Why Small Businesses Are Targeted For Cyber-attacks

And Here’s What They Can Do to Minimize Them

By Dennis Ast, CPCU, CCIC

We hear a lot in the news about cyber-attacks on large organizations like Colonial Pipeline, JBS Food, and CNA, to name a few. We don’t hear about all of the small businesses that have had a cyber-attack. More than 40% of cyber-attacks happen to small and medium-sized businesses. There are many reasons that cyber criminals focus on small businesses. The primary reason is that cyber criminals know that many small businesses are not prepared for a cyber-attack. They haven’t focused their resources on increasing their cyber hygiene and resiliency, which makes them an easy target not only for large cyber-criminal organizations but also for smaller cyber organizations or individual threat actors that are developing their skills and using ransomware kits and other cyber-attack tools that are easily purchased on the dark web. These attacks can come in many forms, including a phishing attack, business email compromise, a ransomware attack, and fund transfer fraud. There are also exposures to a cyber event through vendors you do business with, and even through the software and applications you use in your business every day. Any type of cyber-attack can be devastating to a small business. In fact, 60% of small businesses fail after a cyber-attack, per the National Cybersecurity Alliance.

All is not lost! Small businesses can improve their cyber hygiene and resiliency, and make it more challenging for a threat actor to attack their organization. Cybercriminals are looking to monetize their activities, so they focus on easy targets. There are many ways a small business can help protect itself from a cyber-attack.

Employee education is key to a successful cyber security program. The 2022 Verizon DBIR found 82% of data breaches involved human error. In many cases, it is an employee opening a phishing email. Many of the current phishing emails are not as easy to spot as they used to be. The cyber criminals have become smarter and their phishing campaigns have improved significantly. The cause is not always a phishing email; it could simply be an error made by one of your employees. Developing a program to help your employees understand common vulnerabilities and threats to your business will lessen the chances of a successful cyber-attack.

Another key is the use of Multi-Factor Authentication, or MFA. Many cyber carriers have identified that as much as 80% of their reported claims were attributable to the lack of MFA. MFA provides an additional layer of security if your employees’ user IDs and passwords have been stolen or compromised. MFA should be enabled on all email access and remote access, as well as on privileged access to your system and sensitive data.

Employee education and MFA are only the beginning of improving your cyber hygiene and resiliency. Businesses should also consider implementing Endpoint Detection and Response, or EDR, to help detect potentially malicious activities on their endpoints. Businesses should also ensure they encrypt all sensitive data and actively and regularly patch all of their applications and software to minimize potential vulnerabilities. Ensure that you have regular back-ups that are encrypted, air-gapped, and tested. It’s no good having a back-up if you aren’t able to restore from it. Finally, you should develop and practice a cyber-incident response plan. If a cyber-event does occur, having a plan in place will help you to minimize the impact it can have on your organization.

By being proactive and implementing the best practices outlined above, you can help protect your organization and minimize the impact that a cyber-attack can have on your business.


For more information please contact Dennis Ast, Senior Account Executive Cyber Risk Specialist at or DAst@Onegroup.com

This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem. Please refer to your policy contract for any specific information or questions on applicability of coverage.

Please note coverage cannot be bound or a claim reported without written acknowledgment from a OneGroup Representative.