Cyberthreats to Small Businesses

Small businesses are adopting online technology to reach new customers and make sales. But as small businesses evolve, so do cybersecurity threats.

Cybercriminals don't only target large corporations. In fact, small businesses can be even better targets.

They often don't have the budget or the time to devote to security that larger companies do. But small businesses hold customer, employee, proprietary and financial information that cyberthieves want.

Small businesses can protect themselves and their customers. They can learn what steps to take to improve their cybersecurity and what the most common cyberthreats they might face are.

First Steps

The first step for small businesses to protect themselves and their customers from cyberattacks is to assess their risk.

Risk assessment finds potential vulnerabilities in a business's networks, systems and organization. It also identifies changes small businesses can make to strengthen their cybersecurity and reduce their exposure to cyberattacks.

Small businesses without their own IT staff can use risk assessment resources from the U.S. Department of Homeland Security, including a cyber resilience review and cyber hygiene vulnerability scanning.

Get more cybersecurity tools and tips for small businesses.

Common Cyberattacks

Understanding the most common cyberthreats targeting small businesses can help them to avoid becoming the victims of these attacks.

Malware is malicious software or code used to steal information and damage devices, including computers, servers and computer networks. Two types of malware are viruses and ransomware.

Viruses are harmful programs, code or software that can replicate themselves to spread between computers and other connected devices. They are usually sent through email attachments and can damage computers and hard drives. Viruses can give cybercriminals access to a business's systems.

Ransomware is a form of malware designed to attack an individual's or organization's computer network. It restricts access and encrypts data, holding it hostage until a ransom is paid. Ransomware is usually spread through email and exploits unpatched vulnerabilities in software.

The FBI recommends never paying a ransom. North Carolina state agencies must report ransomware incidents.

Phishing is a type of cyberattack in which someone pretends to be a trustworthy person, website or organization to trick the victim into sharing their username, password or other personal information. Phishing emails appear to come from a legitimate person or organization. They often include a link or attachment that, once clicked, installs malware on the user's device that collects sensitive information.

Phishing attacks can take many forms. Learn more about the different kinds of phishing attacks and how to avoid them.

Understand the definitions of these and other common cybersecurity terms.

About this Page

This page is based on information from the U.S. Federal Communications Commission, Small Business Administration, National Institute of Standards and Technology and Cybersecurity and Infrastructure Security Agency.