Cybersecurity: The New Catalyst For SMB Growth
SMBs are at a critical crossroads, where the drive to innovate is colliding with the escalating pressure to defend against increasingly sophisticated cyberattacks. Shots are being fired from all directions, with the traditional threats of malware, phishing and ransomware intertwining with AI advances, human insider risk and the seemingly impossible challenge of securing the supply chain.
Add to this the ever-evolving demands of regulatory compliance, and SMBs, in no uncertain terms, have their work cut out. But despite these challenges, midmarket businesses should not see security as an innovation blocker.
Turning strategy on its head, threats can become opportunities as cyber strategies shift from a defensive necessity to a proactive business catalyst that propels growth.
Challenge One – Achieving Business Cyber Resilience
The reality is that even with all the defences available today, cyberattacks are on the rise. 48% of SMBs have experienced an attack in the last year, meaning it’s no longer a question of whether a business will encounter threat actors, it’s a question of when. It takes an average of 258 days for security teams to identify and contain a data breach, according to the Cost of a Data Breach Report 2024, released by IBM and Ponemon Institute, and by that point you’re already on the back foot. If an attack is inevitable, then it’s not just about the breach. It’s also about the bounce back.
- 43% of organisations that experienced a breach lost existing customers because of the attack.
- 60% went out of business within six months.
When an attack happens, the speed at which a business recovers and becomes fully operational again will make or break its chances of success, which is why business cyber resilience needs to be achieved.
Business cyber resilience is the ability to withstand, adapt to and rapidly recover from cyberattacks while continuing critical operations, and the key to achieving it is to plan and test.
A Cyber Incident Response Plan (CIRP) should be a documented, written plan covering the six important phases: preparation, identification, containment, eradication, recovery and lessons learned. Backed by regular updates and training, it will help IT teams and employees to recognise and handle a data breach or cyberattack. Remember, the threat landscape is ever evolving, so what works today may not work tomorrow. Plan, test and test again – regularly – to reveal flaws in your plan and to ensure a level of business cyber resilience that will keep data protected and the business thriving.
There’s no point waiting for a breach to happen, only to discover that your response plan includes a two-week rollback – a real-life anecdote which resulted in the sinking of the business in question. On another occasion, an SMB was hacked via a voice phishing social engineering attack. This led to a financial loss when a human was socially engineered into transferring data without the correct processes in place to ensure that the transfer and its destination were legitimate.
Challenge Two – Handling Regulatory & Compliance Pressures
SMBs are under more pressure than ever to meet regulatory and compliance demands but many don’t know where to start. Knock on the door of any small or midmarket business and ask them to explain the incoming changes to the NIS2 Directive or whether they can cite the key expectations of ISO27001. It takes a proactive, conscious effort and real expertise to keep on top of regulatory compliance, but being able to classify your data is where many SMBs hit the first hurdle. They can’t classify their data, because they don’t know where it is. You need to be able to identify and document where your data sits so that it can be controlled. In my experience, SMBs are getting better at fixing the plumbing of security – device management, BYOD (Bring Your Own Device) policy and mobile application management – but compliance is all about data.
What do you have, where is it and is it likely to cause an issue? Many SMBs can’t answer these questions, which makes securing the data feel like a mountain to climb.
My advice? Start with discovering what data you have by leveraging tools such as Microsoft Purview, where you can gather insights that help to deduce what data you have and where it sits, before deciding what taxonomy the organisation will adopt. Labelling of data can then govern what can be accessed and by whom, and whether it is public, general, confidential or highly confidential. From here, data flows can be mapped out against the adopted taxonomy. This puts businesses in a strong position for proving adherence to compliance regulations.
Once the data handling processes are in place, data loss prevention can be adopted, helping the organisation to secure the data, supporting growth, building confidence with customers and creating trust, which can become real market differentiators in the SMB space.
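The discovery-then-label-then-govern sequence above, as an added worked example (it is not code from the article, from Softwerx or from Microsoft Purview, which ships its own classifiers). It assumes a hypothetical set of regex detectors, the four-label taxonomy named in the text, an audience table per label, and a constructed sample corpus; it builds an inventory of where the most sensitive data sits and then makes a label-driven access decision.

```python
import re
from dataclasses import dataclass, field

# Taxonomy from the article: four labels, ordered least to most sensitive.
LABELS = ["public", "general", "confidential", "highly confidential"]

# Hypothetical detectors (assumption): which content patterns push a document
# up to which label. Real discovery tooling uses far richer classifiers.
DETECTORS = [
    ("highly confidential", re.compile(r"\b(?:\d[ -]?){13,16}\b")),     # card-like number
    ("highly confidential", re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),      # NI-number-like id
    ("confidential", re.compile(r"\b(?:salary|payroll|contract value)\b", re.I)),
    ("confidential", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),            # email address
    ("general", re.compile(r"\b(?:internal|draft)\b", re.I)),
]

# Who may read each label (assumed groups; least privilege, listed explicitly).
AUDIENCE = {
    "public": {"anyone"},
    "general": {"employees"},
    "confidential": {"employees-need-to-know"},
    "highly confidential": {"finance", "hr"},
}


@dataclass
class Document:
    location: str        # where the data sits: share, mailbox, SaaS tenant ...
    text: str
    label: str = "public"
    matches: list = field(default_factory=list)   # which detectors fired


def classify(doc):
    """Assign the highest label whose detector fires; default is public."""
    best = 0
    for label, pattern in DETECTORS:
        if pattern.search(doc.text):
            doc.matches.append(label)
            best = max(best, LABELS.index(label))
    doc.label = LABELS[best]
    return doc.label


def inventory(docs):
    """Map each storage location to the most sensitive label found there."""
    inv = {}
    for d in docs:
        classify(d)
        current = inv.get(d.location)
        if current is None or LABELS.index(d.label) > LABELS.index(current):
            inv[d.location] = d.label
    return inv


def can_access(doc, groups):
    """Label-driven access decision: reader must hold an allowed audience group."""
    allowed = AUDIENCE[doc.label]
    return "anyone" in allowed or bool(allowed & set(groups))


# Constructed sample corpus (not real data).
SAMPLE_DOCS = [
    Document("sharepoint://marketing/brochure.docx", "Our product brochure for 2025."),
    Document("sharepoint://ops/runbook.md", "Internal draft: restart order for services."),
    Document("onedrive://alice/supplier-contract.pdf",
             "Contract value: 120,000 GBP. Contact bob@example.test"),
    Document("mailbox://hr/payroll-jan.xlsx", "Payroll export. NI AB123456C salary 42000"),
]

if __name__ == "__main__":
    for loc, label in inventory(SAMPLE_DOCS).items():
        print(f"{label:20} {loc}")
```

The inventory is the "what do you have and where is it" answer; the audience table is the taxonomy turned into an access rule, which is what a DLP policy later enforces.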
Challenge Three – Ensuring Supply Chain Security
Supply chains have become a critical cybersecurity focus for SMBs with interconnected vendors, partners, cloud platforms and service providers having access to sensitive systems or data that make them high-risk attack vectors. Ensuring supply chain security is crucial in maintaining operational integrity and in turn, business growth.
Securing the supply chain isn’t easy and it’s an ever-evolving challenge but starting with a risk assessment will put firms on the right foot. By mapping out the service providers, partners and vendors that have access to a company’s systems you can determine the type of integration each one has and from there you can start to build a picture of where security vulnerabilities lie.
All organisations operating within an SMB’s supply chain should be able to provide copies of their latest security audits, penetration testing reports or ISO assessments and be willing to co-operate with security questionnaires.
Regular checks need to be done to ensure continued compliance with these processes. Through this information gathering process a vendor or partner can be given a risk rating score to help security teams understand and address vulnerabilities.
A real non-negotiable within the supply chain is Zero Trust Architecture (ZTA). Although an element of human trust is immediate when two organisations decide to do business together, the technology should absolutely not trust. It should always assume breach, requiring verification of every request that originates from outside the network through Multi Factor Authentication (MFA). Micro-segmentation should be created to limit the impact of any potential breach while Least Privilege Access will limit users and devices to only the resources they need to carry out their job role.
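The three zero-trust controls above (verify every external request with MFA, micro-segmentation, least privilege) as one policy evaluator. This is an added example, not the article's or any vendor's code; the segment map, role table, principals and resources are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical micro-segmentation map: which segments may reach which.
SEGMENT_ALLOW = {
    "vendor-vpn": {"vendor-portal"},
    "corp-lan": {"vendor-portal", "erp", "fileshare"},
    "vendor-portal": {"erp"},          # the portal may call ERP, never the fileshare
}

# Hypothetical least-privilege table: role -> resources it may reach.
ROLE_RESOURCES = {
    "vendor-support": {"vendor-portal:tickets"},
    "vendor-billing": {"vendor-portal:tickets", "erp:invoices"},
    "finance": {"erp:invoices", "erp:ledger"},
}


@dataclass(frozen=True)
class Request:
    principal: str
    role: str
    source_segment: str
    origin_external: bool    # did the request originate outside our network?
    mfa_verified: bool
    resource: str            # "<segment>:<object>"


def evaluate(req):
    """Return (allowed, reason). Assume breach: deny unless every check passes."""
    target_segment = req.resource.split(":", 1)[0]
    # 1. Verify every request from outside the network with MFA.
    if req.origin_external and not req.mfa_verified:
        return False, "external origin without MFA"
    # 2. Micro-segmentation: the source segment must be allowed to reach the target.
    reachable = SEGMENT_ALLOW.get(req.source_segment, set())
    if req.source_segment != target_segment and target_segment not in reachable:
        return False, f"segment {req.source_segment} may not reach {target_segment}"
    # 3. Least privilege: the role must hold an explicit grant for the resource.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, f"role {req.role} has no grant for {req.resource}"
    return True, "verified"


def audit(requests):
    """Evaluate a batch and return audit records (principal, resource, allowed, reason)."""
    return [(r.principal, r.resource, *evaluate(r)) for r in requests]


# Constructed sample traffic from a vendor and an internal user.
SAMPLE = [
    Request("acme-support-1", "vendor-support", "vendor-vpn", True, True, "vendor-portal:tickets"),
    Request("acme-support-1", "vendor-support", "vendor-vpn", True, False, "vendor-portal:tickets"),
    Request("acme-billing", "vendor-billing", "vendor-vpn", True, True, "erp:invoices"),
    Request("acme-billing", "vendor-billing", "vendor-portal", True, True, "erp:invoices"),
    Request("acme-support-1", "vendor-support", "vendor-portal", True, True, "erp:invoices"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```

The order of checks matters: identity is verified before any reachability or entitlement question is asked, and a vendor that reaches the ERP directly from its VPN segment is denied even though its role would entitle it to the invoices, because the only sanctioned path runs through the portal.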
A secure supply chain is critical for effective business scaling. It reduces risk, improves reliability and increases trust while helping to enable compliance with industry standards.
Challenge Four – The Complexities Of AI
AI should not be seen as a threat. Used well, it can enhance business operations through greater efficiencies and better agility. There’s a fear that AI is increasing the complexity of threats, and it’s true that threat actors are harnessing AI to expedite the speed and sophistication of attacks – something we can’t deny when we read that phishing attacks increased by a whopping 4,151% since ChatGPT's debut in 2022, according to "The State of Phishing 2024" report from SlashNext. But AI threats don’t change anything as far as your data security is concerned. If there are gaps in a firm’s security, then those gaps exist regardless of whether or not AI exists. What it does mean, however, is that threat actors are more likely to find these existing gaps. This makes it even more crucial that business cyber resilience plans are firmly in place.
And it’s important that SMBs realise this and harness AI for good. 97% of organisations report having concerns about implementing AI due to a lack of controls to mitigate the risk of data leakage. This reluctance to embrace AI can be growth-inhibiting. Instead, businesses should look to adopt AI in line with business strategy, supported by a solid education program so that employees have the knowledge to use AI safely. For example, can employees spot AI hallucinations? Imagine a member of the HR department is using AI to search for the latest version of the company whistleblowing policy. AI brings back the 2022 version, and nobody realises. Imagine again, a sales executive uses AI to find an updated solution architecture plan or product datasheet. AI presents the wrong version, and the sales process falls apart. Deal lost.
AI, used well, can revolutionise business efficiency, but we need to keep our wits about us. Human insight and intervention are needed to ensure correctness while good data security processes should be in place, such as Digital Rights Management (DRM), Role-Based Access Control (RBAC), monitoring and auditing, to control the risk.
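The stale-version scenarios above (the 2022 whistleblowing policy, the wrong datasheet) together with the RBAC and auditing controls this section recommends, as an added example that is not from the article or any AI product. It assumes a constructed, authoritative document registry that the assistant's output is checked against before a user sees it; an answer that cites an unknown document or an old version is routed to human review rather than shown as fact.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DocVersion:
    doc_id: str
    version: str
    text: str
    allowed_roles: frozenset     # RBAC: roles permitted to read this document


# Constructed authoritative registry (the source of truth, not the AI's index).
# Each list is in chronological order; the last entry is the current version.
REGISTRY = {
    "whistleblowing-policy": [
        DocVersion("whistleblowing-policy", "2022", "Report via line manager.",
                   frozenset({"hr", "all-staff"})),
        DocVersion("whistleblowing-policy", "2024", "Report via independent hotline.",
                   frozenset({"hr", "all-staff"})),
    ],
    "product-datasheet": [
        DocVersion("product-datasheet", "v3", "Supports 1 Gbps.", frozenset({"sales", "engineering"})),
        DocVersion("product-datasheet", "v4", "Supports 10 Gbps.", frozenset({"sales", "engineering"})),
    ],
    "board-minutes": [
        DocVersion("board-minutes", "2025-01", "Confidential.", frozenset({"board"})),
    ],
}

AUDIT_LOG = []   # monitoring/auditing: every decision is recorded


def current_version(doc_id):
    return REGISTRY[doc_id][-1]


def guard(answer, requester_roles):
    """Check an assistant's retrieved document before it is shown to the user.

    `answer` is the assistant's claim: {"doc_id": ..., "version": ...}.
    Returns a decision dict with status ok / review / denied and the reason.
    """
    doc_id, version = answer.get("doc_id"), answer.get("version")
    if doc_id not in REGISTRY:
        decision = {"status": "denied",
                    "reason": f"unknown document {doc_id!r}: possible hallucination"}
    else:
        current = current_version(doc_id)
        if not (frozenset(requester_roles) & current.allowed_roles):
            decision = {"status": "denied", "reason": "RBAC: requester not permitted"}
        elif version != current.version:
            decision = {"status": "review",
                        "reason": f"stale version {version}; current is {current.version}",
                        "current": current.version}
        else:
            decision = {"status": "ok", "reason": "current version, requester permitted"}
    AUDIT_LOG.append({"doc_id": doc_id, "version": version,
                      "roles": sorted(requester_roles), **decision})
    return decision


if __name__ == "__main__":
    print(guard({"doc_id": "whistleblowing-policy", "version": "2022"}, ["hr"]))
    print(guard({"doc_id": "product-datasheet", "version": "v4"}, ["sales"]))
    print(guard({"doc_id": "board-minutes", "version": "2025-01"}, ["sales"]))
    print(guard({"doc_id": "travel-policy", "version": "2023"}, ["all-staff"]))
```

The point is that the assistant is never the authority on what is current or who may read it: the registry is, and the guard sits between the model and the user so that a confident but outdated answer becomes a review item instead of a lost deal.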
Challenge Five – Managing Insider Risk
Human error contributed to 95% of data breaches in 2024, driven by insider threats, credential misuse and user-driven errors, according to a new study by Mimecast. In a rush to be agile and propel growth, organisations often neglect cyber security training and the consequences can be devastating.
Creating a security cultured mindset that everybody is part of is crucial in controlling insider risk. When security is front of mind, employees make better decisions.
A program of continuous education which begins by assessing current awareness levels should seek to address knowledge gaps to reduce the risk of mistakes. Even with thorough training, mistakes can happen. More than 75% of insider threats are non-malicious, but one simple email, sent in error and containing confidential data, could sink a business.
Generally, people have a desire to be helpful, and often when an insider breach happens, people are just trying to do a good job. I spoke to a CTO recently who explained that a member of his team had been the victim of a voice phishing incident, bypassing security to grant network access to the caller on the phone in a bid to help. As the old adage says, you can have all the security protocols in the world, but if somebody hands over the keys, well, it’s all fruitless.
This raises the question of who’s responsible for a simple, human-made mistake: the employee who accidentally shared the email containing the confidential document or clicked a malicious link, or the company for not deploying the right data security processes to mitigate that risk?
It all comes back to data. Monitoring it, understanding where it is and knowing where it’s going.
Systems need to be put in place to catch these mistakes, such as Data Loss Prevention (DLP), which can prevent the download or transfer of data to unauthorised locations, stop files from being copied and prevent emails from being forwarded. The technology exists and just needs to be leveraged.
Truly understanding your data in this way leads to better security and compliance, while employee education combined with a safety net of security processes will complement a security-centric culture to create an environment in which everybody, including the business, can thrive.
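The DLP safety net described above, as an added example (not the article's or any DLP product's code) that evaluates the kinds of event the text names: an email or forward to an outside address, and a copy or upload to an unauthorised location. It assumes every file or message already carries one of the four sensitivity labels, a constructed internal domain, and a constructed list of unauthorised destinations.

```python
from dataclasses import dataclass

# Same four-label taxonomy as the classification step, least to most sensitive.
LABELS = ["public", "general", "confidential", "highly confidential"]
INTERNAL_DOMAINS = {"example.test"}                               # constructed company domain
UNAUTHORISED_LOCATIONS = {"usb", "personal-cloud", "unmanaged-device"}   # assumed


@dataclass(frozen=True)
class Event:
    kind: str           # "email", "forward", "copy", "upload"
    actor: str
    label: str          # sensitivity label carried by the file or message
    destination: str    # recipient address, or target location for copy/upload


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rank(label):
    return LABELS.index(label)


def decide(ev):
    """Return (action, reason). Actions: allow / warn / block."""
    if ev.kind in ("copy", "upload"):
        if ev.destination in UNAUTHORISED_LOCATIONS and rank(ev.label) >= rank("confidential"):
            return "block", f"{ev.label} data to unauthorised location {ev.destination}"
        return "allow", "destination permitted"
    if ev.kind in ("email", "forward"):
        if not is_external(ev.destination):
            return "allow", "internal recipient"
        if rank(ev.label) >= rank("highly confidential"):
            return "block", "highly confidential content may not leave the organisation"
        if rank(ev.label) == rank("confidential"):
            return "warn", "confidential content to external recipient; justification required"
        return "allow", "non-sensitive content"
    # Fail closed on anything the policy does not understand.
    return "block", f"unknown event kind {ev.kind}"


def run(events):
    """Evaluate a batch and return (event, action, reason) records for the audit trail."""
    return [(ev, *decide(ev)) for ev in events]


# Constructed sample events: the accidental email from the text, plus copies and uploads.
SAMPLE_EVENTS = [
    Event("email", "alice", "highly confidential", "contact@partner.invalid"),
    Event("email", "alice", "confidential", "contact@partner.invalid"),
    Event("forward", "bob", "general", "friend@webmail.invalid"),
    Event("email", "alice", "highly confidential", "bob@example.test"),
    Event("copy", "carol", "highly confidential", "usb"),
    Event("copy", "carol", "public", "usb"),
    Event("upload", "dave", "confidential", "personal-cloud"),
    Event("upload", "dave", "confidential", "sharepoint"),
]

if __name__ == "__main__":
    for ev, action, reason in run(SAMPLE_EVENTS):
        print(f"{action:5} {ev.kind:8} {ev.actor:6} {ev.label:20} -> {ev.destination}: {reason}")
```

The "warn" outcome is the teaching moment the section argues for: the well-meaning employee is stopped and asked to justify the send, which catches the honest mistake without treating every external email as malicious, while highly confidential content is blocked outright.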
Adriaan Bekker is Microsoft Services Director & CISO for Softwerx