Top 5 Mistakes SMBs Make in Cyber

Many SMBs believe that they are “too small” and that cybercriminals only target large enterprises; but this is a huge misconception, that can be fatal for many. In reality SMBs are being targeted nearly 4x more than large organisations¹. Cybercriminals view SMBs as a “quick-win” or the “low-hanging fruit” - with limited resources to defend themselves. If you’re a SME, you likely still hold valuable customer records, or can’t afford loss of operations - a ransomware gangs dream!

🔧 The Fix: you need to run assessments, evaluate your vulnerabilities, and acknowledge and manage the risk.

_{1. 2025 Data Breach Investigations Report; Verizon}

Reusing simple passwords or skipping multi-factor authentication (MFA) is an open invitation for breaches. Over 88% of Web Application breaches involve the use of stolen credentials¹. We’ve encountered dozens of situations were employees of SMBs, even up to executive levels, are using business devices to access personal accounts and reuse credentials across their personal and business accounts. It only takes a few hours of Open Source Threat Intelligence to discover your employees email addresses and associated accounts that have been involved in a breach where passwords may have been leaked - password that are likely reused.

🔧 The Fix: enforce strong password policies, require regular password changes, utilise a password manager and deploy MFA.

For many SMBs data backups are ad hoc, or non existent. This usually comes with the territory of “Well, we’ve never experienced a breach, so we’ve never needed the backups”. After a sucessful cyber attack, 1 in 5 SMBs would be forced out of business². You’ll be grateful if you have those backups to restore and recover your business.

🔧The Fix: Adopt a 3-2-1 backup strategy (on-site, off-site, test regularly). If you don’t test, how do you know you can perform a fast restoration in the face of a ransomware attack?

^{2. Successful Cyberattacks Would Force...; VikingCloud}

Most breaches start with human error (Phishing, Vishing, Miss-clicks, or lack of awareness). Over 83% of organizations reported insider attacks in 2024³. Yet, many SMBs do not have formal incident response plans or ongoing staff staining programmes. If you don’t train your staff, how do you expect them to identify suspicious emails? If you don’t implement a incident response plan and test it how can you be sure everyone knows what to do in the heat of a breach?

🔧The Fix: Implement a regular security awareness program, deploy phishing simulations (attack as well as defend), and document an accessible and understandable incident response playbook.

^{3. 83% of organizations reported insider attacks in 2024; IBM}