Public Statement


The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses

Commissioner Luis A. Aguilar

U.S. Securities and Exchange Commission*

Oct. 19, 2015

This article was published in the autumn 2015 edition of the Cyber Security Review, which was made public on October 19, 2015, but it was written in late August. Accordingly, it does not reflect any events or developments that may have occurred thereafter.

I. Introduction

The internet has become an indispensable tool in today’s business world. Companies of all sizes have woven the internet into almost every aspect of their operations, a trend that is likely to accelerate as companies embrace mobile and cloud computing to an even larger degree.[1] And while the internet has fostered a tremendous degree of economic growth,[2] it has also introduced profound security risks. Reports of massive data breaches have become commonplace, and the average cost of such breaches reached record levels last year.[3] Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses. The reason is simple: small and midsize businesses (“SMBs”)[4] are not just targets of cybercrime, they are its principal target. In fact, the majority of all targeted cyberattacks last year were directed at SMBs.[5] Even more disconcerting is the fact that cybercrime represents an existential threat for SMBs. It has been estimated that half of the small businesses that suffer a cyberattack go out of business within six months as a result.[6]

Yet, it is not just smaller businesses that need to be concerned. Many SMBs have direct and indirect business relationships with larger organizations, a fact well known to cybercriminals. It has been reported that cybercriminals are focusing on SMBs as a gateway into larger organizations, since SMBs’ cyber defenses are typically less robust than those of larger organizations.[7] In fact, it is believed that the cybercriminals responsible for the breach of Target’s systems in November 2013—which led to the theft of 70 million individuals’ personal information[8]—gained access to Target’s system by penetrating the network of the small business that Target used for heating and air conditioning services.[9] The new reality is that large organizations are, in effect, a “sprawling network” of interconnected business partners, any one of whom could serve as the vector for a cyberattack.[10] Business leaders have asked for government assistance with this critical issue,[11] and there is a clear need for a coordinated approach.

This article will discuss the special challenges confronting SMBs as they contend with cybersecurity issues, and will explore possible solutions, with a focus on the important roles the private and public sectors will need to play.

II. Cybercrime Represents a Very Real, and Very Serious Threat to SMBs

The past several years have witnessed an array of successful cyberattacks against some of the most prominent firms in the country. In the past two years alone, eBay, JP Morgan, Home Depot, and Target all suffered major breaches at the hands of cybercriminals.[12] These breaches, which affected approximately 353 million customers collectively,[13] were spectacular not only because of their size, but also because of the relentless pace at which they seemed to occur. Since the popular press tends to focus on attacks like these, which target the largest firms, it can be easy to overlook the fact that SMBs are at even greater risk, and are far more vulnerable once they are victimized. In fact, for every high-profile breach, there are many more threats to confidential data held by local businesses. According to a list of data breaches maintained by the California Attorney General, wine shops, dentist offices, community centers, and small manufacturers have all been victims of cybercrime in the past few years.[14]

Some basic statistics will help to frame the scope and urgency of the problem that SMBs face. The number of known cybersecurity incidents rose by 48 percent last year,[15] and cyberattacks targeting SMBs have become more prevalent. According to one study, 60 percent of all targeted cyberattacks last year struck SMBs.[16] That trend continues this year, as a June report confirms that SMBs remain cybercriminals’ favorite target. In fact, approximately 75 percent of all spear-phishing scams in June were directed at SMBs, with the very smallest companies—those with 250 employees or fewer—bearing the majority of those attacks.[17] Moreover, these attacks have become far more costly, as the losses from phishing scams increased from $525 million in 2012 to $800 million last year, an increase of more than 50 percent.[18]

A recent survey conducted by the National Small Business Association underscores just how serious a threat cybercrime poses to SMBs. According to the survey, half of all SMBs surveyed reported being the targets of a cyberattack, a 14 percent increase over the prior year.[19] The survey revealed other disturbing trends, as well. For example, the survey found that the cost of the average attack rose from $8,699 in 2013 to $20,752 last year—an increase of almost 140 percent in only one year.[20] The rate of the increase was even more pronounced for firms whose bank accounts were hacked, as the average cost of those attacks rose by almost 187 percent.[21] The survey also found that it is becoming increasingly difficult for SMBs to recover from an attack. The number of firms reporting that it took them at least three days to recover from an attack rose to 33 percent last year, up from only 20 percent the year before.[22] And, in an especially dispiriting development, the survey found that SMBs that were the victims of a cyberattack were more likely to be targeted again.[23]

