Cyberattacks are a major challenge for organizations of all sizes, but small and medium-sized businesses (SMBs) face distinct threats when it comes to cybersecurity. Unlike large companies, they often lack the resources and expertise to implement extensive security measures or manage complex solutions, making them prime targets for malicious actors.
To better understand the security needs and trends of SMBs, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct research focused on security at companies with 25 to 299 employees. The insights below are paired with initial actions SMBs can take to address them; SMBs can find additional best practices to stay safe in the Be Cybersmart Kit (in English).
- One in three SMEs has been the victim of a cyberattack
With the rise of cyberattacks, SMEs are increasingly affected. Research shows that 311,000 SMEs have been victims of cyberattacks, such as ransomware, phishing, or data breaches. Despite this, many SMEs still harbor misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equals security. It's crucial to understand that malicious actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks.
How can SMEs approach this?
Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices for building a strong cybersecurity foundation:
- Use strong passwords and consider a password manager.
- Enable multi-factor authentication.
- Learn to recognize and report phishing.
- Make sure you keep your software up to date.
- Cyberattacks cost SMEs over $250,000 on average and up to $1,400,000
The unexpected costs of a cyberattack can be devastating for an SME and make financial recovery difficult. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident and fines associated with the data breach. Cyberattacks not only present an immediate financial strain but can also have long-term impacts on an SME. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to lost business opportunities in the future.
It's difficult to anticipate the impact of a cyberattack because the recovery time can range from a day to over a month. While many SMEs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time it will take to restore operations and resume normal business activities.
How can SMEs approach this?
SMBs can conduct a cybersecurity risk assessment to understand their security gaps and determine the steps needed to close them. These assessments help SMBs identify and mitigate areas exposed to attack, ensure compliance with regulatory requirements, establish incident response plans, and more.
Effective and proactive planning can help minimize the financial, reputational, and operational costs associated with a cyberattack, should one occur. Many organizations provide self-service assessments, and working with a security specialist or security service provider can provide additional expertise and guidance during the process, as needed.
- 81% of SMBs believe AI increases the need for additional security controls
The rapid advancement of AI technologies and their ease of use through simple interfaces create significant challenges for SMBs when used by employees. Without the right tools to protect company data, the use of AI can lead to sensitive or confidential information falling into the wrong hands. Fortunately, more than half of companies that don't currently use AI security tools plan to implement them within the next six months for more advanced protection.
How can SMEs approach this?
Data security and governance play a critical role in the successful adoption and use of AI. Data security, which includes labeling and encryption of documents and information, can mitigate the chance of sensitive information being referenced in AI prompts. Data governance, or the process of managing, understanding, and protecting data, can help establish a framework for effectively organizing data.
- 94% consider cybersecurity critical to their business
Recognizing the critical importance of cybersecurity, 94% of SMEs consider it essential to their operations. While it hasn't always been treated as a priority, given limited resources and internal expertise, the rise of cyberthreats and the increasing sophistication of cyberattacks now pose significant risks to SMEs. Managing work data on personal devices, ransomware, and phishing are cited as the main challenges SMEs face.
How can SMEs approach this?
For SMBs looking to get started with training and educating employees, Microsoft's Cybersecurity Awareness website provides resources on security topics such as Cybersecurity 101, Phishing (in English), and more.
- Fewer than 30% of SMEs manage their security internally
Given the limited resources and expertise within SMEs, many turn to security specialists for assistance. Fewer than 30% of SMEs manage security internally and often rely on security consultants or service providers to manage their security needs. These professionals provide crucial support in the research, selection, and implementation of cybersecurity solutions, ensuring that SMEs are protected against emerging threats.
How can SMEs approach this?
Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage comprehensive IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support may include researching and identifying appropriate security solutions for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on behalf of SMBs. This model allows SMBs more time to focus on core business objectives, while MSPs keep the company protected.
- 80% intend to increase their cybersecurity spending, with data protection as the main area of investment
Given the growing importance of security, 80% of SMBs intend to increase cybersecurity spending. The main drivers are protecting against financial loss and safeguarding customer and consumer data. It's no surprise that data protection is the top investment area, with 65% of SMBs saying this is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other key spending areas include firewall services, phishing protection, ransomware protection, device protection, access control, and identity management.
How can SMEs approach this?
By prioritizing investments in the above areas, SMBs can improve their security posture and reduce the risk of cyberattacks. Solutions like Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaking outside the company, Endpoint Detection and Response (EDR) helps protect devices and defend against threats, and Identity and Access Management (IAM) helps ensure only the right people have access to the right information.
- 68% of SMEs consider secure data access a challenge for remote workers
The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes permanent. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To protect sensitive information in a hybrid work environment, it is vital to implement security and device management solutions so that employees can work securely from anywhere.
How can SMEs approach this?
Implement measures to protect data and internet-connected devices, including promptly installing software updates, ensuring mobile apps are downloaded only from legitimate app stores, and never sharing credentials via email or text message; if credentials must be shared, do so over the phone in real time.
Next Steps with Microsoft Security
- Read the full report to learn more about how security continues to play an important role for SMEs.
- Get the Be Cybersmart Kit (in English) to help educate everyone in your organization with cybersecurity awareness resources.
To learn more about Microsoft Security solutions, visit the website. Bookmark the Security blog (in English) for expert coverage on security issues. Also, follow us on LinkedIn (Microsoft Security) and on X (@MSFTSecurity) for the latest cybersecurity news and updates.