
Cyberattacks Targeting Small Businesses

Common Cyberattacks on Small Businesses

As cyberattacks become more and more prevalent, cybercriminals are increasingly setting their sights on small businesses. While the payoff for hackers may not be as large when targeting smaller businesses, the success rate for an attack is generally much higher, as many small businesses lack the resources and expertise to implement robust cybersecurity protocols.

In order to better protect your business from cyber risk, you must first understand the types of threats you are likely to face. In this article, we cover some of the most common cyberattacks and threats that target small businesses, as well as a few best practices to safeguard against these risks.


Small Business Cyber Threats

While there are a number of different cyber threats and attacks, below we’ve listed some of the more common ones that small businesses may see.


Ransomware

Ransomware is any malicious software that infects a device and locks down the system or blocks certain resources until the business pays a ransom. Ransomware has become a much more popular method of cyberattack in recent years, with hackers often asking for payment in bitcoin or other hard-to-track digital currencies.

Ransomware often comes in two main forms:

Your computer systems can be infected with ransomware through a variety of means, including clicking on malicious emails or links, downloading infected files and attachments, or visiting unsafe websites.

Double Extortion Ransomware

Double extortion ransomware is a form of ransomware that is even more damaging for a victim. In a double extortion attack, the hackers threaten not only to prevent access to the victim’s system or data, but also to release the data to the public. This can be particularly damaging for small businesses with sensitive or confidential data, like protected health information or financial records.

Private business data that is released to the public or dark web can create even more headaches for a small business. The business may face litigation from customers whose data was compromised, regulatory fines, or shareholder lawsuits. The potential damage for a business can lead hackers to ask for greater ransom amounts, further exacerbating the problem.


Malware

Malware is any type of software intentionally designed to damage or exploit a computer, device, server, or network. Malware can come in many forms, including viruses, spyware, Trojan horses, worms, ransomware, and adware. This malicious software can also be spread through a variety of means, including email attachments, malicious links or apps, infected USB drives, filesharing, messaging, and more.

Spear Phishing

While you may have heard of phishing, which is when a hacker poses as a trusted authority in order to gain personal information like passwords or credit card numbers, spear phishing is a more sophisticated form of phishing that uses personalization to trick the victim. While phishing attacks are often done at a large scale with non-personalized messaging, spear phishing attacks are targeted at specific individuals, often using unique details like location, names of friends or colleagues, or names of businesses the victim works with.

Spear phishing attacks have a much higher success rate than ordinary phishing, as hackers put more time and effort into finding personal information on the victim to make any messaging look more trustworthy and believable. Once the hacker gains the trust of the victim, they usually make a simple request, like asking the victim to click a link, open an attachment, or provide credentials.

Even if just one of your employees falls for a spear phishing attack, your entire company may be at risk. Once a hacker gains access to one device or platform, they can quickly make their way into other devices or systems on the network.

Credential Stuffing

Credential stuffing is a simple and common way that small businesses may be hacked. Essentially, credential stuffing is taking a username and password and trying them on a variety of websites. If a cybercriminal has somehow obtained an employee’s username and password for their Facebook account, for instance, they may try the same username and password to log in to corporate accounts, bank accounts, and more.

Credential stuffing is not the most sophisticated cyber threat, but it is often successful as many people reuse usernames and passwords across multiple sites and platforms. If a hacker can obtain just one of these credentials, they could potentially have access to a myriad of accounts. 
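As an added illustration (not part of the original article), here is one way a defender could spot the pattern described above in login records: a single source trying many different usernames, with most attempts failing. The event format, thresholds, and sample data are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2024-03-04T02:00:01", "198.51.100.7", "alice", False),
    ("2024-03-04T02:00:03", "198.51.100.7", "bob", False),
    ("2024-03-04T02:00:05", "198.51.100.7", "carol", False),
    ("2024-03-04T02:00:07", "198.51.100.7", "dave", True),
    ("2024-03-04T02:00:09", "198.51.100.7", "erin", False),
    ("2024-03-04T02:00:11", "198.51.100.7", "frank", False),
    ("2024-03-04T09:01:00", "203.0.113.20", "alice", True),   # shared office IP
    ("2024-03-04T09:02:00", "203.0.113.20", "bob", False),
    ("2024-03-04T09:02:20", "203.0.113.20", "bob", True),
    ("2024-03-04T09:05:00", "203.0.113.20", "carol", True),
    ("2024-03-04T10:00:00", "192.0.2.50", "erin", False),     # one user, forgotten password
    ("2024-03-04T10:00:10", "192.0.2.50", "erin", False),
    ("2024-03-04T10:00:20", "192.0.2.50", "erin", False),
]

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.75):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when, within one sliding time window, it tried at
    least `min_users` distinct usernames and most of those attempts failed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Any success from this source points to a reused password.
                findings[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return findings

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```

Accounts listed for a flagged source are the ones to prioritize for a password reset and session review.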

Business Email Compromise

Business email compromise (BEC), or email account compromise (EAC), attacks are increasing in frequency, with devastating losses for businesses. These attacks involve tricking the victim into thinking they are receiving email from a legitimate, trusted source, and then convincing the victim to share confidential data, wire money, or take some other compromising action.

BEC attacks can be carried out through a variety of methods, including spear phishing, spoofing (creating an email or website that looks authentic), or malware. Cybercriminals have been known to pose as vendors, partners, senior-level executives, customers, and other trusted entities. All it takes is one employee to fall for a scam, and your entire business could be put at risk. 


Doxing

Doxing (or doxxing) is a type of cyberattack that is used to obtain and release embarrassing, confidential, or sensitive information about the victim. Generally, the purpose of doxing is to extort the victim or cause reputational or financial damage. For small businesses, your leaders may be most at risk of doxing. If negative information on your leadership is released to the public—even if it has nothing to do with the business itself—it could have a detrimental effect on your business as a whole.

Doxing can be achieved through a variety of methods, including phishing, tracking IP addresses, or using data brokers to purchase information on a victim. 

Protecting Your Small Business Against Cyberattacks

While the list of cyberattacks may seem daunting, there are a number of simple actions your business can take to protect your data and systems, as well as mitigate risk. Just as an alarm system for your business may ward off potential criminals, basic cyber protections can help to prevent cyberattacks and data breaches. Here are a few steps you can take:

Do small businesses need cyber insurance?

Small businesses can benefit from cyber insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches likely involves security lapses at large corporations, like Equifax or Target, the reality is small businesses are just as at risk.

In fact, small businesses may be even more vulnerable, as many smaller companies lack the time, expertise, and resources to establish advanced security protocols, train employees, and implement strong digital protections. Additionally, the financial costs necessary to remediate a data breach may be out of reach for smaller businesses.

Cyber insurance can provide small businesses with the financial support they may need in the event of a cyberattack.

What does cyber insurance cover?

Cyber insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events. Cyber insurance has two major components: third-party liability coverage and first-party coverage. 

First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.

Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen. 

How much does cyber insurance cost?

The average cost of cyber insurance in the U.S. was $1,485 per year in 2020, and our mid-year update in 2021 found that average premiums had risen 7% to $1,589 per year, driven by an increasing number of cyber and ransomware attacks on businesses and a rise in demand for cyber coverage.

The costs of insuring your business against data breaches and hacking attacks will vary based upon the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost of cyber insurance in each state, along with the difference between the state average and the national average.

| State | Average Cost of Cyber Insurance | Difference from National Average |
|---|---|---|
| Alaska | $1,532.89 | 3.23% |
| Alabama | $1,539.40 | 3.67% |
| Arkansas | $1,646.50 | 10.88% |
| Arizona | $1,581.50 | 6.50% |
| California | $1,430.18 | -3.69% |
| Colorado | $1,521.67 | 2.47% |
| Connecticut | $1,593.62 | 7.32% |
| District of Columbia | $1,539.25 | 3.66% |
| Delaware | $1,446.47 | -2.59% |
| Florida | $1,529.82 | 3.02% |
| Georgia | $1,450.54 | -2.32% |
| Hawaii | $1,519.46 | 2.32% |
| Iowa | $1,505.73 | 1.40% |
| Idaho | $1,483.70 | -0.08% |
| Illinois | $1,434.59 | -3.39% |
| Indiana | $1,484.06 | -0.06% |
| Kansas | $1,501.38 | 1.11% |
| Kentucky | $1,587.10 | 6.88% |
| Louisiana | $1,623.94 | 9.36% |
| Massachusetts | $1,380.59 | -7.03% |
| Maryland | $1,471.18 | -0.93% |
| Maine | $1,467.39 | -1.18% |
| Michigan | $1,339.33 | -9.81% |
| Minnesota | $1,708.11 | 15.03% |
| Missouri | $1,509.00 | 1.62% |
| Mississippi | $1,472.55 | -0.84% |
| Montana | $1,478.29 | -0.45% |
| North Carolina | $1,421.49 | -4.27% |
| North Dakota | $1,464.42 | -1.38% |
| Nebraska | $1,485.64 | 0.05% |
| New Hampshire | $1,431.99 | -3.57% |
| New Jersey | $1,615.25 | 8.77% |
| New Mexico | $1,355.36 | -8.73% |
| Nevada | $1,507.55 | 1.52% |
| New York | $1,616.70 | 8.87% |
| Ohio | $1,553.68 | 4.63% |
| Oklahoma | $1,513.03 | 1.89% |
| Oregon | $1,462.50 | -1.51% |
| Pennsylvania | $1,466.49 | -1.24% |
| Rhode Island | $1,541.58 | 3.81% |
| South Carolina | $1,398.83 | -5.80% |
| South Dakota | $1,489.45 | 0.30% |
| Tennessee | $1,500.20 | 1.03% |
| Texas | $1,459.22 | -1.73% |
| Utah | $1,515.10 | 2.03% |
| Virginia | $1,467.83 | -1.15% |
| Vermont | $1,457.70 | -1.83% |
| Washington | $1,449.80 | -2.37% |
| Wisconsin | $1,523.03 | 2.56% |
| West Virginia | $1,629.64 | 9.74% |
| Wyoming | $1,426.89 | -3.91% |

Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.

Final Word

As cyber risk continues to increase for small businesses, it’s important that you stay informed and aware of possible threats, as well as understand how to protect your business against cyberattacks. For most small businesses, even implementing a few simple security measures and training protocols can mean the difference between safety and disaster. While there is a lot to learn in this space, the first step is understanding what the threats are. From that point, you can determine how and what you can do to better prepare your business for cyber threats. If you feel like you need cyber insurance and aren’t covered, check out our analysis of top cyber liability insurance companies.

Expert Commentary

AdvisorSmith spoke with the following experts to provide critical insight on cyber risk for small business owners.

Mathias Plass

  • Assistant Professor, Management Information Systems
  • Lewis University

Shaji Khan

  • Associate Professor, Information Systems and Technology
  • University of Missouri-St. Louis

Tirthankar Ghosh

  • Associate Director and Professor
  • Center for Cybersecurity
  • University of West Florida

Q. Should small businesses be concerned about cyber risk?

Q. How can a business effectively organize and manage cyber risk?

Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