Recent trends confirm that SMBs are confronted with a varied and constantly shifting cyber threat landscape. For example, ransomware has emerged as a very serious threat to SMBs.[24] These attacks, in which a cybercriminal encrypts a firm’s files and demands a ransom payment to release them, are becoming more frequent, effective, and costly. According to one source, the number of such attacks more than doubled last year,[25] and ransomware programs can now target more than 230 different types of computer files, up from only 70 in 2013.[26] The past two years have also witnessed the emergence of fraudulent transfer schemes, in which cybercriminals exploit publicly available information and weaknesses in email systems to trick SMBs into transferring large sums of money into ersatz bank accounts.[27] According to the FBI, such schemes cost companies around the world more than $1 billion between October 2013 and June 2015, and while companies of all sizes have lost money to such schemes, SMBs are believed to be the biggest targets.[28] Finally, the advent of the internet of things offers cybercriminals new attack vectors, many of which may not be readily apparent. Network printers and copiers that allow employees to scan and email documents within the organization, for example, can present attackers with an unexpected means of launching a lateral attack into a business network.[29]

III. Why SMBs Are Such Attractive Targets for Cybercriminals

SMBs are attractive targets for a number of reasons, but foremost among them is that SMBs are easier targets than larger organizations.[30] The reason for this is all too simple: SMBs face precisely the same threat landscape that confronts larger organizations, but must do so with far fewer resources. Studies suggest that many SMBs lack sufficient in-house expertise to deal with cyberattacks,[31] and the problem is especially acute for the smallest firms. The owners of such firms handle cybersecurity matters themselves roughly 83 percent of the time,[32] and the results are perhaps predictable. According to one survey of firms with fewer than 50 employees, just 29 percent of such firms know the steps needed to improve their cybersecurity measures, and even fewer have written policies in place to respond to a data breach.[33] Unfortunately, this situation seems only to be getting worse. One study found that companies with less than $100 million in revenues actually reduced their spending on cybersecurity last year, despite the fact that the number of detected cyber incidents—and the associated losses—rose to new heights.[34]

More troubling still, there is reason to believe that many SMBs may not be taking cybersecurity as seriously as they should.[35] One recent survey of 400 small firms found that 27 percent of them have no cybersecurity protocols at all, and that a similar number of firms have difficulty implementing even the most rudimentary cyber defenses, such as routinely backing up their data.[36] Another survey found that most SMBs fail to respond appropriately to successful attacks. Specifically, this survey found that 60 percent of the surveyed SMBs did nothing to buttress their security protocols in the wake of a breach.[37] This type of apathy is ill-advised given the increasing sophistication and expertise of cybercriminals, who are now collaborating to a far greater degree,[38] resulting in a marked increase in the quality, quantity, and complexity of attacks.[39] Given that network security has been estimated to be effective only 24 percent of the time,[40] a proactive approach appears to be warranted.

IV. Potential Solutions

Cybersecurity is a profoundly difficult problem, one that takes on added complexity in light of SMBs’ limited resources. Nevertheless, the issues identified above point to certain steps that could be taken to help SMBs better address this persistent threat. A strong public-private partnership is likely a key element in helping SMBs overcome their resource constraints. Some potential steps that policymakers could consider include the following:

