Written by Clay Stabert, Senior Vice President and US Cyber Product Manager at Sompo.
It’s a common myth that cybercriminals target only large companies and organizations with deep pockets. While large enterprises can be high-value targets for cybercriminals, they are also more likely to have strong cybersecurity programs that can prevent attacks.
On the other hand, small and medium-sized businesses (SMBs) are often vulnerable to attacks due to gaps in their cybersecurity posture. SMBs often operate with limited resources and competing priorities. That combination creates opportunity for attackers. In fact, small businesses accounted for 43% of cyberattack targets in 2023, according to Accenture.
The first step to protecting SMBs from online criminals is understanding the cyber risks they face and preventive actions to lower those risks:
1. Phishing
Phishing remains the single most effective way for attackers to gain access to systems. It usually starts with an email that looks legitimate, maybe from a vendor, a payroll provider, or even your own leadership team. The message urges the recipient to click a link, download a file, or verify account credentials.
Preventive Actions
Implement a phishing awareness and simulation program. Combine that with strong email filtering, regular employee awareness training, and clear internal processes for verifying financial or data requests. The goal isn’t to eliminate every bad email; it’s to make sure employees know what to do when one lands in their inbox.
2. Credential Stuffing
This type of attack takes advantage of one simple human behavior: password reuse. Attackers use stolen credentials from one breach to attempt logins elsewhere, automating the process with bots until they find a match.
Preventive Actions
Establish multi-factor authentication (MFA) across all systems, especially email, VPNs, and cloud platforms. MFA is one of the most effective ways to stop credential-based attacks. Also, implement a password management solution to help employees generate and store unique passwords.
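Because credential stuffing is automated, it leaves a recognizable trace in authentication logs: one source address trying many different accounts in a short window with almost every attempt failing, which looks nothing like a single employee mistyping their own password. The following detector is an added example written for this article, not code from Sompo or from any product it mentions; the log format (`timestamp user source_ip result`), the sample lines, and the thresholds (five distinct accounts and an 80% failure rate within ten minutes) are all assumptions chosen for illustration.

```python
"""
Credential-stuffing detection over authentication logs (added example).

Flags source IPs that attempt logins against many *different* accounts with a
high failure rate inside a sliding time window, and reports which accounts
did succeed from that source so they can be reset and have MFA enforced.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user source_ip result" format.
# 203.0.113.10 sprays eight accounts and gets one hit (carol).
# 198.51.100.7 is one user (alice) who fails three times, then succeeds.
# 192.0.2.5 is a normal single successful login.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.10 FAIL
2024-03-01T09:00:03 bob 203.0.113.10 FAIL
2024-03-01T09:00:05 carol 203.0.113.10 SUCCESS
2024-03-01T09:00:07 dan 203.0.113.10 FAIL
2024-03-01T09:00:09 erin 203.0.113.10 FAIL
2024-03-01T09:00:11 frank 203.0.113.10 FAIL
2024-03-01T09:00:13 grace 203.0.113.10 FAIL
2024-03-01T09:00:15 heidi 203.0.113.10 FAIL
2024-03-01T09:01:00 alice 198.51.100.7 FAIL
2024-03-01T09:01:20 alice 198.51.100.7 FAIL
2024-03-01T09:01:45 alice 198.51.100.7 SUCCESS
2024-03-01T09:02:00 dave 192.0.2.5 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, user, ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.8):
    """
    Return {ip: summary} for sources that, within any `window`, touched at
    least `min_accounts` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. A single account failing repeatedly is *not* flagged:
    that pattern is a forgotten password, not a credential-stuffing bot.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):            # chronological order per source
        by_ip[ev[2]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[1] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                hits = sorted({e[1] for e in win if e[3] == "SUCCESS"})
                prev = flagged.get(ip)
                # Keep the widest window seen so the report covers every account touched.
                if prev is None or len(users) > prev["accounts"]:
                    flagged[ip] = {
                        "accounts": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "compromised": hits,   # successful logins from the attacking source
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts, {info['failures']}/{info['attempts']} failed, "
              f"successful logins to reset: {info['compromised']}")
```

The "compromised" list is the actionable output: those accounts had a valid password guessed from a leaked credential set and should be reset immediately, which is exactly the case where the MFA and unique-password controls above would have stopped the login even though the password was correct.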
3. Business Email Compromise (BEC)
BEC attacks are more targeted than phishing. They typically involve an attacker spoofing, or sometimes compromising, a company executive’s email account and sending urgent messages to finance or HR staff requesting payments or sensitive data. Emails are often convincing, personalized, and timed for maximum pressure.
Preventive Actions
In addition to the phishing defenses mentioned above, every business should have a multi-step verification process for payment or banking changes. Require employees to confirm requests verbally or through a separate communication channel.
4. Supply Chain Compromise
Attackers increasingly exploit third-party providers (software vendors, cloud services, or IT support firms) to access client networks indirectly. These types of attacks can be difficult to detect until the damage is done.
Preventive Actions
Take an active role in managing vendor risk. Maintain an inventory of your key service providers and ask them for details about their cybersecurity practices, especially regarding data handling and incident response. To further strengthen cybersecurity when working with vendors, enforce MFA on all SaaS tools and remote access methods. Limit vendor access using least-privilege and need-to-know principles, and segment your network to isolate their activity. These measures help reduce risk and protect sensitive systems from unauthorized access.
5. Ransomware
Attackers gain access, encrypt data, restrict authorized network access, and often exfiltrate sensitive files before demanding payment. Even when backups are not impacted by the ransomware event, the exfiltration of sensitive data makes recovery complex and costly.
Preventive Actions
The best ransomware defense is a layered approach that includes maintaining frequent, secure, offsite backups that are regularly tested for restoration. Deploy endpoint detection and response (EDR) tools for early threat identification. Ensure patching and vulnerability management are consistent across all systems.
At Sompo, we work closely with insureds to connect them with trusted cybersecurity vendors for training, monitoring, response planning, and recovery. These partnerships help businesses take practical, affordable steps toward cyber resilience, well before an incident occurs.
If you’re unsure where to start, reach out to your Sompo representative or broker. Together, we can help you assess your current posture, identify the right partners, and strengthen your defenses against today’s most common cyber threats.
About Sompo
We are Sompo, a global provider of commercial and consumer property, casualty, and specialty insurance and reinsurance. Building on the 135 years of innovation of our parent company, Sompo Holdings, Inc., Sompo employs approximately 9,500 people around the world who use their in-depth knowledge and expertise to help simplify and resolve your complex challenges. Because when you choose Sompo, you choose The Ease of Expertise.™
"Sompo" refers to the brand under which Sompo International Holdings Ltd., a Bermuda-based holding company, together with its consolidated subsidiaries, operates its global property and casualty (re)insurance businesses. Sompo International Holdings Ltd. is an indirect wholly-owned subsidiary of Sompo Holdings, Inc., one of the leading property and casualty groups in the world. Shares of Sompo Holdings, Inc. are listed on the Tokyo Stock Exchange.