Only 50% of Cyber Security Attacks Target Small Businesses

  • According to the National CyberSecurity Alliance, over 50% of cyber attacks today target the SMB market. This might sound scary, but if you are in the SMB this is great news. Of course, if you are in the enterprise, this is very bad, but not unsurprising, news.

    It's all about statistics. Something like 99.9% of all businesses are small businesses. So if attacks were "even", SMBs would get 99.9% of the attacks.

    Of course I made up the 99.9% number. If you want to do the math, the actual ratio as of 2010 is 27,900,000 SMBs to 18,500 SME or larger companies. That's 1550:1. So far less than .1% are not SMBs. And that's an extremely liberal use of SMB. Most people still consider the majority of the 18,500 larger companies to still be SMBs and IBM officially considers anyone smaller than the 18,500 to not even be a company at all! So we are being extremely generous with the numbers here.

    So since we know that just a small handful of companies in the pool of 18,500 largest companies get half of all of the cyber attacks, that leaves almost no attacks for the remaining 27.9 million small companies. That means that there is only something like a .03% chance that your SMB will ever be targeted at all by a cyber attack, let alone have it be a serious threat. As we know, the majority of cyber attacks fail.

    So thanks to Dara IT and @Breffni-Potter who pointed us to this interesting bit of security wisdom. Who knew that the SMB was so safe and had so little need of protection?

    Actually, most of the SMB actually does know this. Most SMBs have essentially no security, do almost nothing to protect themselves, and almost always get away with it. Imagine how safe they could be if they actually tried in any way at all! We actually see this lack of attacks play out every day as small companies hire incompetent IT professionals, do nothing to actually be secure, follow myths that undermine real security, and yet stay safe.

    What most people interpret this as is that the security myths actually work and are protecting them. But that is not the case. In reality, it is simply that the threat was imagined - it never really existed. Not unlike how companies pay for, but get scammed on high availability systems, but never catch on because the actual trick was convincing them that the systems were so fragile in the first place when they were not. So they never notice the lack of HA, because it was never needed.

  • This is why math is so important. I think the original article was meant to convince people in the SMB that they were at risk. But the math shows instantly that it says exactly the opposite. Anytime someone gives you a stat, always go to the math and see what that stat really tells you.

  • Is it half of all cyber attacks performed?

  • @tim_g said in Only 50% of Cyber Security Attacks Target Small Businesses:

    Is it half of all cyber attacks performed?

    Yes, that is how they worded it.

  • Not half of all successful.

  • What are you defining as a cyberattack?

    SQL injection attempts on websites?
    mass scan activity?
    Apache Struts attacks?
    email phishing attempts?

    I work for a very small electronics firm that makes infrastructure monitoring stuff for service providers (cell, electricity, police, local state fed govt).

    There are thousands of these types of login attempts on our portal site and other sites here daily, mainly from Russia and China IP ranges.

  • @momurda said in Only 50% of Cyber Security Attacks Target Small Businesses:

    What are you defining as a cyberattack?

    Where "you" = "National CyberSecurity Alliance"
