The latest statistics on business size and cyber risk seem clear enough—larger businesses, especially those with revenues exceeding $50 million, experience cyber incidents 2.5 times more frequently than other enterprises.
It makes sense: the larger the business, the more valuable the data assets, and the more complex the IT infrastructures—meaning more potential entry points for attackers. The higher public profile of larger companies can also make them targets for reputation-damaging attacks.
While all of the above is true, this does not mean that small and medium-sized enterprises (SMEs) are flying under the radar when it comes to cyber threats—contrary to what many may believe.
In fact, SMEs are increasingly becoming prime targets for cybercriminals, for a number of reasons. Firstly, despite their size, these businesses often hold valuable customer data. Take SMEs within public administration and educational services, for example. Operating as small, specialized entities providing services to schools, government departments, or local communities, they can hold highly valuable customer data such as personally identifiable information (PII), financial details, health information, or user behavior data.
Smaller firms also typically struggle with budget constraints that often lead to outdated IT infrastructure and weak security measures, which make them easier prey. The rise we're currently seeing in attacks on educational institutions, up 70% from three years ago, shows just how vulnerable underprepared sectors can be.
Another point to consider is that SMEs are often part of larger supply chains, creating a weak link that attackers can exploit to reach larger, more prominent organizations. This correlates with a huge rise in supply chain attacks, which grew more than fivefold (431%) between 2021 and 2023, with further growth projected in 2025. By exploiting the trust between interconnected organizations and their vendors or suppliers, these attacks can compromise multiple entities through a single breach, including all the smaller companies in the chain.
Finally, it’s worth noting that while smaller firms may face a lower frequency of attacks overall, the consequences of a single incident can be devastating without the resources and resilience of a larger firm, including significant financial losses, crippling downtime, business interruption, and in some cases, even closure.
Common SME cybersecurity mistakes and how to address them
With the above in mind, it’s more important than ever to identify the cybersecurity mistakes SMEs typically make and for small business owners to understand that their size doesn’t make them invisible to attackers. Among the most common mistakes are skipping software updates, overlooking employee training—giving rise to human error, one of the most significant vulnerabilities in any organization’s defenses—and underestimating the sophistication of today’s threats.
While each sector faces unique challenges and vulnerabilities that require tailored approaches to cyber risk management, consider the following measures to significantly improve a small business’s security posture:
- Conduct regular, comprehensive cyber risk assessments: Assessments should be tailored to your industry’s specific threats and vulnerabilities and involve identifying critical assets and data, evaluating existing security controls, assessing threats and vulnerabilities, determining potential incident impacts, and prioritizing risks based on their likelihood and potential consequences. Tools like Cowbell Factors can also offer valuable benchmarks against peers, helping identify areas where your organization excels or needs improvement.
- Don’t underestimate the value of cybersecurity training for employees: To address human error, training should be ongoing, role-specific, and tailored to the unique threats employees may encounter. Phishing awareness, particularly important for small businesses, should be a central focus. Effective programs should cover recognizing (and reporting) phishing attempts—especially difficult with recent advances in AI—safe browsing and email practices, handling sensitive data securely, password security, multi-factor authentication (MFA), social engineering awareness, and secure remote work practices.
- Strengthen incident response and backup systems: Together, these measures ensure organizations can recover quickly and minimize disruption in the event of a cyber incident. A robust incident response plan should define clear steps, roles, and responsibilities during an attack, along with procedures for containing and mitigating impacts, preserving evidence for legal purposes, and conducting post-incident analysis to improve future responses. Equally important are comprehensive backup systems, which must be regular, automated, and securely stored offline or in segmented networks to protect against ransomware.
- Improve due diligence across the supply chain: To counter the rise in supply chain attacks, SMEs must vet third-party vendors, regularly audit key suppliers, and develop a robust third-party risk management program.
- Manage technology risks by addressing the most vulnerable systems: SME leaders should establish a comprehensive patch management strategy to ensure all operating systems and server-side technologies are consistently updated with the latest security fixes. Additionally, for content management and collaboration platforms, it’s essential to implement strict access controls, use encryption, and regularly perform security audits to safeguard against potential threats.
When considering the above, remember that cybersecurity is not a one-time effort—it needs to be treated as an ongoing process that receives continuous attention and adaptation to new threats.
A necessity, not an option
The SME segment represents over 99% of all businesses and 44% of the American GDP, yet SMEs are one of the most underserved segments of the American economy when it comes to cybersecurity. However, simply by implementing the above tips, business leaders can significantly enhance cyber resilience.
With cyberattacks on the rise, safeguarding digital assets isn’t just an option anymore—it’s a necessity for the survival and future growth of SMEs.
About the Author
Simon Hughes is Cowbell’s SVP, Global Distribution & General Manager UK. Simon is a seasoned underwriter with over 13 years of experience in the insurance industry. He began his career at Lloyd’s and has since gained valuable experience with the multi-national reinsurer SOVAG and CFC Underwriting, a UK-based specialty insurer. At CFC, Simon was a member of the cyber team for six years, serving as a cyber underwriter and senior leader focusing on small to medium-sized enterprises. Simon helped build the UK and EU cyber underwriting teams to achieve market-leading and profitable growth in a rapidly developing market. He is a proven leader with a deep understanding of cyber risk and insurance and has been instrumental in driving success in all his previous roles. Simon can be reached online at LinkedIn and at our company website https://cowbell.insure/.