to help.