Although major data breaches make headlines, smaller companies are at a larger risk.

Yahoo. Equifax. Marriott. High-profile data breaches involving hundreds of millions of users have become regular occurrences, and their frequency is increasing.

However, more data breaches happen every day than anyone can reliably count, and it’s because they’re happening to organizations that aren’t large enough to make headlines.

Cybercriminals know large-scale enterprises and governments have a huge digital “surface area” that makes them vulnerable to attack. At the same time, however, these large organizations have access to substantial cybersecurity resources and can sometimes even strike back at cybercriminals.

Small and mid-size businesses (SMBs) are a far more attractive threat for most cybercriminals, as shown in our recent white paper, IT Department Security: Password Management Report. The payouts tend to be lower, but so is the risk, and so are the security budgets these organizations tend to field.

As a result, SMBs make up a full 50% of reported cybercriminal victims. Yet, according to the 2019 SMB Cyberthreat Study, 21% of respondents ranked cybersecurity as the least of their worries.

Secure Infrastructure Doesn’t Guarantee Security

Smaller organizations will always have smaller security budgets than enterprises. This is a fact that is not likely to change.

But the technological environment that these organizations inhabit has changed a great deal over the past few years. One of the biggest changes to happen during this time is the move towards cloud applications and software-as-a-service (SaaS) solutions for SMBs and enterprises alike.

While it might be tempting to say the movement towards cloud computing is to blame for the increase in data breaches, that is not the case. Security experts almost universally agree cloud security is superior to on-premises hardware and other traditional technology solutions, especially for small businesses.

Instead of pointing the finger at various technologies, SMB leaders and IT professionals need to accept the fact that secure infrastructure doesn’t automatically grant best-in-class security.

The fact that 81% of hacking-related data breaches leverage weak or stolen passwords is compelling evidence. No security system, no matter how complex, can compensate for bad security decisions — like giving away access to sensitive data by “locking” it behind a bad password.

Establish a Security Policy and Be Prepared for Violations

The important thing for SMB leaders to know is that cybercrime is a constant and dynamic threat. Today’s cybercriminals are using different tools and techniques than the ones who made headlines last year or the year before that.

As a result, any cybersecurity policy that a small business puts in place has to be equally dynamic. Your cyber defenses need to accommodate the constantly changing nature of effective cybersecurity, relying on data gleaned from industry-wide trends as well as your company’s own in-house security profile.

IT leaders who recognize that security needs can, and will, change over time must also be prepared for security violations on behalf of their staff.

In a perfect world, every employee would always follow every order to the letter. In reality, cybersecurity-oriented IT leaders need to balance their policies with an appreciation for their employees’ real-world behaviors.

Yes, some employees are going to write down their passwords. Some of them are going to email login credentials to one another without encrypting them. A good cybersecurity policy doesn’t just tell employees not to make these mistakes — it also stipulates what kind of corrective action you can take when they do.

Small Businesses Need Streamlined Security

There is an essential trade-off between security and UX design. 

If you put too many authentications and verifications between your users and the processes they need to complete, your employees will find ways to work around them and defeat their purpose. If you don’t implement authentications and security verifications, you leave your organization vulnerable to cyberattacks.

The key, especially for SMBs, is investing in cybersecurity resources that streamline the user experience (UX) rather than stunt it. Security tools that reduce UX friction offer better outcomes than more feature-heavy tools with lower rates of real-world user adoption.

When it comes to cybersecurity, the bottom line is that a security tool only generates value if users utilize it as intended. Security systems that help move users along — like password managers and biometrics — offer far better returns than ones that stand in their way.