For years now the firms with the most to lose to cyber crime have been investing in cyber defense technologies, techniques and procedures designed to mitigate threats. Motivation to enhance defenses has largely been directly correlated to the potential for loss. Resources put into cybersecurity and threat mitigation have been correlated to the size of a business. If a firm has a lot to lose and a lot to invest, like one of the top ten banks, for example, very well developed cyber security programs can be expected.

The largest firms are mounting such a significant defense that attackers are shifting their focus. It can be far more lucrative to target a mid-sized business.

Cybercriminals view the mid-sized business as sitting in a sweet spot: it has resources worth targeting but not enough defenses.

Our reporting on has shown indications of this shift. Although the big attacks (Target, Home Depot, OPM, Anthem, NSA, etc.) get lots of media attention, most attacks are on smaller firms. Statistically, 95% of attacks are against mid-sized or small businesses. 50% of attacks are against firms with fewer than 250 employees.

What is troubling about this is that smaller firms have a much harder time recovering from an attack. A breach requires cleanup, forensics, and notification of employees, customers and clients. It causes costly damage to the brand, may diminish goodwill, and can result in direct financial loss. A smaller firm can have a very hard time recovering. In fact, according to surveys by the National Cyber Security Alliance, approximately 60% of small businesses that fall victim to a cybercrime each year go out of business six months after an attack.

Digital life is unfair. The big guys like Target, Home Depot and eBay all recovered from massive cyber attacks with no noticeable impact on share price a year after their attacks. But mid-sized businesses may well be driven to bankruptcy.

Yep, life is unfair. So if you are a mid-sized business, get over how unfair it is and think through what to do about it. Some questions to consider:

  • Do you know what data is most important to you and your business? What would cause a potential extinction event if it were compromised or corrupted? How are you protecting that data? Is it encrypted? Who manages the encryption? How do you handle identity management and access control for that data?
  • Do you have a process in place to learn from others? No matter what your industry is, there are places to learn best practices and procedures to improve your security. One place to start is the National Cyber Security Alliance, but most businesses will also be able to tap into organizations focused on their sector.
  • Do you have external advice and assistance from professionals who know cybersecurity, the cyber threat and cyber risk mitigation strategies? No one can do this alone. We would love to help. Get in touch at: Crucial Point.
  • Are you tracking the strategic cyber threat? We provide a free daily newsletter called The Threat Brief, which provides succinct context that can inform your cybersecurity strategy and help you optimize your cyber defenses. Sign up free at

Life is tough for the small to mid-sized business. Our view is it should not be any tougher than it needs to be.