Skip to main content

Cyberattacks are a predictable part of doing business, and small to midsize businesses (SMBs) are not at all immune. According to a survey completed by Devolutions, a Canadian software firm, about 43% of all known cyberattacks in 2023 were perpetuated on SMBs. These attacks threaten SMBs’ financial security and marketplace reputation–often out of proportion to similar attacks on larger businesses. The only way to remain safe in a known environment of risk is to adopt a bias for action. 

The Survey

The Devolutions survey is a wealth of information about the mindset and experiences of SMBs all over the world. For context, an SMB is any business with fewer than 1,000 employees. Small businesses employ fewer than 100, and midsize businesses employ 100 to 999. Overall, the 217 businesses surveyed felt confident that they were well-positioned against threats. But their actions made it clear that this confidence may not have been earned. 

While 80% of survey respondents say they are well-protected against IT security threats, only 60% are using essential tools like password managers, two-factor authentication, and regular user training. By the same token, survey respondents are worried about all of the same threats that concerned them in the previous year’s survey. Their top three concerns were ransomware, phishing, and malware. This ongoing worry represents a lack of action around challenges that are well-documented and not going away anytime soon. 

Not only are these threats not going away, their frequency is increasing. Nine percent more survey respondents experienced attacks in 2023 (69%) versus 2022 (60%). And a staggering 19% of respondents experienced more than five documented cyberattacks in one year. 

Even with the obvious increase in threats, SMBs are bowing to financial pressures by cutting security budgets. Depending on your market and the complexity of your business, experts recommend spending 6 to 15% of your operating budget on IT security. In 2022, 68% of surveyed businesses met this threshold. But in 2023, the compliance rate dropped to only 51%. 

Action Steps for SMBs

The first thing SMB leadership needs to do is to adjust their mindsets around cybersecurity. OpenText’s Global SMB Ransomware survey revealed that 67% of respondents either don’t believe or aren’t sure that they are ransomware targets. The fact is, that if you have a bank account and use the internet, you are a target, no matter how few employees you have or how small your revenue is. Leaders often fall into the complacency trap. Instead of relying on a “sense of security,” leaders must adopt a mindset of continuous adaptation to the reality of threats. 

Despite increased financial pressures, SMBs must make security an organizational and budgetary priority. If budgets are constrained, leaders must be highly strategic with their spend. In the Devolutions survey, 11% of respondents had no in-house or external resources dedicated to cybersecurity. Leaders at organizations in this segment need to come to terms with reality and make budgets that take their risk level into consideration. They should quantify, based on their business’s market and complexity level, exactly how much they could lose in a security breach and allocate security funding to counter the potential loss. 

Most businesses can mitigate a large percentage of their risk through basic cyber hygiene. Just as consistent brushing and flossing prevents tooth decay, a regular schedule of hygiene can keep your systems in basic working order. In addition to mandating strong passwords and two-factor authentication, a hygiene protocol should also include a cyber insurance policy and regular system backups. Just as you don’t rely only on your in-home care for dental health, your backups also need a checkup. Backup testing assures that there is no file corruption and that a backup could be successfully implemented in the case of a ransomware attack. 

More advanced moves toward a better cybersecurity posture require enhancing oversight and control. SMBs need to adopt the principle of least privilege, zero trust, defense-in-depth, and segregation of duties. Unfortunately, many businesses implement a lot of flashy tools that might cost a lot but aren’t focused on the precise nature of the company’s individual risks. Instead, they should take a risk-based approach that starts with identifying the critical information assets that need to be protected. Going down this road requires in-house or external resources that can take a broad view of the business’s needs and develop a strategy that considers a range of variables. 

Remember that security is much more than just a technology problem. A comprehensive and consistent protocol of user training must be deployed across the organization. Even without a big security budget, businesses can focus on improving employees’ knowledge and awareness by continuously upskilling. Training will empower your employees to be a link in the defense chain. 

Asylas Can Help

Remember the stat about adequate IT security spending from the Devolutions survey? Only 51% of SMBs are allocating the recommended percentage of funds to help prevent and mitigate attacks. The remaining 49% should hire external resources to meet their needs without incurring consistent overhead costs. If your SMB cannot afford to maintain in-house resources for cybersecurity, a services provider like Asylas can help close the skills gap in your organization.

Asylas provides customized information security and compliance solutions. If you are an SMB that doesn’t know where to start or if you have some security tools in place with no defined plan, Asylas can help. We provide a wide range of security services, including security posture assessments, vendor assessments, penetration testing, security awareness training, framework-based risk assessments (NIST, CIS, etc.), and much more. 

For custom information security and compliance solutions, reach out to Asylas at 615-622-4591 or email Or complete our contact form.