Cyber Security and the Small Firm Misconception
Big names in business tend to make big headlines, especially when it comes to data breaches and other forms of cybercrime. In contrast, it rarely makes the news when small- to midsize businesses (SMBs) fall victim to such attacks, which would seem to imply that it happens less often. This misconception is a dangerous blind spot for small business owners: nearly half (43%) of all data breaches occur at small businesses, according to Business News Daily.[1] Considering that nearly eight million small businesses operate in the U.S., it seems odd that SMB data breaches are not making the news every day.

The reason for this, according to a recent report by Axios, is not that attacks are not happening, but that victims are opting to keep them under wraps. “Small-business breaches are somewhat the neglected and underreported arena,” Sohail Iqbal, chief information security officer at Veracode, told Axios. “Financially motivated adversaries find SMBs a soft target due to the insufficient security controls and shortage of skilled resources at their disposal.”[2]

This reality is something the FBI is hoping to change through outreach, as noted by FBI Supervisory Special Agent Michael Sohn at a CNBC business event last December. “The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture… So, what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses.” Sohn added that basic cyber hygiene could have prevented nearly every cyberattack the FBI investigated.[3]

Indeed, changing the narrative on who is most vulnerable to cybercrime is crucial, considering a recent survey that found 59% of SMBs believe they are too small to be targeted.[4] For small- to midsize accounting firms, these dangers are especially real, as the finance and insurance industry is the second most-targeted in the world. So, what can you, the small firm practitioner, do to bolster cyber security?

Find and seal data leaks. Not to be confused with a data breach, a data leak is the accidental exposure of sensitive information that is not initiated by an external actor. For example, a 2021 UpGuard analysis of the public records of Fortune 500 companies revealed that half were leaking information cybercriminals would find useful for reconnaissance. The best ways to shore up these leaks include:[5]

  • Ensuring all software used within the organization has properly configured settings for each user.
  • Preventing the use of recycled (previously used) or otherwise weak passwords with too few characters or too few types of characters.
  • Continuous employee awareness training to improve vigilance against social engineering and other common scams.
  • Proper onboarding and offboarding procedures for employees and contractors, so that the loss of physical hardware or other devices is mitigated and the risk from potential malicious insiders is reduced.
  • Regular software evaluations to determine if and where software vulnerabilities exist.

Consider the value of cyber insurance. According to Forbes, 60% of small businesses that experience a cyberattack end up permanently closing their doors within six months.[6] For many, this is an alarming statistic, but doubly so when one considers that 64% of small business owners are not familiar with cyber insurance, AdvisorSmith reports.[7] Further, of those SMBs that are familiar with this type of insurance, the vast majority (72%) purchased it only after they or someone they know experienced a cyberattack, or after hearing about increased risks within their industry. The problem with this is that cyber insurance, like every other form of insurance, is only useful when purchased before tragedy strikes. All SMB leadership should strongly consider their cyber insurance options, especially if they do not have a dedicated IT department or a third-party solution.

Create and implement a data loss prevention (DLP) strategy. While a DLP strategy cannot prevent every form of data leak, recall that most cases investigated by the FBI could have been prevented with basic cyber hygiene practices. If your organization lacks a DLP strategy, now is the time to sit down and consider the following:[5]

  • Does your firm have a strong grasp of what information should be considered sensitive, and is that information being stored securely? Is it backed up?
  • Does leadership have visibility into the location of the firm’s data? Do you know where your business and client data are stored and who is responsible for managing them?
  • What are the security standards of any associated third-party vendors, and do their security measures protect your information?
  • Is network access within your firm being actively monitored?
  • Are your remote operations secure? As mentioned earlier, employees who can access organizational software on their phones, laptops or other devices should be regularly reminded of safe use practices and kept aware of trending social engineering and email/text/phone phishing scam risks.
  • Does your firm currently use a DLP software product?
  • Does your firm encrypt all of its data?

If the answer to any of these questions was ‘no’, or if your firm has yet to implement a DLP strategy, the time to act is now. Consider the steps outlined above as a guide to getting started with protecting your firm and its client data right away. Plus, join one of our summer learning programs to learn more about the latest cyber threats and mitigation techniques, available now on the MICPA Store.


  1. Halperin, Alex. “Worried About a Cyberattack? What It Could Cost….” Business News Daily. 21 Feb. 2023. Accessed on 28 Jun. 2023.
  2. Clark, Peter Alan. “Cyber Threats to Small Businesses Prompt….” Axios. 4 Apr. 2023. Accessed on 28 Jun. 2023.
  3. Thomas, Ian. “The FBI Is Worried About a Wave of Cyber Crime….” CNBC. 16 Dec. 2022. Accessed on 28 Jun. 2023.
  4. “51% of Small Businesses Admit to Leaving Customer Data….” 21 Mar. 2022. Accessed on 28 Jun. 2023.
  5. Tunggal, Abi Tyas. “What is Data Loss Prevention (DLP)?” UpGuard. 2 May 2023. Accessed on 29 Jun. 2023.
  6. Sayegh, Emil. “Businesses Shutting Down Business.” Forbes. 16 Aug. 2022. Accessed on 29 Jun. 2023.
  7. Mak, Adrian. “Report: 46% of Small Business Owners Not Familiar With Cyber Insurance.” AdvisorSmith. 30 Nov. 2021. Accessed on 29 Jun. 2023.

Source: MICPA