Skip to main content

How are small business owners tackling cybersecurity today?

Small business owners balance business innovation with cybersecurity. Presented by Chase for Business.

minute read


    • From payment fraud to supply chain disruption, cybersecurity threats are top of mind for business owners in 2024.
    • Unique risk factors make small businesses targets of cybercriminals.
    • Small businesses are learning new tactics to ramp up their defenses against cyberattacks.


    When you’re running a small or medium-sized business (SMB), it can be easy to put cybersecurity on the back burner. After all, the latest ransomware attack you read about couldn’t happen to your company ... right?

    But here’s the truth: According to a recent report by cloud security firm Astra IT, SMBs now account for 43% of cyberattacks each year, with attacks costing these SMBs an average of $25,000. For a large corporation, that might be just an annoying cost of doing business. But for a smaller company, it can be a massive hit that takes a long-term toll on profitability.

    In today’s digitally connected world, protecting your business against cyberthreats should be high on your priority list. And sure enough, the most recent Chase Business Leaders Outlook survey shows that cybersecurity is top of mind for many small business owners. So let’s dive in and look at the small business cybersecurity landscape, including the latest cyberthreats and the steps any owner can take to protect their business.


    What are the top cyberthreats for small businesses?

    According to the 2024 Chase Business Leaders Outlook survey, 46% of small business owners are “very” or “extremely concerned” about cybersecurity. But while scary threats like ransomware grab headlines, as a small business owner you’re most likely to worry about simpler threats:

    • Payment fraud — At 16%, payment fraud ranks as the top cyberthreat concern in the year ahead. Payment fraud occurs when cybercriminals access your business payment systems through tactics like phishing to steal or redirect funds via unauthorized withdrawals or fraudulent purchases.

    • Malware — Coming in a close second at 15%, malware (aka malicious software) infects networks and devices, often through email spoofing and look-alike domains . Malware can be a gateway for ransomware attacks, which happens when cybercriminals lock you out of your computers and demand a ransom to let you back in. Malware-led attacks like these can be disruptive for any company, especially a small or medium-sized business with fewer resources to recover from it.

    • Data theft — Tied for second place at 15%, data theft occurs when sensitive business information is accessed and stolen through tactics like phishing scams that use email spoofing. The data can include customer records, financial information, intellectual property or other company assets. More than a breach of information, data theft is a breach of trust with your customers that has the potential to cause lasting damage to business operations and customer relationships.

    • Supply chain disruptions — A cyberattack is one way to disrupt a supply chain that you may not have considered. When a critical third-party vendor or supplier gets hacked, it can also expose your business operations to risk. While actual incidents are rare, 9% of survey respondents see supply chain disruption as a risk that can’t be ignored, given how interconnected modern business is.


    Why small businesses are targets

    Why would cybercriminals zero in on local stores or small service companies rather than a big corporate whale? Turns out, smaller businesses have specific vulnerabilities that can make them softer targets:

    • Smaller security budgets — Large companies spend millions on cybersecurity teams, tools and training. For small businesses, a more cost-conscious approach is often the best they can do within their budget constraints.

    • Competing demands — Even the most cyber-savvy small business can’t always focus on security while juggling sales, customer service, operations and everything else.

    • Training new hires — Small businesses often have limited resources for thorough cybersecurity training, so getting new employees up to speed on cyberthreats like phishing scams, best password practices or safely handling sensitive data can be a challenge.

    • Automated attacks — Many SMBs are often just innocent bystanders caught in an attack focused on larger prey that affects the whole business ecosystem.

    • Deep (enough) pockets — Attackers sometimes bank on smaller businesses having the insurance or cash reserves to pay ransoms, without the same resources to defend themselves that larger companies have.


    Simple ways to safeguard your business

    The good news is that protecting your small business from cyberattacks doesn’t have to be that complicated or expensive. By putting practical safeguards in place, a little cyber defense can go a long way:

    • Prioritize staff training — Regular security awareness training can turn your staff into your first and best line of defense. Specifically train your team to spot sneaky phishing scams via subtle changes in the spelling of web domains or email addresses. Also train them to identify social engineering schemes and other attacks aimed at fooling them.

    • Use strong passwords — Use strong, unique passwords and change them up regularly. Go for at least 12 characters with a mix of letters, numbers and symbols. Turn on multifactor authentication for extra protection in case a password is stolen. Roll out a password manager so that cybercriminals can’t easily hack into your accounts and systems.

    • Leverage free protections — Take advantage of free antivirus apps, firewalls, endpoint security and email filtering that are included in operating systems and software. They provide a solid defense against common attacks.

    • Back up regularly — Keep current backups of critical data, files and systems. Use separate drives and the cloud. Regularly test restoring from backups to make sure you can get up and running again if disaster strikes.

    • Keep up with updates — Make it a habit to patch and update your operating systems, software, apps, plugins and platforms as soon as stable updates are available. The best time to shut down security flaws is before criminals can exploit them.

    • Review controls and policies — Review delegation, oversight and security policies, and double check who has access to your accounts. Validate payment requests made over the phone by calling back using known phone numbers. Audit any systems where employees can access data, which devices they use and what business channels they can share on. Set security policies and enforce them. Purchase look-alike domains to prevent them from being used against you. For example, this could mean buying misspellings like “” to protect yourself from typosquatting (when fraudsters register domains with slight misspellings to trick people).


    The takeaway for small business owners

    Whatever kind of company you own, you don’t need the nightmare of falling for a cyberattack to learn just how crucial cybersecurity can be for your business.

    The good news is that by focusing on things like staff training, strong passwords, software updates, data backups and solid cybersecurity policies, you can manage your cyber defenses without breaking the bank.

    Implementing even a few of these security basics can quickly take your defenses from an afterthought to a priority and put your company in a much stronger position. Don’t wait for a breach — it’s worth investing a little time and effort now to secure your business against a future attack.

    Looking to strengthen your small business against cyberthreats? Reach out to a Chase business banker today. We’re always ready to help small business owners take care of what matters most.


    About the 2024 Business Leaders Outlook survey

    This survey was conducted by Chase Insights from November 9 through 20, 2023. It features data from 1,012 business leaders across the professional services, retail, technology, healthcare and other key industries. The results of this online survey are within statistical parameters for validity, and the error rate is plus or minus 3.1% for the findings, at the 95% confidence level.