By Matthew Olney on June 07, 2023

SMEs in the Crosshairs: Why do Hackers Target Small-to-Medium Sized Enterprises?


Cyber security is a critical issue for businesses of all sizes, but small-to-medium-sized enterprises (SMEs) are particularly vulnerable: data shows that 43% of cyber-attacks target SMEs and that 60% of small businesses hit by a cyber-attack go out of business within six months.

In this blog we look at why SMEs are attractive targets for cybercriminals.

The Too Small To Be A Target Myth

The most common myth in cyber security is ‘We’re too small to be a target’. It’s a myth that many a small business has unfortunately believed, and it has cost them dearly as a result. In recent years SMEs have begun to take the risk they face from cyber threats more seriously, but there is still plenty of work to be done.

The misconception that hackers are only interested in large corporations likely comes from the media. Coverage of breaches at large companies makes for spicier headlines but also misrepresents the reality. Small businesses are attacked just as often as bigger ones, and the hackers’ success rate is often a lot higher because these businesses often lack robust security measures, making them easier targets.

In many SMEs, security may be limited due to budget constraints or lack of cyber security knowledge. These firms may not employ dedicated IT staff or invest in the latest security technology. As a result, they are less equipped to monitor their networks, identify threats, or respond effectively to breaches, which makes them more appealing to cybercriminals.

Cybercriminals are like any other type of criminal in that they look for easy prey. If something is too difficult to breach, they’ll move on and keep searching for an easier score.

Valuable Data: Small in Size, Big in Value

While an SME might not possess the quantity of data that a large corporation holds, the data they do possess is often just as valuable. Customer databases, financial information, intellectual property, and personal employee data are all attractive to cybercriminals. In particular, if an SME operates in a niche industry, their data can be extremely valuable and difficult to replicate, further heightening its appeal to cybercriminals.

The Weakest Link

Cybercriminals often exploit SMEs as a way to attack larger and more profitable targets. SMEs are a prime target because they are often part of the supply chains of larger companies, and attackers who take advantage of their often weaker security can use them as a backdoor into these organisations. In short, SMEs are often the weakest link in the chain, and by compromising an SME, hackers can infiltrate a larger, more secure network. This tactic is often easier than directly attacking the bigger firm due to the typically weaker security measures in SMEs. This attack method is so effective that in 2022 data showed that supply chain attacks surpassed the number of malware-based attacks by 40%.

Less Regulatory Oversight

Many industries impose stringent cyber security regulations on large businesses, but these same requirements are often less rigorous for smaller businesses, if they apply at all. This difference in regulatory oversight can leave gaps in an SME's cyber security measures, making it more vulnerable to cyber attacks. However, there are schemes in place to assist SMEs, such as the UK’s Cyber Essentials scheme, which is designed to help smaller businesses shore up their defences.

What are the consequences for SMEs?

A successful cyber attack can cause severe financial and reputational damage, which is often more devastating for an SME than for a larger business. The cost of dealing with a breach, coupled with the potential loss of customer trust, can threaten an SME's very survival and is the reason so many smaller businesses are forced to close following an attack.

SMEs are far from helpless, however, and can adopt various strategies to mitigate these risks:

  • They need to discard the dangerous misconception that they are too small to be targeted. Regardless of size, all businesses are potential targets. SMEs need to be proactive, not reactive, in their approach to cyber security.
  • SMEs should invest in cyber security measures appropriate for their size and industry. This investment includes not only technological defences but also staff training. Employees need to understand the nature of cyber threats and the role they play in preventing them. An MSSP can assist with improving defences and training, and can create tailor-made defences for your business.
  • SMEs should consider obtaining cyber security insurance to help mitigate the potential financial losses from a cyber attack. They can also collaborate with larger businesses in their supply chains to improve their shared security measures.
  • Cyber security is an ongoing commitment, not a one-time fix. SMEs must regularly update and review their cyber security measures to ensure they keep pace with the evolving threat landscape.

Integrity360 can help secure your SME

Cyber security can be tricky, but you don't need to master it all at once. That's what we do at Integrity360. Our team is filled with cyber security pros who have spent years learning the ropes, so you can trust us to keep your business safe.

At Integrity360 our expert team takes the time to learn about your specific needs and find the right solutions for you. We're more than just a service; we're a partner in protecting your business. Contact us today and discover how we can empower your business against the cyber threat.
