What is the cybersecurity poverty loop, and how can brokers help to eliminate it?

Small and midsize businesses (SMEs) are facing a growing threat from cybercriminals, yet many of these companies are not prepared to defend themselves. According to experts, limited budgets, stretched IT resources, and misunderstandings about cyber threats and insurance are keeping these businesses trapped in what is known as the “cybersecurity poverty loop.”

Mea Clift, a senior advisor in cyber risk engineering at Liberty Mutual, highlights that smaller organizations usually lack the security measures that larger companies have in place. This includes essential protections like privileged access controls and constant monitoring. Many SMEs rely heavily on third-party vendors, which increases their vulnerability as these external partners can be points of entry for cyber attacks.

Clift notes that the majority of cyber attacks on smaller businesses stem from business email compromises and phishing schemes. However, the tactics used by cybercriminals are evolving. New methods include text-based phishing and social engineering targeting executives, leading to more complex attacks like ransomware.

Another pressing issue is the risk associated with third-party vendors. As SMEs often outsource services they cannot handle in-house, they become susceptible to breaches that can compromise their data and systems if a vendor is attacked. Clift emphasizes that even a small breach at a minor supplier can have major repercussions, potentially causing significant losses for larger clients.

Looking ahead, Clift is keeping an eye on two emerging risks for SMEs: supply chain vulnerabilities and the misuse of artificial intelligence. She warns that AI’s potential for misuse is vast, with possibilities including manipulated data and disinformation campaigns.

To help SMEs break free from the cycle of underinvestment in cybersecurity, Clift urges insurance agents and brokers to guide their clients toward practical, high-impact solutions. Common misconceptions, such as the belief that small businesses are not targets for cybercriminals, often lead to insufficient investment in security measures.

Clift points out that many business owners over-rely on managed service providers (MSPs), assuming they are fully covered. However, the level of protection offered can vary significantly. If an MSP only provides support during business hours, companies may find themselves vulnerable after hours or on weekends.

For those SMEs that recognize their risk, financial constraints can prevent them from acquiring advanced security tools and talent. This lack of investment not only increases their vulnerability but can also make them less appealing to insurers, leading to higher premiums.

To combat these challenges, Clift suggests several straightforward steps for SMEs to enhance their cybersecurity posture. These include maximizing existing tools from cloud providers, collaborating closely with MSPs to ensure comprehensive coverage, and prioritizing foundational security measures such as multi-factor authentication, regular backups, and employee training on phishing awareness.

Clift concludes by reminding us that improving cybersecurity is a continuous process. A small company will not have the same resources as a larger organization, but with the right approach, it can still significantly reduce its risk of cyber incidents.

Author

Sophia Langley runs real-life budget scenarios to recommend coverage mixes that protect households without sinking their monthly finances.