Stats & Trends
Jack Danahy
Oct 2015

The Surprising Reason Small Businesses Are Big Targets for Cyber Attacks

Photo by Ryan McGuire

Note: This post is a sneak peek of material from our Getting Started Guide to Cybersecurity.

Big public breaches and the reporting around them can lead us to believe that companies get hacked because someone, or some organization, is specifically targeting them for their secrets, their users, or their financials. As a result, smaller companies feel that they are relatively safe, simply because they have so much less to offer.

While I was meeting with a technology group last month, one IT director summed it up, “We really don’t have much that is very interesting, so why would anyone bother?”

Unfortunately, current statistics and the most successful attack techniques show that this conclusion is dangerously false. In fact, smaller companies have as much need to prioritize their own security as any other business of any size.

Startling Statistics

In November of 2013, the Ponemon Institute surveyed the small- and medium-sized business (SMB) market and found that 58% of SMB management does not see cyber security as a major issue. A National Cyber Security Alliance survey revealed that 77% of SMB owners believed they were safe from cyber threats.

Nothing could be further from the truth, and the reality is eye-opening:

  • In 2014, 60% of all targeted attacks struck small- and medium-sized organizations. (Symantec)
  • 1 in 2 businesses surveyed by the National Small Business Association in 2014 reported being victims of cyber attacks.
  • 60% of SMB cybercrime victims go out of business within 6 months of an attack (NCSA)

How do attackers have time to seek out so many individual small businesses? The answer is they don’t, nor do they have to.

Hacks in Sheep’s Clothing

In August, a major attack campaign was executed through Yahoo against its roughly 6.9B monthly visitors. According to reports, hundreds of thousands of visitors were exposed to malware through the Yahoo advertising network, and an estimated 27,000 users were infected per hour. Here is how it worked:

  1. Attackers created ads of the type that pop up in your browser window when you do a search, or visit a website. These ads, though, weren’t simply selling something: They contained malware.
  2. These ads were presented within Yahoo visitor browsers according to the usual rotation and algorithms.
  3. The ads contained an exploit kit which then exploited the user machine and installed its payload of malware.

Yahoo is not alone: Organizations as diverse audiences as Forbes,, and Google have all been used as mules to carry advertising-enabled malware (malvertising) to their visitors and users.

The visual below created by Malwarebytes provides another great explanation of how malvertising works:

Crimes of Opportunity

While this style of attack is growing in popularity, it is just one of many types of attacks that are broadly directed and indiscriminately applied.

Legitimate websites get hacked, and malicious code is served up from them. Phishing campaigns attack lists of contacts simulating outreach from banks, retailers, or government agencies.

Why are cyber attacks on small businesses increasing? The surprisingly simple answer is that, for many attackers, company size doesn't matter.

In more and more cases, the victims of today's cyber attacks are not targeted because of where they work, they are just vulnerable places to land.

These infections can be thought of as crimes of opportunity for the organizations involved. The attackers do not premeditate the identity of their would-be victims, but the user systems, once corrupted, phone home to tell the attackers where the infection has landed. The malware then begins to take orders. It will fetch valuable data, offer a platform for additional attacks, or simply watch and listen until something interesting presents itself.

When the corrupted system is in an SMB, however, the impact is most severe. Lacking the security infrastructure of larger firms (who typically invest in monitoring, intrusion detection, and incident and event management systems), the SMB breach is often long-lived and seldom detected prior to real damage being done.

What to Do?

IT directors and security managers at smaller companies need to go to their management armed with these facts and show them that their limited size and assets will not protect them from attacks. 

These breaches begin with exploits that are blind to their targets, but the lack of security investment by small businesses can actually make them more attractive targets for additional attacks, as the attackers know they are far less likely to be discovered and disturbed.

For all of these reasons, security investment at small businesses has got to be reevaluated. Today, companies of all sizes are exposed to a very similar set of dangers. Small businesses must abandon the false comfort of their relative obscurity and take control of the active protection of their data and their livelihoods.

3 Security Advantages Small Businesses Should Leverage

The good news is that once aware of their top security challenges, small businesses can actually have a simpler time getting more secure than large companies with big staffs and bigger budgets.

  1. Better visibility & less noise: Because of their lower number of machines, they can watch them more closely without flooding a management system.
  2. More customizable: Because the organization tends to be a little flatter and more centralized, security policy and culture can be developed and delivered in a way that is tailored to the specific needs of the individual areas of business.
  3. More direct buy-in from employees: Lastly, it can be easier to inspire all employees to participate in the security of the whole, and that will ultimately pay the highest dividend.

Smaller doesn’t inherently mean safer, but it can mean smarter, more streamlined, and quicker to adapt.

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

See how Barkly blocks attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.