The Cyber Risk SMBs Can’t Afford To Ignore

AI-driven threats are rewriting the rulebook. Here’s the new cybersecurity playbook every small business must adopt before it’s too late
June just marked National Cybersecurity Education Month, an effort to raise awareness and expand the cybersecurity workforce. While public understanding is growing, so is the scale and sophistication of attacks. In the age of AI, threats no longer target only governments and large organizations. Cyberattacks now strike in unexpected places, putting individuals, SMBs, and entire systems at risk. Awareness alone isn’t enough. Are we prepared?
A recent conference held at Nasdaq by the Digital Evolution Institute explored the digital fabric comprising AI, data, and cybersecurity, and put a fascinating spotlight on the growing and unexpected risks and consequences.
Byron Loflin, Nasdaq Board Excellence Center at the conference
Digital Evolution Institute founder Julia Valentine stressed throughout the conference the shift from cyber crises as technical incidents to business and leadership-level challenges, and explained why being proactive in cyber crisis preparedness is no longer a luxury but a must-have.
Cyber risk is a business risk
Valentine, a Presidential Lifetime Achievement Award recipient, entrepreneur, and long-time investor, is also the founder of AlphaMille, a global technology consulting firm specializing in digital and physical security. “Companies cannot look to the government to protect them from cyberattacks in the AI era. Digital exposure should be treated as any other initiative that creates revenue, reduces cost, and mitigates risk,” she said at the conference, offering a familiar example: in 2021, R.R. Donnelley & Sons (RRD), a global provider of business communication and marketing services, suffered a ransomware attack that exposed sensitive client data. In 2024, the SEC reached a $2.125 million settlement with RRD for violating the internal controls and disclosure controls provisions of federal securities laws. As part of remediation, RRD revised its incident response policies and procedures, adopted new cybersecurity technology and controls, updated employee training, and increased cybersecurity personnel headcount, all basic measures that shareholders increasingly expect to be in place as a normal course of business.
“The ‘R.R. Donnelley’ case was a wake-up call,” Valentine now says. “Despite being a data-intensive company, they missed key warning signs. This cost them millions and damaged client trust. Overlooking cybersecurity doesn’t just increase risk; it sets a company up for sudden and devastating failure.”
While awareness is supposedly on the rise, cybercrime losses have been steadily increasing, and projections indicate a continued upward trend. Globally, cybercrime costs are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures. The annual cost of cybercrime in the U.S. alone is estimated to be around $639 billion in 2025.
According to Valentine, three things need to happen to change the trend: “Cybersecurity needs to be elevated to the board level. The board needs to calibrate the right amount of information it needs for effective oversight, and the company needs to right-size its cybersecurity defenses.”
During the conference, broad discussions by key industry leaders explored this shift in priorities from multiple angles. “As fiduciaries, we are now responsible for the resilience of our organizations, not just our balance sheets.” From a management and board perspective, it was made clear that the change starts there: “Cybersecurity must be viewed not as an IT expense, but as a strategic differentiator. Boards need fluency in incident response, third-party risk, threat intelligence, and yes, a solid recovery plan. Because a breach today is no longer just a technical failure, it’s a governance failure.”
SMBs Are Losing the Battle to Cybercrime
In today’s digital economy, small and midsize businesses (SMBs) are no longer flying under the radar of cybercriminals. In fact, they’ve become prime targets. According to recent industry reports, nearly 60% of SMBs experience a cyberattack each year.
“Many SMBs operate under the dangerous assumption that they’re too small or insignificant to attract cybercriminals,” she says. “In reality, attackers often see SMBs as low-hanging fruit, companies with valuable data but weaker defenses. Whether it’s financial records, employee data, or client information, your business is a digital goldmine to hackers.”
Many small businesses are at serious risk without realizing it. Common warning signs include not enforcing multi-factor authentication, not knowing which systems and tools are actually in use, and ignoring alerts or reported phishing emails. Relying on generalist IT support, skipping regular (and tested) backups, running unpatched software, and lacking a written response plan all leave the door open to attacks. Even being denied cyber insurance can be a red flag, since insurers' questionnaires probe exactly these controls.
So beyond misconceptions, what’s actually preventing SMBs from getting the protection they need?
Valentine outlines five practical barriers that prevent SMBs from getting the cybersecurity protection they need:
- Cost and Budget Constraints: “Most SMBs see cybersecurity as a cost center, not a risk mitigator. They delay investment until after a breach. Enterprise-grade solutions appear out of reach, even when right-sized versions exist.”
- Lack of In-House Expertise: “SMBs rarely have a dedicated CISO or even full-time IT security staff. They rely on generalist IT support or MSPs with variable quality. Without someone fluent in risk frameworks, they struggle to prioritize what actually matters.”
- Vendor Overload and Confusion: “Thousands of cybersecurity tools, all claiming to be essential, can be overwhelming.”
- Operational Disruption Concerns: “The preconception of ‘We can’t afford downtime,’ and fear that implementing controls (like MFA or encryption) will slow down productivity or frustrate staff.”
- Reactive Culture: “Cybersecurity is seen as something to worry about after something goes wrong. This leads to a lack of proactive policies, training, or insurance—no tabletop exercises, no crisis plan, and no designated responder.”
Cyber protection is not out of reach. SMBs need focused, outsourced, and staged solutions, not bloated enterprise packages.
“SMBs must treat cybersecurity like a business imperative.”
Drawing on the views discussed at the conference, a new “playbook” was distilled with the critical steps every business, big and small, must take. Valentine outlines The New Cybersecurity Playbook for SMBs: 7 Essential Steps:
- Board-Level Governance: Treat cyber risk as enterprise risk. Boards must actively oversee cyber resilience, not delegate it to IT. Establish a Cyber Risk Committee or integrate cyber discussions into every board meeting.
- Asset & Attack Surface Inventory: Know what you own. Create a live, dynamic inventory of assets, including shadow IT and third-party dependencies. Map your digital perimeter; every entry point matters.
- Threat Intelligence & Monitoring: Use real-time threat intelligence feeds to understand what attackers are targeting in your sector. Implement 24/7 monitoring and anomaly detection. SMBs without their own security operations staff can use MDR (Managed Detection & Response) services.
- Incident Response & Recovery Plan: Prepare a crisis playbook. Assign roles and rehearse responses. Keep an up-to-date disaster recovery and business continuity plan, tested quarterly.
- Third-Party Risk Management: Evaluate vendors like you would employees. Review their controls, require proof (e.g., SOC 2 reports), and include breach notification clauses in contracts.
- Cyber Hygiene & Least Privilege: Enforce MFA (multi-factor authentication) everywhere, especially for admin accounts. Follow the least-privilege principle: employees access only what they need, and access is reviewed when roles change. Apply patches and updates promptly, prioritizing internet-facing systems.
- Culture & Training: Make security part of the culture. Run phishing simulations, onboard new employees with security training, and involve the executive team. Instill the mindset that “anyone can be targeted.”
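To show what the hygiene items above (MFA everywhere, least privilege, and the warning signs listed earlier, such as dormant or forgotten accounts) look like as a repeatable check rather than a checklist, here is an added audit script. It is not part of the article and not a product of any company it mentions. It reads a constructed CSV export in the shape an identity provider or SaaS admin console typically produces, and flags admins without MFA, roles beyond a department's baseline, and accounts that have not logged in recently. The sample rows, the department role baseline in `ALLOWED_ROLES`, the `example.com` users, and the 90-day dormancy threshold are all assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data). Rows mimic what an identity
# provider or SaaS admin console exports: one line per account.
SAMPLE_EXPORT = """\
user,department,roles,mfa_enabled,last_login
alice@example.com,finance,billing-read;billing-write,true,2025-06-20
bob@example.com,sales,crm-user;admin,false,2025-06-18
carol@example.com,it,admin;crm-user,true,2025-06-21
dave@example.com,sales,crm-user,true,2024-12-01
svc-backup@example.com,it,admin,false,
"""

# Hypothetical least-privilege baseline: the roles each department
# legitimately needs. Anything beyond this is a finding.
ALLOWED_ROLES = {
    "finance": frozenset({"billing-read", "billing-write"}),
    "sales": frozenset({"crm-user"}),
    "it": frozenset({"admin", "crm-user", "billing-read"}),
}
ADMIN_ROLES = frozenset({"admin", "owner"})
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_export(text):
    """Turn the CSV export into a list of account dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last_login = row["last_login"].strip()
        accounts.append({
            "user": row["user"].strip(),
            "department": row["department"].strip(),
            "roles": frozenset(r for r in row["roles"].split(";") if r),
            "mfa": row["mfa_enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(last_login) if last_login else None,
        })
    return accounts


def audit(accounts, today, dormant_after_days=90):
    """Return (user, severity, message) findings, most severe first."""
    findings = []
    for a in accounts:
        is_admin = bool(a["roles"] & ADMIN_ROLES)
        # MFA everywhere: an unprotected admin is the worst case.
        if not a["mfa"]:
            findings.append((a["user"], "critical" if is_admin else "high",
                             "MFA not enabled"))
        # Least privilege: roles the department baseline does not include.
        extra = a["roles"] - ALLOWED_ROLES.get(a["department"], frozenset())
        if extra:
            findings.append((a["user"], "high" if extra & ADMIN_ROLES else "medium",
                             "roles beyond department baseline: " + ", ".join(sorted(extra))))
        # Dormant accounts (never logged in, or not recently) are easy to
        # forget and easy to take over.
        if a["last_login"] is None or (today - a["last_login"]).days > dormant_after_days:
            findings.append((a["user"], "medium",
                             f"dormant: no login in the last {dormant_after_days} days"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


def audit_export(text, today_iso, dormant_after_days=90):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_export(text), date.fromisoformat(today_iso), dormant_after_days)


if __name__ == "__main__":
    for user, severity, message in audit_export(SAMPLE_EXPORT, "2025-06-30"):
        print(f"{severity:<8} {user:<24} {message}")
```

Run against the sample, the script surfaces two accounts with admin rights and no MFA (one of them a service account that has never logged in), one sales user holding an admin role outside the sales baseline, and one dormant user. Pointing it at a real export and running it on a schedule turns "enforce MFA everywhere" and "least privilege" from intentions into something that is measured.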
“Cybersecurity is a boardroom concern and a business imperative,” she concludes. “A modern, tested cyber playbook is the best line of defense.”