Getting SMBs on board with cybersecurity

Small and medium-sized businesses (SMBs) are an underserved target group when it comes to cybersecurity solutions. They know cybersecurity is important, but they don’t understand the threat or how to protect themselves. Cybersecurity providers can help.

Cybersecurity is essential for SMBs

It is not just a technology issue. It’s a business issue.

Small and medium-sized businesses (SMBs), especially those that do not see themselves as digital or tech-intensive, may struggle to appreciate the risk of cybercrime for their businesses. Additionally, these companies may lack in-house IT expertise, hence may not have a clue what to do about it. Yet, being cybersecure is key to making a business better – i.e., being able to address its customers’ needs more reliably.

For the uninformed, free versions of antivirus software, for example, have formed the basis of their cybersecurity measures to date. But SMBs may not appreciate the limitations of these free protections. Even some paid-for software (e.g., Microsoft 365) may fail to protect them if the company does not know what to look out for or how to respond to alerts that come through.

Couple this with the fact that cybercriminals are increasingly capable and indiscriminate in their ability to exploit vulnerabilities (thanks to AI), and it becomes clear that there is not only a need but a growing urgency to address this segment, which is a cornerstone of national economies.

In the main, SMB leaders agree that cybersecurity is important, and they recognise this is an area where regulation is increasingly placing demands on them. A recent STL Partners survey (the basis of our recent report, Cybersecurity: What do small and medium businesses need?) found that 91% of SMBs agree that it is a management priority. So, what more can cybersecurity providers do to help this segment and encourage them to invest in such protection?

What do CISOs say?

Lessons shared by a panel of chief information security officers (CISOs) at TechEx Global 2025 (which took place on 5 and 6 February 2025 in London, UK) provide some insight on this. Panel members spoke about how their roles have expanded from technical IT security-type positions to business advisory roles – with a need to justify cybersecurity investment from a business perspective.

This approach should be taken at SMBs where leaders are frequently the final decision-maker in a purchase journey, according to our survey.

Cybersecurity providers need to change the historical narrative that positions this type of security as a technical hurdle or a ‘handbrake’ for the business – one that slows down or even prevents its progress. Furthermore, CISOs spoke about the need to understand how businesses make decisions in order to communicate and frame risks most effectively:

  • Overly emphasising technical vulnerabilities is less compelling than directing attention to potential revenue or market share impacts as well as cost reductions (i.e., how security can protect business value).
  • Keeping cybersecurity simple for the business (i.e., making solutions easy and lean) is another way to increase acceptance.

CISOs also discussed the importance of getting enterprise leaders to care about cybersecurity, as this sets the tone for a business overall.

  • Leaders should be encouraged to consider cybersecurity in their decision-making processes – thereby embedding security into the company culture (e.g., asking whether a new development is going to impact cybersecurity).
  • Those leaders who demonstrate their commitment to cybersecurity and its benefits are most likely to have employees that care about the same.

STL Partners’ cybersecurity survey confirmed that employees are often regarded as the weakest link when it comes to cybersecurity. Low understanding of the matter (possibly stemming from low digital literacy) and irresponsible device practices are the main concerns in this area.

When asked to identify the biggest security issue, 78% of businesses point to issues relating to employees

Source: STL Partners

More than half of SMBs claimed that employee cybersecurity awareness and policy training were a key challenge.

What help is out there to build SMB employee cyber resilience?

Governments may offer free resources to help companies improve employee cyber resilience, but a range of exhibitors at TechEx Global 2025 indicate that there are more ways to do this beyond generic online training courses. A few examples stood out at the show.

SMBs can turn to managed service providers such as Huntress, which provides online training videos to familiarise employees with different cyber threats. Huntress can run interactive tests to further personalise instruction based on areas where employees show weakness.

Other companies provide more specific solutions to address this pain point. One such example is KnowBe4, which has a human risk management platform (HRM+) that leverages AI to simulate phishing attacks and, in this way, audits employee cyber skills. The solution can then serve up relevant training content, based on the results.

There was even an ‘old-school’ board game on display: Dutch company CyberGoose has gamified cybersecurity awareness training. The physical game comes with annual expansion packs to ensure that learning remains current. Companies can buy the board game or have CyberGoose deliver workshops using the same.

Cybersecurity providers must be creative in the way they address such SMB pain points in a cost-effective manner. Once SMB leaders have grasped the business importance of cybersecurity, they will look for simple and effective solutions to protect their companies and bring their employees on the journey with them and, in doing so, embed secure practices into the company culture.

Customers of our Executive Briefing Service can find a synopsis of our survey findings in the report Cybersecurity for small and medium business: Survey highlights.

Nicola Warren

Author

Senior Analyst

Nicola Warren is a senior analyst, leading the Transformation Leadership research service at STL Partners.
