When people think about data breaches and cybersecurity threats, they often think about the upper echelon of organizations. They think back to the Target data breach from 2013, which cost the international company $18.5 million, or imagine skilled hackers trying their best to get into the infrastructure of the Pentagon or major government organizations.
While these large-scale attacks do happen, it’s much more common for hackers and cybercriminals to target small and medium-sized enterprises (SMEs)—even though they seem like less lucrative targets. So why is it that SMEs are such vulnerable targets in the realm of cybersecurity?
The Big Picture
Ultimately, SMEs are targeted for two reasons. First, they’re relatively easy targets, since they don’t have the same defenses that major organizations and companies have. Second, they’re potentially valuable targets, since they have access to more data and resources than an individual.
Let’s take a look at these dimensions in more detail.
SMEs Are Easy to Hack
SMEs are “easy” targets, which makes them extremely attractive to cybercriminals. Contrary to the public image, most hackers aren’t skilled technical masterminds; instead, they’re opportunists, trying to get access to whatever they can for the least possible effort.
This makes a lot of sense from a practical perspective. For starters, not everyone is willing to invest years of training and effort to gain the skills necessary to execute hacking—it’s much easier if you can get by on the skills you already have. Additionally, it makes sense that a criminal would want to get as much money or data as possible for the least amount of effort; this is what makes for a profitable operation.
In other words, hackers look for an easy job and SMEs make their job easy. These are just some of the ways they do it:
- Lack of IT support. First, SMEs rarely enlist the help of an IT support company like PalmTech.net. A good IT support company can consult with a business and help provide it with everything it needs for a comprehensive cybersecurity strategy, including both tech assets and employee training. Unfortunately, many SMEs don’t make the investment in this area, so they don’t even know what defenses they’re missing. These unknown unknowns have the power to completely compromise the SME’s security.
- Lack of firewalls, VPNs, etc. There are many products and services that can help to guard a small business against external threats, including active firewalls, virtual private networks (VPNs) and more. Each product or service has its strengths and weaknesses, but provides some level of protection against at least some types of threats—and the bare minimum is often enough to ward off would-be hackers. Even securing your Wi-Fi network with a complex password can be enough to deter threats.
- Old and obsolete tech. Some SMEs continue to use old or obsolete technologies, which make them vulnerable to attack. For example, in an effort to save money, the business may have bought a number of devices made a decade ago, not realizing that there’s a common exploit for this hardware that any thief can take advantage of. These businesses may also fail to update their software regularly, leaving it prone to attack.
- Inconsistent standards and untrained employees. SMEs often do a poor job of training employees and/or enforcing consistent standards for cybersecurity. Lax or untrained employees may choose weak, easy-to-guess passwords, or may leave their devices unsecured and unattended in public areas. This makes it trivially easy to gain access to your systems.
- Social engineering. It’s also common for SMEs to become victims of social engineering. Skilled persuaders can often get untrained employees to voluntarily give up their login credentials, or let them gain access to your internal systems. These attacks can happen in a number of different ways. For example, cybercriminals may call or email your employees, masquerading as an authority from a brand you trust; from there, they may convince the employee there’s something wrong with their account, and try to get their login credentials. Social engineering can also be used to gain access to physical devices from your employees in person.
- Believing there is no threat. Many of the items on this list are brought into existence or made worse by the fact that small business owners don’t realize how big of a target they actually are. They think that because their business is small, it won’t be targeted by cybercriminals—so they never take the threat seriously enough.
At the same time, SMEs offer much more potential value than a comparable individual. There are many possible ways to extract value from SMEs:
- Bank accounts/direct money. Though not the most common type of attack, some hackers try to take a direct route and gain access to a small business’s money or bank accounts. These accounts tend to have higher security, so they make for more difficult targets.
- Customer data. More commonly, cybercriminals attempt to target SMEs so they can get access to customer data. Depending on the type of data procured, they can resell the data for a sizable profit on secondary markets. If you store sensitive customer information, this should be a top concern.
- Ransomware and reputation. Ransomware attacks, which take systems “hostage” and pledge to release those systems if a certain payment is received, are becoming more popular. These types of attacks essentially bully SMEs into providing a direct payment to the criminal responsible for them.
Because of these significant sources of value, the easy vectors for attack look even more attractive.
It’s estimated that 43 percent of all cyberattacks currently target SMEs, and that percentage isn’t likely to go down anytime soon—especially because it’s still so common for SMEs to go undefended. If you want to minimize the possibility of your small business being targeted by cybercriminals, you have to invest in cybersecurity proactively, and put together a defense to ward off potential threats. Since most hackers are opportunists, even basic security measures will be enough to deter the majority of attempts.