  • Provide SMBs with More Guidance About Cybersecurity: During recent Congressional testimony, certain panelists emphasized that broad efforts to improve our nation’s cybersecurity must be coupled with programs to educate SMBs about how to detect and respond to cyberattacks.[41] The government could play a vital role in developing and disseminating such educational programs. In fact, a major step has already been taken in this regard, with the development of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (“Framework”).[42] As one panelist noted, this Framework can serve as a “foundational educational tool for SMBs.”[43] Implementation of the Framework is still in its infancy even for the largest firms, but federal agencies could play a key role in helping SMBs understand and adapt this Framework to their unique systems and vulnerabilities.[44]
  • Identify Ways of Fostering Economies of Scale for Cybersecurity Solutions: Ultimately, responsibility for cybersecurity lies with the SMBs themselves, not with the government. Even so, to help alleviate the resource constraints faced by SMBs, policymakers could explore ways of encouraging the development of economies of scale for cybersecurity solutions. There are myriad possible avenues in this regard, but one possibility is to develop tax credits for vendors that would encourage them to develop cost-effective cybersecurity solutions tailored to the unique needs of SMBs.[45] Similarly, policymakers could consider measures to help the incipient cyber-insurance market reach a level of maturity that will bring costs down and provide solutions specifically for SMBs.[46] Some possibilities include having the government act as a reinsurer for the cybersecurity insurance market during its adolescence,[47] or establishing a program, akin to the National Flood Insurance Program, to help buttress the private market in the event of catastrophic, widespread attacks.[48]
  • Provide SMBs with Additional Resources for Cybersecurity: One theme that consistently emerges from the available data is that SMBs, particularly the smallest firms, typically lack the resources to mount a legitimate cyber defense. SMBs often rely on older, more orthodox security solutions, and while these tools may block the best known types of malware, they are ineffectual against today’s “dynamic, multi-vector, multi-stage cyberattacks,” such as advanced persistent threats.[49] Small business owners have called for government assistance in this critically important area, and this seems a reasonable approach, given that cybersecurity is a problem in which our entire society has a stake.[50] For example, the British government recently embarked upon a voucher program that will offer SMBs up to £5,000 to retain cybersecurity specialists to help bolster SMBs’ cybersecurity protocols.[51]
  • Devote Additional Resources to Fighting Cybercrime: One way that government agencies can better assist SMBs is to aggressively prosecute cybercriminals.[52] As one cybersecurity expert recently told Congress, an especially effective means of protecting SMBs is to target the 100 top-tier authors of malware.[53] In this regard, law enforcement at the local, state, national, and international levels could be given additional support to identify, prosecute, and incarcerate these programmers, who form the center of the malware ecosystem. Although the FBI has done much to fight cybercrime,[54] a more aggressive posture that focuses on the most acute threats could be one of the most effective tools available to policymakers.

V. Conclusion

Leveraging innovative technologies is essential if SMBs are to succeed in the modern economy, but SMBs must be mindful of the dangers that new technologies pose. The primary responsibility for cybersecurity rests with the SMBs themselves, and the data suggests that SMBs can do a better job of implementing basic cyber defenses. Nevertheless, today’s cybercriminals enjoy significant advantages over SMBs. A vibrant and dynamic partnership between the public and private sectors could do much to level the playing field. This article has suggested but a few potential avenues for such collaboration, and there are undoubtedly many more that merit careful consideration. Let us hope that policymakers and SMBs can work together to identify the most affordable and effective solutions for SMBs. The failure to do so leaves us all at risk.

* The views expressed in this article are my own, and do not necessarily reflect the views of the SEC, my fellow Commissioners, or members of the staff.

[1] Louis Columbus, Roundup Of Small & Medium Business Cloud Computing Forecasts And Market Estimates, 2015, Forbes (May 4, 2015) (noting that “78% of U.S. small businesses will have fully adopted cloud computing by 2020 more than doubling the current 37% as of today.”), available at

[2] It has been estimated that the internet accounted for fully 21 percent of the growth in gross domestic product in mature economies between 2006 and 2011. James Manyika and Charles Roxburgh, The great transformer: The impact of the Internet on economic growth and prosperity, 1 (Oct. 2011), available at

[3] Ponemon Institute, LLC, 2015 Cost of Data Breach Study: Global Analysis, 1 (May 2015) (noting that “the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million,” representing a 23 percent increase), available at

[4] For purposes of this article, I define the term small and midsize businesses to include businesses with up to 2,500 employees.

