Why are Small & Medium Business (SMBs) in the cross hairs of hackers? Many would assume that these aren’t prime targets, but statistically speaking, SMBs are at great risk, and hackers spend a significant amount of time trying to pick their locks. Here are some statistics courtesy of Purplesec

  • 43% of cyber attacks target small business.
  • 47% of small businesses had at least one cyber attack in the past year, 44% of those had two to four attacks.
  • 70% of small businesses are unprepared to deal with a cyber attack.
  • 3 out of 4 small businesses say they don’t have sufficient personnel to address IT security.
  • 66% of small business are very concerned about cyber security risk.
  • 85% of small businesses plan to increase spending on managed security services.
  • 51% of small businesses say they are not allocating any budget to cyber security.
  • 58% of malware attack victims are categorized as small businesses.

What Many SMBs think

Many of our customers assume that because they are small, they aren’t of interest to hackers. They feel that because they are not a big or well-known brand, they are invisible. They also surmise that they have nothing of value to the hackers, making them seem even less desirable. All these assumptions are incorrect.

What Hackers Know About SMBs

Hackers choose SMBs because they know many small companies feel this way. They know that security is likely a low priority due to the reasons stated above. They know that most SMBs don’t have any training or phishing simulation testing in place. They also know that they will not have many of the standard security protections in place due to a lack of human resources or security budget.

They know that many SMBs outsource their IT to companies that do not have sufficient security protocols in place, leaving them potentially exposed to cyber-attack.

They know that many SMBs also leave their security to their “IT Guy” who is not trained in security. The IT guy is already struggling just to keep up to the IT needs of the company. He or she may not have the time required to dedicate to learning what to do or how to implement proper security controls.

They know if they ransomware your company and lock up your computers, servers, and data, that you’ll consider paying the ransom. At that point, it’s not about the data you think isn’t important. It is about not having access to your computing infrastructure to conduct business. It’s about the reputational damage and loss of consumer confidence that follows.

For these reasons and more, SMBs are targeted with increasing frequency. So, what can be done? Lets cover some problems and solutions.

The Problem

You don’t have the human resources available to implement basic security protocols. No one in your office can advise what your company should be doing to protect it. Some Suggestions


At a minimum, start with infosec training and phishing simulations. Source a company that can provide you with access to a quality cyber security training platform that is current, easily accessible, and provides reporting. Training is very effective at increasing the awareness keeping cybersecurity front of mind. It will help to reduce the probability of a successful attack.


Phishing is equally important. It is like peanut butter is to jelly. An effective phishing program will tell the company where there are areas of concern. In other words, it can help to identify the people in your organization that are susceptible to clicking, opening, or submitting data into a phishing simulation attack. Once identified, the people making these mistakes can be offered additional training to understand the dangers of phishing and how to avoid becoming a victim.

Everyone gets Phished

Include everyone in the training AND phishing programs, regardless of their job title or position. Include any of those who communicate using your corporate domain, even those that work as casuals, part time or other. It only takes one person to fall prey to a phishing attack to bring the company to its knees.

Mix it Up

Be sure to conduct different forms of phishing, such as spear phishing, whaling, vishing, smishing and BEC (business email compromise) because a generic phishing campaign is ineffective. If you don’t know what these variations are, SecuSolutions can help!

Be Sneaky… because Hackers Are

Consider conducting a covert phishing simulation first versus an overt one. This will ensure that you get an accurate measure of the staff’s true reaction to a phishing email, provided the phishing campaign has a granular reporting feature. Conducting a covert simulation will tell you how aware your staff are. Conducting an overt test will ensure they are on their best behavior because they know the test will be coming. This will not provide accurate data.

Hackers Don’t Care About Feelings…

Don’t be concerned with hurting someone’s feelings by conducting a tricky or deceitful phishing simulation. Hackers don’t care about feelings and nor should you. If you need to let select individuals know they failed the phishing simulation and do not want to embarrass them, pull them aside in private and let them know. You can also host a company wide Teams or Zoom meeting where you can announce that a covert phishing campaign was conducted and present the results. During the meeting, show them the email that was used in the campaign and let them know how many clicked it, opened it, or submitted data. You don’t need to call them out because they will know who they are.

If you are considering a covert campaign, be sure to keep the mission quiet. The fewer people in the know, the more effective it will be.

Test Your People, Not Your Technology

Be sure to whitelist the phishing campaign to make sure you are phishing for human metrics and not testing the technology designed to keep the phishing emails out. Its inevitable that technology will eventually fail, allowing that one email to get in and flat line your company.

Application or Old-School Phishing?

There are many phishing simulation applications out there. Know that hackers don’t use these applications. If hiring a security company to conduct a managed phishing simulation is not an option, you need to make certain that the emails you choose to send are void of any tell-tale signs that make them suspicious.

If you are currently using a phishing simulation application, don’t be fooled by “low click rates”, this could mean that the email sent by the application is too obvious and easy to spot. It won’t fool anyone. Phishing should be your best effort. It should be as crafty as possible because those are the emails that are being clicked and doing the most damage.

Start with the basics, they are effective and less expensive! Start with training and phishing, and you will already be much more secure. These two suggestions can be implemented at a relatively low cost. We can also provide more advice that SMBs can use in the near future. SecuSolutions is able to assist with training, phishing, and more! We are always available for a no obligation call to discuss your security concerns and needs.