Are there cybersecurity risks for a small company?

August 19th, 2021 By Amywright

Yes. In reality, small to medium businesses are targeted by cybercriminals more so than larger corporations. In this post, we explore the following questions:

  • Why do hackers attack small businesses?
  • How often do small businesses get hacked?
  • How many small businesses are affected by cybercrime?
  • What percentage of cyber-attacks happen against small businesses?
  • Do small businesses need cybersecurity?
  • How much does a small business spend on cybersecurity?

Why do hackers attack small businesses?

There are a few reasons why hackers specifically target smaller businesses, but usually hackers assume small businesses are easier targets and have weaker security systems. In addition, some smaller businesses can house information for larger corporations and provide a gateway to vital information leading to a hacker’s unauthorized entry into a larger corporation.

Hackers also prey on small and medium-sized businesses with ransom attacks. In these attacks, the attacker steals information from the company and, more often, encrypts its locally stored data, leaving the company unable to access it. The hacker then ransoms the data back to the company for a price, which makes smaller businesses a target for illegitimate monetary gain.

How often do SMEs get hacked?

43% of cyber-attacks target small businesses, according to a recent Verizon report. The number of cyberattacks is forecast to increase as more and more companies operate remotely, allowing for a significant influx of new attacks and hacking techniques that circumvent existing security protocols and methods. These latest hacks are why it is crucial for all businesses, small to large, to maintain up-to-date security and excellent security protocols and techniques.

In light of the recent pandemic, small businesses could be an even bigger target, as several small companies have shifted to conducting business online. This migration to digital has opened a new gateway for cybercriminals to access valuable data, especially at companies unaware of the potential risks of moving to a purely online environment. According to Shepherd, from 2019 to 2020, there was a 424% increase in breaches within small companies.

Types of cybercrime that affect SMEs

“88% of organizations worldwide experienced spear-phishing attempts in 2019.” 

Phishing attempts are just one of many areas in which companies are targeted. Other types of attacks can include, but are not limited to:

  • Weak Passwords, resulting in compromised passwords
  • ‘Drive-by’ Infections
  • Scanning Networks for Vulnerabilities and Exploitation
  • Malware Attacks
  • Ransomware Attacks
  • Brute Force Attacks

These attacks can come from anywhere at any time and can affect anyone. Some of these attacks are hidden in plain sight, whilst others adopt a more direct approach.

Some attacks prey on human error and specifically target employees, inciting them to click on an infected file or document. This action can download malicious software to their device without their knowledge, giving the attackers free roam of the device and potentially the whole network.

Other attacks are live attacks that happen in real time, including DDoS (Distributed Denial of Service) attacks, which interrupt communications between the host server and the end-user, exposing an open doorway for would-be attackers to enter the network’s servers. This access gives the attacker the means to steal and/or destroy data and information at their whim.

Do small businesses need cybersecurity?


To put this into context, imagine your house having no doors, windows, or any means to stop intruders from entering your home. It’s unheard of and poses not just a risk to the contents of your house but also your physical safety! The same applies to business security.

Businesses hold valuable information on all of their stakeholders and customers. This information should be kept secure and well protected. In some countries, protecting it is mandatory, and the company can face significant repercussions should its “secure” data be leaked.

How much does a small business spend on cybersecurity?

According to Shepherd, “83% of small businesses have not put funding aside for dealing with a cyber-attack”, and “60% of small businesses that are victims of a cyber-attack go out of business within six months.” The monetary damage can come in various forms, including costs from downtime and lost reputation. To fully understand the implication that an attack can have on your business, Shepherd states that “cybercrime costs small and medium businesses more than $2.2 million a year” with a projection to “cause $6 trillion in damage by 2021”. With these figures, the real question is how much should small businesses be spending on cybersecurity?

According to industry experts, businesses are advised to invest at least 3% of their total spending into cybersecurity. Planning and investing in cybersecurity should not be overlooked. Failure to properly secure your data can result in some very costly repercussions, both in courts of law and potentially to the attacker as well.

How can ISO/IEC 27001 help small businesses?

By now, you are aware of the severe implications of not adequately protecting your business, with the possibility of fines, data leaks, lawsuits, damage to reputation, and even loss of trade secrets and intellectual property. ISO 27001 proves that you are taking information security seriously. Every business needs an Information Security Management System (ISMS) to understand and manage corporate risks and comply with data security regulations. Small businesses looking to invest in their information security look to ISO/IEC 27001 for multiple additional benefits.

The main benefits of ISO 27001 for small businesses are:

  • Protects information and improves security
  • Establishes trust and can give you a competitive advantage
  • Assists in compliance with legal regulations, such as GDPR
  • Creates new systems and processes
  • Reduces the need for customer security audits because you have an independently certified ISO

The benefits of ISO/IEC 27001 can vary depending on your unique business. However, the advantage of having an Information Security Management System is evident, especially for small businesses.

If you’d like to discuss your business needs and find out if ISO/IEC 27001 could suit your company, our experts are here to answer all of your questions.


Contact Us

For a free Quotation or On-Site presentation by an ISO Specialist, contact us today!

IMSM Canada Ltd
The Exchange Tower, PO Box 427
130 King Street West Suite 1900
Toronto, M5X 1E3

Tel: 416-945-6649