[5] Symantec, 2015 Internet Security Threat Report, 6 (Apr. 2015) (noting that “[l]ast year, 60 percent of all targeted attacks struck small-and medium-sized organizations.”), available at

[6] Testimony of Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), available at Although Dr. LeClair does not provide a citation for this statistic, it appears to come from a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. National Cyber Security Alliance, America’s Small Businesses Must Take Online Security More Seriously (Oct. 2012), available at

[7] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, 8 (Sept. 30, 2014) (noting that “sophisticated adversaries often target small and medium-size companies as a means to gain a foothold on the interconnected business ecosystems of larger organizations with which they partner.”), available at

[8] Jia Lynn Yang and Amrita Jayakumar, Target says up to 70 million more customers were hit by December data breach, The Washington Post (Jan. 10, 2014), available at

[9] Nicole Perlroth, Heat System Called Door to Target for Hackers, The New York Times (Feb. 5, 2014), available at

[10] Id.

[11] J.D. Harrison, Small business leaders urge Congress to rethink cybersecurity measures, The Washington Post (Apr. 23, 2015), available at

[12] Ponemon Institute, LLC, 2014: A Year of Mega Breaches, 1 (Jan. 2015), available at; Symantec, 2014 Internet Security Threat Report, 7 (Apr. 2014) (dubbing 2013 “the Year of the Mega Breach”), available at

[13] Ponemon Institute, LLC, 2014: A Year of Mega Breaches, 1 (Jan. 2015), available at; Symantec, 2014 Internet Security Threat Report, 7 (Apr. 2014), available at _threat_report_ITU2014.pdf.

[14] E. Scott Reckard and Tiffany Hsu, Small businesses at high risk for data breach, The Los Angeles Times (July 4, 2014), available at

[15] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, 5 (Sept. 30, 2014), available at

[16] Symantec, 2014 Internet Security Threat Report, 6 (Apr. 2014), available at _threat_report_ITU2014.pdf.

[17] Symantec, Symantec Intelligence Report, 5 (June 2015) (noting that, in June 2015, only 25.1 percent of all spear-phishing attacks were directed against organizations with more than 2,500 employees, and that fully 38.1 percent of all spear-phishing scams were directed at companies with 250 employees or fewer), available at

[18] Stay Safe Online, Scams Are On the Rise — What You Can Do (July 14, 2015), available at

[19] National Small Business Association, 2014 Year-End Economic Report, 16 (2015), available at

[20] Id.

[21] Id.

[22] Id.

[23] Id.

[24] Ruth Simon, ‘Ransomware’ a Growing Threat to Small Businesses, The Wall Street Journal (Apr. 15, 2015), available at; Carolyn Schrader, 2015 Mid-Year Trends of Cybersecurity Threats to Small Businesses, Cyber Threats (July 14, 2015) (noting that “[r]ansomware continues to be a major threat to small businesses.”), available at

[25] Symantec, 2014 Internet Security Threat Report, 7 (Apr. 2014) (noting that “[r]ansomware attacks grew 113 percent in 2014”), available at _threat_report_ITU2014.pdf.

[26] Ruth Simon, ‘Ransomware’ a Growing Threat to Small Businesses, The Wall Street Journal (Apr. 15, 2015), available at

[27] Ruth Simon, Hackers Trick Email Systems Into Wiring Them Large Sums, The Wall Street Journal (July 29, 2015), available at

[28] Id.

[29] Carolyn Schrader, 2015 Mid-Year Trends of Cybersecurity Threats to Small Businesses, Cyber Threats (July 14, 2015) (noting that “[h]ackers are expanding their efforts into products that can easily be accessed. They will go after products such as network printers for a lateral attack into a business network.”), available at

[30] FireEye, Not Too Small To Matter: 5 Reasons Why SMBs are a Prime Target for Cyber Attacks, 7 (2015), available at

[31] Ponemon Institute, The Risk of an Uncertain Security Strategy: Study of Global IT Practitioners in SMB Organizations, 6 (Nov. 2013) (noting that “[o]rganizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities.”), available at

[32] Endurance International Group, New Survey Finds A Vast Majority Of Small Business Owners Believe Cybersecurity Is A Concern And Lawmakers Should Do More To Combat Cyber-Attacks (May 4, 2015), available at

