October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives to the IT team to end users. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.
There’s a common misconception that cybersecurity threats do not concern small and medium-sized enterprises (SMEs). In fact, 61% of small business owners are not concerned about falling victim to a cybersecurity attack, and only 5% named cybersecurity the biggest risk to their business.
But the notion that SMEs are not vulnerable to cyberattacks is false. In reality, SMEs are targeted just as frequently as (if not more frequently than) their larger counterparts. A 2021 survey found that 42% of small business respondents had experienced a cyberattack within the last year. Security threats are a problem for all businesses, and effective security is a critical component of stopping breaches and ensuring SME success.
SMEs Are Not Immune to Cybersecurity Threats
People often assume that adversaries wouldn’t be interested in SMEs because they wouldn’t have enough to gain from going after them. After all, security solutions can be expensive, and SMEs have things to do — usually with tight timelines, lean teams, and limited resources. Why allocate time and resources toward something preventative when they have pressing things they need now?
But size and face value aren’t the only factors that contribute to a business’s likelihood of being attacked. In fact, some businesses aren’t chosen for their resources at all, but rather fall victim by chance, or as a casualty in a larger attack. And the data shows that SMEs are now targeted at almost the same rate as enterprises are.
The following are some of the most common ways SMEs become cyberattack victims.
Unwilling Test Subjects
Cybercriminals function just like legitimate businesses: they strategize and test before rolling out new tactics to optimize their efforts. When cybercriminals develop new tactics, they aren’t likely to try them out for the first time in a high-profile attack. Instead, they usually do their testing on small, nondescript businesses whose defenses they expect they can overcome.
Supply Chain Attack Casualties
Some attacks hit several organizations by infecting the supply chain. In these attacks, cybercriminals usually compromise a large vendor’s product, software, website, or other asset. The infection spreads when partners, customers, and other third parties access the compromised asset. While these attacks often start with larger vendors, they trickle down the supply chain to impact many other organizations, and SMEs often end up becoming casualties.
Stepping Stones to Larger Targets
Cybercriminals may also infiltrate an SME as a stepping stone on their way to a more high-impact target. Attacks may aim to conduct reconnaissance on the target or infect the target through the SME in another form of supply chain attack. SMEs that partner with larger enterprises are more likely to fall victim to this type of attack.
Likely to Cooperate
When large enterprises are attacked, they often (though not always) have the resources to recover, even if they can’t reclaim all their lost data, assets, and relationships. However, this isn’t quite so frequently the case with SMEs. With tighter budgets and finite resources, an SME being shut down after an attack is a real possibility. Adversaries know and exploit this: with more to lose in an attack, SMEs are more likely to cooperate. For example, cybercriminals often demand lower ransoms in ransomware attacks on SMEs, aiming for a price point that the SME can afford and, therefore, is likely to pay.
The Consequences Can Be Severe
Okay, so SMEs aren’t immune to attack. But would an attack really be the end of the world?
For many businesses, the answer is yes: 21% of companies have had their solvency materially threatened by a cyberattack.
And the dangers are often higher for SMEs than for larger organizations: SMEs are not only vulnerable to attack, but they’re also susceptible to highly damaging ramifications. This is largely due to some commonalities among SMEs, including their limited resources and IT environments. The following are some common SME traits that can cause cyberattacks to hit harder.
- Underinvestment in cybersecurity. Because SMEs often don’t see themselves as targets, they tend to allocate resources to other areas before investing in security. This can leave their defense and response measures (including tooling, processes, and experience) underdeveloped, making attacks easier for adversaries to mount and carry out without detection or counteraction.
- Limited IT and security personnel. SMEs don’t often have the level of security-dedicated personnel and expertise at hand that enterprises do. For example, 64% of companies with fewer than 100 employees do not have a CISO, and 52% of companies with 100-5,000 employees don’t have a CISO. This lack of available security expertise can make attacks harder to defend against and respond to. In addition, IT teams at SMEs often have significant workloads, disjointed communication, and sparse documentation, which can create oversights that make an attack less likely to be caught or stopped.
- IT sprawl. IT sprawl is a common side effect of SMEs’ fast pace, which can pressure IT to make quick rather than strategic tooling decisions. While this problem-solving approach works in the moment, it can result in a plethora of poorly integrated and overlapping point products over time. This makes for a messy and sprawled environment where elements don’t integrate or communicate well, creating communication and visibility gaps. In turn, these gaps can make adversaries’ jobs easier and lower the chance of detection after infiltration.
- Distributed cloud environments. Most SMEs have made their way (at least partially) to the cloud. However, this move to the cloud isn’t always accompanied by sufficient security adaptations. For example, SMEs commonly implement Bring Your Own Device (BYOD) policies to save on the cost of issuing devices to every employee, but securing personal devices can be difficult, and SMEs don’t always invest in the necessary mobile device management (MDM) tools to secure personal devices. In another example, some SMEs continue to use a perimeter-based security approach rather than adapting to secure devices and identities, or focus on endpoint security while neglecting cloud infrastructure security.
In addition, businesses often assume that the standard security that cloud service providers (CSPs) include is enough on its own. However, these standards aren’t tailored to individual companies, and they are not robust enough to provide reliable security on their own.
Adversaries are aware of these limitations and sometimes exploit them. For example, adversaries know many SMEs have sprawling IT environments, and they look for these gaps in visibility and control to aid in their attack and avoid triggering alerts on their activity. Similarly, cybercriminals know that most SMEs operate during typical business hours (9 a.m. – 5 p.m.) and don’t have the resources for 24/7 monitoring. Thus, they often mount attacks after hours to maximize their chances of success.
What Can SMEs Do to Protect Themselves?
Security can feel a bit unattainable to the average SME. Many of the solutions seem to be geared toward enterprises, which means they come with enterprise-level price tags. SMEs can’t afford to stop everything they’re doing to focus on security, but they also can’t afford to skip security completely. How can they strike the balance?
Fortunately, enterprise-level security solutions aren’t the only ones out there, and not every solution requires a purchase. There are small, cost-effective actions SMEs can take to significantly improve their security as well as long-term solutions for shoring up defenses without siphoning budget and resources away from other projects.
To explore SME-friendly solutions to powering both business and security at once, download the whitepaper written by JumpCloud and CrowdStrike, Combining Business Priorities and Security: Choose Your Own Adventure.