Cyber Attacks: Why Small Businesses Are Prime Targets & How to Protect Your Company

Cybercrime is no longer a distant threat for large corporations; it's a clear and present danger for businesses of all sizes. According to the latest Hiscox Cyber Readiness Report, the frequency and severity of attacks are rising sharply, with small and medium-sized enterprises (SMEs) increasingly in the crosshairs. In an exclusive interview, Gisa Kimmerle, Head of Cyber at the specialist insurer Hiscox, breaks down the critical findings and offers actionable advice for business owners.

This deep dive explores why cyber insurance is becoming essential, how attack strategies are evolving, and the sobering realities of ransomware payments. Whether you run a small startup or a mid-sized firm, understanding this landscape is crucial for your company's survival.

The Alarming State of Cyber Attacks: Key Data from the Report

The report paints a concerning picture, particularly for Germany:

  • Surge in Attacks: The percentage of German companies experiencing cyber attacks rose from 46% to 58% year-over-year. The median number of attacks per firm increased from 6 to 10.
  • High-Risk Sectors: Globally, industry, logistics, and the energy sector were the most targeted over the past three years. Logistics saw the highest cost increase (up 28%).
  • Top Business Risk: German companies now rank cyber attacks as their number one business risk, ahead of even the talent shortage.

Financial Impact: An Existential Threat for Many

While the median cost of an attack decreased slightly to €14,800, the tail risk is severe. One in eight firms faced costs exceeding €250,000. Most alarmingly, 21% of attacked companies reported that the impact was so grave it threatened their very economic existence.

"This is precisely why it is essential for small and medium-sized firms to take out good cyber liability insurance and protect themselves against existential risks, such as a prolonged business interruption," emphasizes Kimmerle. She highlights the critical importance of assistance services included in policies, as SMEs often cannot quickly access the necessary experts or service providers in an emergency.

Evolving Hacker Strategies: Business Email Compromise Leads the Way

The threat landscape is dynamic, with criminals professionalizing their operations. The most popular attack method remains Business Email Compromise (BEC), accounting for 35% of incidents, followed by hacking via corporate or cloud servers (31% and 29%). A significant 43% of companies suffered financial loss due to payment diversion fraud, where criminals use fake domains to send fraudulent payment instructions.

Why Small Businesses Are Vulnerable Targets

Contrary to the belief that they fly under the radar, small businesses (up to 49 employees) saw a 50% increase in attack rates, now standing at 38%. They are often victims of untargeted attack waves designed to hit as many companies as possible with a bundle of different malware.

"If an email is sent out millions of times, an opening rate of just one in 1,000 emails with malware is enough," Kimmerle explains. "Smaller companies often have fewer financial resources to secure their IT infrastructure and are thus often an easier target." However, awareness is growing. Average spending on cybersecurity in Germany has risen 39% over three years to €155,000, with micro-companies (under 10 employees) quadrupling their investment in two years.

The Ransomware Dilemma: To Pay or Not to Pay?

Ransomware remains a severe threat, affecting 22% of hacked companies. Phishing emails are the primary delivery method (74% of cases). The report reveals a troubling trend: 55% of German firms that were attacked paid the ransom, up from 46% the previous year (though still below the global average of 63%). The median ransom paid rose to €9,844.

Common reasons for paying included protecting sensitive company and customer data (43% and 42%) and resuming operations quickly (40%). However, Kimmerle strongly advises against payment, citing stark data:

  Outcome of ransom payment                Percentage of cases
  Data fully restored                      only 37%
  Victim of a subsequent attack            24%
  Stolen data published despite payment    34%

"A ransom payment does not guarantee a favorable outcome," she states. "A regular backup of sensitive data is a much more effective means of not making yourself vulnerable to extortion by cybercriminals."

Essential Prevention Strategies: Building a Resilient Defense

Kimmerle outlines a multi-layered approach to cybersecurity that goes beyond basic software:

  1. Strengthen Core IT Infrastructure: Maintain secure firewalls, keep all systems updated, and employ network segmentation to isolate and protect critical data.
  2. Implement Rigorous Patch Management: Continuously scan for and apply software patches to close security gaps. Effective security is only as strong as its weakest link.
  3. Develop a Robust Backup Strategy: Given sophisticated attacks, online backups connected to the main system are no longer foolproof. Kimmerle recommends incorporating offline, analog storage (e.g., on disconnected USB drives or tapes) as part of a comprehensive backup plan.
  4. Invest in Employee Training: Since phishing is the top attack vector, regular training to recognize suspicious emails is a critical first line of defense.
  5. Secure Financial Transactions: Implement verification protocols for payment instructions, especially those requesting changes to bank details.
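One way to put item 5 into practice against the payment diversion fraud described above: an added Python example (not from the report or from Hiscox) that screens an incoming payment instruction against a vendor registry, flagging lookalike sender domains and any change of bank details so that they are confirmed out of band before money moves. The vendor names, domains, IBANs and the sample instruction are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed vendor registry: the e-mail domain and IBAN on file for each supplier.
VENDORS = {
    "Acme Logistics GmbH": {"domain": "acme-logistics.example",
                            "iban": "DE89370400440532013000"},
}

@dataclass
class PaymentInstruction:
    vendor: str   # supplier the e-mail claims to come from
    sender: str   # From: address of the e-mail carrying the instruction
    iban: str     # account the e-mail asks us to pay into

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def _edit_distance(a, b):
    # Levenshtein distance: a sender domain one or two edits away from the
    # registered one is the classic fake-domain pattern (acme-logistcs vs acme-logistics).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _iban_valid(iban):
    # ISO 13616 mod-97 check: move the first four characters to the end,
    # map letters to numbers (A=10 ... Z=35) and require remainder 1.
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def review_instruction(instr):
    """Return findings; an empty list means no out-of-band confirmation is needed."""
    record = VENDORS.get(instr.vendor)
    if record is None:
        return ["unknown vendor: confirm by phone before any payment"]
    findings = []
    sender_domain = _domain(instr.sender)
    if sender_domain != record["domain"]:
        dist = _edit_distance(sender_domain, record["domain"])
        kind = "lookalike" if dist <= 2 else "unregistered"
        findings.append(f"{kind} sender domain {sender_domain!r} (distance {dist})")
    norm_iban = re.sub(r"\s+", "", instr.iban).upper()
    if not _iban_valid(norm_iban):
        findings.append("IBAN fails checksum")
    elif norm_iban != record["iban"]:
        findings.append("bank details differ from vendor record: confirm by phone "
                        "using the number on file, never a number from the e-mail")
    return findings
```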

Conclusion: Proactive Protection is Non-Negotiable

The data is unequivocal: cyber risk is a mainstream business risk. For SMEs, the combination of being a softer target and facing potentially existential costs makes proactive preparation essential. This involves a dual strategy: implementing robust technical and procedural cybersecurity measures and transferring the residual financial risk through a comprehensive cyber insurance policy with expert incident response support. In the digital age, this isn't just IT management—it's fundamental risk management for business continuity.