[33] Chad Brooks, 4 Ways to Improve Your Cybersecurity Today, Business News Daily (Jan. 19, 2015) (detailing the results of a survey conducted for Norton by Research Now), available at

[34] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, 7-8, 19-20 (Sept. 30, 2014) (noting that “[t]his year, companies with revenues less than $100 million say they reduced security investments by 20% over 2013.”), available at

[35] The need to take such threats seriously is underscored by a recent ruling by the U.S. Court of Appeals for the Third Circuit, which held that companies that fail to take cybersecurity seriously can face an enforcement action by the Federal Trade Commission. See Federal Trade Commission v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121 (3d Cir. Aug. 24, 2015) (holding that the FTC can use its authority under § 5(a) of the Federal Trade Commission Act, which empowers the FTC to prevent “persons, partnerships, or corporations . . . from using . . . unfair or deceptive acts or practices in or affecting commerce,” to bring claims against companies that fail to employ reasonable and appropriate cybersecurity measures for consumers’ sensitive personal information), available at; Alison Frankel, Thanks to 3rd Circuit, companies are accountable for lax cybersecurity, Reuters (Aug. 24, 2015), available at

[36] Time Warner Cable Business Class, Security and New Technology Upgrades a Challenge for Small Business Owners According to Time Warner Cable Business Class Small Business Survey (May 2015), available at

[37] CloudEntr, The State of SMB Cybersecurity in 2015 (2015), available at

[38] Testimony of William Noonan, Deputy Special Agent, U.S. Secret Service Criminal Investigative Division Cyber Operations Branch, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies (Feb. 12, 2015), available at

[39] Id.

[40] Michael Hickins, What The Verizon Data Breach Report Means To Corporate Data Security, Forbes (Apr. 21, 2015) (quoting Naresh Persaud, senior director of Oracle’s security product marketing), available at

[41] J.D. Harrison, Small business leaders urge Congress to rethink cybersecurity measures, The Washington Post (Apr. 23, 2015), available at

[42] National Institute of Standards and Measures, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at

[43] Testimony of Steve Grobman, Intel Fellow and Chief Technology Officer, Intel Security Group, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), available at

[44] Id.

[45] Id.

[46] Testimony of Ola Sage, Founder and CEO, e-Management, before the Senate Committee on Commerce, Science, and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security (Mar. 19, 2015) (noting that her firm “could not find cybersecurity insurance products designed specifically for SMBs [because] [t]he cybersecurity insurance industry was and is still in a nascent stage.”), available at

[47] Trusted Integration, Trusted Integration Submits Responses to DHS’s RFI on Cyber Security Solutions for SMBs,

[48] Treasury Department Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636, 24 (2014), available at

[49] FireEye, Cybersecurity Strategies for Small to Medium-Sized Businesses, 3 (2014), available at

[50] Javier Ortiz, Cyber Espionage should concern us all, The San Diego Tribune (July 4, 2015), available at

[51] United Kingdom Department for Culture, Media & Sport and Ed Vaizey MP, New £5000 Government grant for small businesses to boost cyber security (July 16, 2015), available at

[52] In addition to prosecuting cybercriminals, government agencies can address systemic cybersecurity risks by using their regulatory authority to ensure that firms adopt a cybersecurity posture that will protect both themselves and their customers. For example, as discussed in footnote 35, supra, the Federal Trade Commission has authority to bring enforcement actions against companies that fail to implement reasonable and appropriate cybersecurity protocols for consumers’ sensitive personal information.

[53] Testimony of Richard Bejtlich, Chief Security Strategist, FireEye, Inc., before the U.S. House of Representatives Committee on Oversight and Government Reform Subcommittee on Information Technology (Mar. 18, 2015), available at

[54] The FBI’s recent announcement of a $3 million bounty for information leading to the arrest of a Russian hacking suspect who stole more than $100 million since 2011 is one example of how the FBI is actively pursuing the most dangerous cybercriminals. See Conor Gaffey, FBI Issues $3 million Bounty for Russian Hacker, Newsweek (Feb. 25, 2015), available at

Modified: Oct. 22, 2015