If you think your company is too small to be hacked, think again. According to a new report on SMB cybersecurity by the Ponemon Institute and Keeper Security, 66% of small and medium-sized businesses (SMBs) around the world experienced a cyberattack in the past year. In the U.S., the situation is particularly dire, with 76% of SMBs having been attacked in the last 12 months – up from only 55% in 2016.
Further, respondents agreed that over the past 12 months, their businesses had noticed attacks becoming more frequent, sophisticated, and severe in terms of consequences, such as cleanup costs.
Insider mistakes & social engineering are the biggest threats to SMB cybersecurity
The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses was compiled from interviews with leaders at companies worldwide with headcounts ranging from under 100 to 1,000. It paints a picture of an environment where SMBs are struggling to cope with cyberthreats that are becoming increasingly more dangerous as hackers adjust their attack methods to get around technical security defenses, such as firewalls and anti-virus software. Sixty-nine percent of respondents said they’d experienced an attack that got past their intrusion detection systems, and 82% got hit by attacks that evaded anti-virus programs.
How are hackers getting past technical security defenses? By “hacking” humans and stealing their login credentials. Negligence on the part of an employee or third-party vendor caused 63% of global SMB data breaches in the past year, and 70% in the U.S. Third-party mistakes caused 60% of breaches in the U.S. and 55% globally. In the U.S., SMBs are twice as likely to be victimized by a negligent or malicious insider than an external hacker.
Phishing was, by far, the most common type of cyberattack launched against SMBs in the past year; 57% of respondents whose firms were attacked were phished. Other common attack methods included web-based attacks (47%), general malware (36%), compromised or stolen devices (33%), and credential theft (30%).
Proactive cybersecurity measures could prevent most data breaches
SMBs are fully aware of their “human hacking” problem, but they’re not taking the proactive steps they need to keep their employees from getting hacked. Seventy percent of respondents said that employee passwords being stolen or compromised was a major pain point, and 61% complained about employees using weak passwords. But over half (54%) have no visibility into employee password practices, and 45% admitted that their security postures were ineffective at mitigating risks, vulnerabilities, and attacks. A separate study by GetApp, which found that only 27% of companies provide their employees with social engineering training, bolsters these findings.
Hackers like social engineering because it works. Armed with a set of legitimate login credentials, cybercriminals can access enterprise networks undetected, steal data, install ransomware and other malware, and alter or destroy files. Many SMBs have not yet invested in robust, proactive cybersecurity because they think they’re “too small” to be hacked. As the Ponemon report demonstrates, this is clearly not the case, especially in the U.S. It’s not a matter of if a hacker will try to con an employee or vendor into giving up their login credentials, only when.
The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to cybersecurity regulations, maintain compliance, and secure your systems.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts