AJS South Africa

MYTH BUSTING COMMON BELIEFS: Part 5

Like “We’re too small to be a target for cyberattacks”

“They” say that size matters.

And it can make a big difference…in certain situations.

One of those situations is not the size of your company. And certainly not when it comes to cyberattacks. Because as we are all aware, the biggest risk that comes with a cyberattack is not only the loss of big data but the price tag that comes with it.

And cybercrime doesn’t discriminate when it comes to size.

Some Stats and Figures to Whet the Appetite

In fact, and according to Embroker, stats and trends show that cybercrime is one of the most costly threats to all businesses. Worldwide, cybercrime costs companies an estimated $8 trillion (in 2023), an astounding figure that’s expected to rise to nearly $24 trillion by 2027. 24 Trillion Dollars!

And let’s be honest – when we think of these huge losses, it’s easy to assume that cybercriminals are mostly targeting massive, publicly traded companies. It makes sense. They have the big bucks, the big data.

However, attacks on small and medium enterprises (SMEs) are actually on the rise — and for certain types of cybercrime, smaller enterprises are even more at risk. 

In fact, SMEs face significant risk from cyberattacks. According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses. SMEs are also less prepared to defend themselves against cyberattacks, making them far more attractive to the average cybercriminal.

In the US, 41% of small businesses fell victim to a cyber-attack in 2023, a rise from 38% in 2022 and close to double the 22% in 2021.

In an editorial in IT Ops Times, it was stated –

An average employee of a small business with less than 100 employees will receive 350% more social engineering attacks than an employee of a larger enterprise. The most commonly impersonated brand is Microsoft, used by cybercriminals in 57% of phishing attacks – the most prevalent social engineering attack of 2021.  These findings are from the report Spear Phishing: Top Trends and Threats, which was conducted by Barracuda Networks, a company that provides security, networking and storage products based on network appliances and cloud services.

The trend here? The rising number of SMEs being targeted. Duh.

Although larger organisations face a larger overall volume of attacks because they are large, the picture is reversed for smaller enterprises when it comes to the volume of attacks per email mailbox.

Cybercriminals find small businesses an attractive target because collectively they have a substantial economic value, and they often lack security resources and expertise. 

Naughty, naughty SMEs…

The Impact of Cyberattacks

A cyberattack can be devastating for small businesses and can impact them in a number of different ways, from disrupting normal operations and damaging important IT assets or infrastructure to major financial losses. But regardless of the type of attack, every consequence has some form of cost – whether monetary or otherwise – and on some occasions it can be impossible for SMEs to recover without the budget or resources to do so.

Unfortunately, the consequences of a cyberattack can impact your business weeks, if not months, later. Below are 5 areas where your business may suffer –

1.   Financial losses – while exact figures for South African SMEs aren’t yet readily available, current reports indicate that South African businesses have faced an average data breach cost of R44.1 million in 2025 and the national economy has so far lost approximately R5.8 billion to cybercrime. Given that SMEs are heavily targeted and can lose significant sums (up to R171 million in extreme cases), their collective losses are substantial, even if not precisely quantified.

2.   Loss of productivity – a cyber threat can disrupt your day-to-day business operations significantly, leading to a loss of productivity. Major malware or security breaches can force companies to place many of their operating systems on pause while they investigate the attack. This downtime can lead to a damaged reputation, potential loss of clients, and, ultimately, (and sometimes most importantly) loss of income (which will ultimately affect cash flow going forward).

3.   Reputation damage – cyberattacks can also harm your business reputation. When a major data breach occurs, clients may feel like their data is less secure with your company, which may cause them to re-assess their working relationship with you.  Additionally, when a listed company’s internal systems are down for an extended period, stock price may be adversely affected. A cybersecurity threat can lead to immediate financial burdens, such as fines and liability payments. But it’s the reputation damage that is often the hardest to overcome.

4.   Legal liability – as most law firms are aware, they are often required to hold a large amount of client data (referred to as “big data”) and as such are responsible for its protection. In fact, a lawyer’s responsibility goes beyond the usual monitoring of rules and drafting of policies simply for compliance’s sake – because how the data is actually managed (especially as lawyers) is critical. Ensuring data is securely stored and is effectively protected from cyber-attacks is a top priority. It is – in fact – required by law under the South African Protection of Personal Information Act 4 of 2013 (POPIA). If a law firm or indeed SME (under POPIA) fails to maintain proper cybersecurity measures and that lack of measures eventually leads to a cyberattack or data breach, they could be fined. Your company must be vigilant in cybersecurity prevention and follow specific processes for reporting incidents to avoid severe penalties.

5.   Business continuity problems – mapping out a business continuity plan (BC) is one of the most important steps a business can take to survive a cyberattack. This allows the company to continue with foundational functions during emergencies, such as power outages, data breaches, and cyberattacks. BCs have become increasingly important in recent years with the digitalisation of practically everything in the business world. A business continuity plan can be the difference between a company failing or succeeding after a major cyber threat.

What are the top threats SMEs should be looking out for?

Well, let’s be clear: this is not only for SMEs. These threats apply to businesses of every size. See, we don’t discriminate on size either. But considering the rise in SME attacks, SMEs should specifically take note.

Dial-a-nerd has highlighted the following threats to watch out for in 2025 going into 2026 –

1.   Phishing and Business Email Compromise (BEC) – phishing remains the way cybercriminals access company systems. It’s no longer just suspicious links in spam emails — cybercriminals are getting smart, impersonating suppliers, clients, and even your own staff.

2.   Ransomware – ransomware locks your data (i.e. you don’t have access to it) until you pay a fee (aka a ransom), and SMEs are often more likely to pay the ransom because they lack backup or recovery plans.

3.   Insider Threats – these aren’t always ex-employees or malicious staff members looking to see your business fail — they can also come from well-meaning employees who click the wrong link or use weak passwords. 

4.   Poor Patch Management – many businesses forget to update their software regularly. Unpatched systems are easy targets — especially older operating systems and outdated plugins.

5.   Weak Endpoint Security – with hybrid work now the norm, staff often access company data from personal or mobile devices that aren’t sufficiently protected. Without proper security, every device becomes a potential entry point.

What can you do about it?

Our very own Barry Swart, off the back of his talk on A Different Kind of Ransomware and AI in Action at the Legal Talk Africa 2025 event that just ended in Cape Town on the 26th of August, gives the following advice for firms preparing their businesses against cyberattacks –

Firms should look at:

1.   Their providers,

2.   Having their own backups of data stored with these providers,

3.   Readiness simulation of a cyberattack,

4.   Incident response plans,

5.   Cyberattack policies,

6.   Data security and Privacy,

7.   Employee Training and Awareness,

8.   Vendor risk management, and

9.   Business Continuity and Disaster Recovery.

We told you that size can sometimes make a big difference. In this case it does. And it seems that the smaller the business the more cyber criminals are taking full advantage. It’s at this point that we are sure you will agree that the answer is plain for all to see – the myth is BUSTED! No firm, enterprise or business is too small to escape the prying eyes (and fingers) of cyber criminals.  

If you are in need of a service provider who has a proven track record or if you want to find out how to incorporate a new tool into your existing practice management suite – or if you simply want to get started with legal tech – feel free to get in touch with AJS. We have the right combination of systems, resources, and business partnerships to assist you with incorporating supportive legal technology into your practice. Effortlessly.

AJS is always here to help you, wherever and whenever possible!

– Written by Alicia Koch on behalf of AJS

(Sources used and to whom we owe thanks – Dial-a-nerd, Business Partners, Embroker, Insurance Business, IT Ops Times, Accenture – The Cost Of Cybercrime, Bizcommunity and ITWeb)
