5 Common Cybersecurity Challenges for SMBs


The most common cybersecurity challenges for SMBs (small and midsize businesses)–what are they, and what steps can you be taking to minimize them?

Today, the ethical hackers at Packetlabs are outlining the top 5 cybersecurity challenges SMBs face in 2023 and beyond… and how you can start mitigating their risk.

The Top Cybersecurity Risks in 2023 and Beyond

Contrary to popular belief, small and medium-sized businesses are equally at risk of cybersecurity breaches as large enterprises. No organization is too small–or too large–for threat actors to target.

Here are just some of the stats that SMBs in common industries should be considering:

  • General: Businesses across multiple industries with less than 500 employees lose on average $2.5 million per attack in direct financial losses alone

  • Healthcare: Healthcare organizations around the globe averaged 1,463 cyberattacks per week in 2022, up 74% compared with 2021–and this number is only growing in 2023 and beyond

  • Government: Compared to 2018, the US government’s cybersecurity budget has increased by $583.1 million, with Canada following suit 

  • Technology: 69% of small businesses report that they do not strictly enforce password policies, SaaS companies included 

  • Ecommerce: Cyberattacks have become “modern bank heists”, with nearly 70% of ecommerce-based businesses reporting a significant increase in ransomware since 2021

  • Law: Since 2020, the number of North American law firms impacted by cyberattacks has risen to one in four

What’s behind this spike in cybersecurity risks? For SMBs, the answer is two-tiered. The first factor is that, thanks to advances in technology, it is easier than ever for threat actors to automate attacks. With this automation, hundreds–if not thousands–of organizations can be targeted in one fell swoop. Because SMBs generally have less-fortified cybersecurity measures in place, they are often prime targets for such automation.

The next is tied to the rise of remote and hybrid workers. Through public WiFi, a lack of password protection, social engineering, and more, workers are often unknowingly putting their organization’s data on the line–and the consequences are often monumental.

So what are the top cybersecurity challenges for SMBs, and how can you start circumventing them? Let’s dive in.

#1: Ransomware is a Top Threat for Small Businesses

Did you know that 55% of ransomware targets small businesses with 100 employees or less?

Because even the smallest of organizations can handle large sums of money, confidential information, valuable customer data, or key infrastructure, there is no such thing to threat actors as a non-lucrative target. This is especially true in law and healthcare, where small businesses often work with larger companies–and can be used as a gateway for cyberattacks that target those larger companies.

The Solution: Evaluate your organization’s readiness for a ransomware attack via ransomware penetration testing. Alongside a 360-degree analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374)–and a technical assessment of security controls–a full penetration test is conducted to measure the strength of your organization’s systems.

#2: Healthcare is the Industry Most Targeted by Cyberattacks

Healthcare organizations across North America continue to be the most-targeted industry for data breaches for the third consecutive year–with no signs of the pattern stopping.

Below are the most targeted aspects of healthcare organizations in 2023 and beyond:

  • Patients’ medical history (including conditions, treatments, and diagnoses)

  • Medical insurance account numbers

  • Medical provider accounts

These targets remained steady across small-to-large healthcare businesses and organizations.

The Solution: A cyber maturity assessment works to provide a “health check” on an organization’s cybersecurity and provide a roadmap towards betterment. This includes both mandatory cybersecurity compliance and action steps toward accomplishing regulatory, contractual, and stakeholder requirements.

#3: Phishing Attacks Are Targeting Your Employees

One of the most common cybersecurity risks in 2023 is phishing. With phishing now accounting for 90% of all data breaches, its growing sophistication has caught a significant portion of remote and hybrid workers off guard–leading many of them to forfeit valuable information (such as passwords and financial access) over the phone or via email.

Whether clicking on malicious links, downloading files that compromise their business devices, or providing sensitive information verbally, the negative impacts of phishing can wreak havoc on an organization’s financial and reputational well-being.

