Small Business Currents

3 Cybersecurity Risks Small Businesses Need to Know in 2026—and How to Prepare

Cybersecurity

Most owners of small and medium-sized businesses (SMBs) begin carrying a massive burden well before their organization creates a searchable website. Building a business plan, budgeting, hiring, marketing, and acquiring legal representation are the tip of the iceberg—and they only get an SMB started. The responsibilities can seem endless, and to make matters even more stressful, they often fall outside the scope of expertise of an SMB owner.

Now add another mission-critical competency to the list: cybersecurity. According to the World Economic Forum’s “Global Cybersecurity Outlook 2025” report, “some 35% of small organizations believe their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022.” Given the current landscape, the percentage of SMB owners and operators who are at significant risk of cyber threats but just aren’t aware of it is likely much higher.

SMB owners are busier than ever at the start of a new year—a time when they are often poorly equipped to face increasingly sophisticated and accessible cyberattacks. It all adds up to these businesses being more attractive targets for bad actors, which means it is essential for SMBs to understand the risks and begin implementing a plan to combat large and emerging cyber threats.

The Emerging Cybersecurity Threats You Should Know

Artificial intelligence

The threat of AI to all businesses takes many forms, making it incredibly difficult for smaller operations to get their arms around. The risk often stems from a simple lack of recognition of threats, including deepfakes, phishing scams, and AI-generated malware. Businesses are also often unaware of how employees are using AI-powered chatbots like ChatGPT or Gemini, which can inadvertently create an access portal to a company’s sensitive information. Because many SMBs haven’t yet invested in AI security, many owners have no idea what their company’s exposure to AI-driven cybersecurity risk may be.

Compromised credentials

An enormous percentage of all security breaches fall into the category of compromised credentials, essentially a subset of the AI threat—but one that merits its own category. The proliferation of artificial intelligence and its growing connectivity to our everyday systems allows bad actors to create convincing deepfakes that take advantage of human error to collect credential information. This is particularly true among SMBs.

Example: An employee receives a message on Teams from someone who appears to be the company’s IT manager (an identity that could be found on LinkedIn) asking for that employee’s credentials to fix an issue in Salesforce. The communication is professional but conversational—quite human-like, politely seeking information that would seem a reasonable enough request from that employee. It is one of the simplest yet most effective forms of social engineering, increasingly used by threat actors.

Cyber inequity

Returning to the World Economic Forum’s annual report, “71% of cyber leaders at the Annual Meeting on Cybersecurity 2024 believe that small organizations have already reached a critical tipping point where they can no longer adequately secure themselves against the growing complexity of cyber risks.” Small businesses inherently face greater cybersecurity risks due to a relative lack of resources, which has only encouraged threat actors to redouble their efforts to target SMBs. And unlike larger companies, whose valuation and scale can build in a level of resilience, 78% of SMBs that suffer a breach are out of business within four months.

How Small Businesses Can Create Cybersecurity Resilience

There is no such thing as a cybersecurity magic bullet. No matter the size of a business, every organization must create a cybersecurity plan that investigates how employees are using technology and systems in any work capacity, identifies breach risks, including supply chain vendors and other third-party partners, and builds in preventive tactics and countermeasures with a combination of tech tools, expert surveillance, and response. Workforce cybersecurity training should also be part of this plan, along with routine follow-ups with refreshers and updates.

If that sounds weighty and potentially cost-prohibitive, your instincts are probably correct. Creating an in-house security operations center (SOC) is a $2 million investment, and a 16- to 24-person outfit would cost roughly another million dollars annually to run. Qualified analysts are also becoming increasingly hard to come by, as more companies are getting wise to the dangers of insufficient cybersecurity infrastructure. For many start-ups, developing their own SOC would likely feel like creating two small businesses.

The logical solution for most SMBs, then, is a third-party security operations center. Rather than attempting to build a SOC from scratch (often without the benefit of experience or expertise in implementing that process), small businesses can hire an outside agency to take stock of their cybersecurity outlook—work systems, day-to-day operations, resources—to determine their exposure risk and provide guidance, training, hands-on services, or some combination of all of the above.

Most small businesses simply lack the financial resources and know-how to create and operate their own security operations center. A trusted vendor featuring a team of analysts and experts steeped in modern cybersecurity can provide SMBs with the always-on tools and expertise to protect their business and systems from the evolving threat of cyberattacks.

Stephan Tallent is a cybersecurity revenue leader with more than 20 years of experience building and scaling managed security and partner-led businesses, including a decade at Fortinet. As Chief Sales Officer at ArmorPoint, he leads sales and go-to-market execution with a focus on accelerating partner-sourced growth, expanding recurring revenue, and enabling MSPs and MSSPs to deliver differentiated security outcomes for their customers.