The Solution: Employee Awareness Training regarding cybersecurity risks has never been more crucial, especially regarding business email compromise. With threat actors mimicking key stakeholders, executives, or other employees through easily-findable information posted online, keeping your employees up-to-date on security best practices is non-negotiable. Reach out to our team today for zero-obligation recommendations on how to get started.

#4: Over Half of SMBs Reported That It Took 24 Hours to Recover From a Breach

Website downtime results in the loss of business, client trust, customer loyalty, and, often, a significant portion of an organization’s finances. Despite this, however, 51% of small businesses reported that their website was down for a minimum of eight hours following a data breach–and that it took them, on average, over 24 hours to start recovering from one.

In addition, the same report stated that 55% of polled North Americans would be less likely to continue doing business with organizations that were breached and took over 24 hours to recover.

The Solution: When it comes to cybersecurity (and combating slow recovery times), the best defense is a good offense. Red teaming works to assess potential attack paths before threat actors do, saving your organization time, money, and reputation.

#5: Organizations With Less Than 500 Employees Report An Average Financial Loss of $2.98 Million Per Cyberattack

Last but not least, outdated cybersecurity is the top risk for SMBs in 2023 and beyond–and is costing SMBs upwards of one million dollars per cyberattack.

Since cybercriminals assume that SMBs invest less in their cybersecurity (and that most don’t have up-to-date cyber insurance), organizations with less than 500 employees are frequent targets of cyberattacks–and are often the least financially prepared for one. At worst, a successful cyberattack can put an unprepared SMB out of business.

The Solution: Small steps, like enabling multi-factor authentication (MFA) for all stakeholders, can deter baseline cyberattacks. MFA provides an extra layer of security when users log into a business-related account, whether in the form of SMS codes, tap notifications, or biometric checks (like a fingerprint or facial scan). We recommend you get a quote today for in-depth recommendations on how to keep your specific digital spaces safe.

SMB Cybersecurity FAQs

“How much does a cyberattack cost an SMB?”

For SMBs, a data breach can cost upwards of $2.2 million.

“How does a small-to-medium-sized business avoid being the victim of a cyberattack?”

Enabling baseline cybersecurity measures (such as MFA and consistent Employee Awareness Training), alongside partnering with a reputable penetration-testing-as-a-service company, are effective measures SMBs can employ to avoid being victims of data breaches.

“What are the best cybersecurity practices for small-to-medium-sized businesses?”

Some of the top-recommended cybersecurity practices for SMBs are as follows:

  • Train employees in security protocols

  • Provide firewall protection

  • Curate a mobile device action plan

  • Back up important information (and thoroughly destroy all information-related documents when they are no longer needed)

  • Secure your WiFi networks

  • Limit employee authority regarding installing software

  • Mandate MFA

“What are the most common cyberattacks on medium-sized businesses?”

Phishing, ransomware, and malware make up the top three most common types of cyberattacks on medium-sized businesses.

“How many cyberattacks target small businesses?”

Nearly 50% of cyberattacks specifically target small businesses.

“What are the most targeted industries for cyberattacks?”

Healthcare is the most-targeted industry for cyberattacks and has been since 2020.

“What are the top cybersecurity statistics for SMBs in 2023?”

  • 51% of small businesses have no cybersecurity measures or cyber insurance in place

  • Employees working at SMBs experience a 350% increased likelihood of being victims of social engineering than those at large enterprises

  • Almost 40% of SMBs report that they’ve lost important data as the result of a cyberattack

  • 82% of ransomware attacks back in 2021 were aimed at organizations with less than 1000 employees, and that trend is persisting
Common cybersecurity risks and challenges for SMBs are only increasing as the years pass by.

With the rise of remote work and increasingly advanced cyberattack techniques, more and more SMBs are falling victim to threat actors–but, by implementing accessible action steps, you can proactively circumvent these losses.

Book a demo today or sign up for our newsletter for more ready-to-implement cybersecurity tips, delivered straight to your inbox.

Download our Free Buyer's Guide

Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory standards, or meet a requirement for cyber insurance, selecting the right company is crucial.

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.