The Cyber Risk SMBs Can't Afford To Ignore

Forbes

10 hours ago

AI-driven threats are rewriting the rulebook. Here's the new cybersecurity playbook every small business must adopt before it's too late
June just marked National Cybersecurity Education Month, an effort to raise awareness and expand the cybersecurity workforce. While public understanding is growing, so is the scale and sophistication of attacks. In the age of AI, threats no longer target only governments and large organizations. Cyberattacks now strike in unexpected places, putting individuals, SMBs, and entire systems at risk. Awareness alone isn't enough. Are we prepared?
A recent conference held at Nasdaq by the Digital Evolution Institute explored the digital fabric comprising AI, data, and cybersecurity, and put a fascinating spotlight on the growing and unexpected risks and consequences.
Byron Loflin, Nasdaq Board Excellence Center at the conference
Digital Evolution Institute founder Julia Valentine stressed throughout the conference the shift from cyber crises as technical incidents to business and leadership-level challenges, and explained why being proactive in cyber crisis preparedness is no longer a luxury but a must-have.
Cyber risk is a business risk
Valentine, Presidential Lifetime Achievement Award recipient, entrepreneur, and a long time investor, is also the founder of AlphaMille, a global technology consulting firm specializing in digital and physical security, stressed at the conference that 'Companies cannot look to the government to protect them from cyberattacks in the AI era. Digital exposure should be treated as any other initiative that creates revenue, reduces cost, and mitigates risk,' she said, offering a familiar example from 2021, when R.R. Donnelley & Sons (RRD), a global provider of business communication and marketing services, which went through a ransomware attack that exposed sensitive client data. In 2024, the SEC reached a $2.125 million settlement with RRD for violating the internal controls and disclosure controls provisions of federal securities laws. As part of remediation, RRD revised incident response policies and procedures, adopted new cybersecurity technology and controls, updated employee training, and increased cybersecurity personnel headcount - all basic cybersecurity measures that shareholders increasingly expect to be put in place as a normal course of business.
'The 'R.R. Donnelley' case was a wake-up call,' Valentine now says. 'Despite being a data-intensive company, they missed key warning signs. This cost them millions and damaged client trust. Overlooking cybersecurity doesn't just increase risk; it sets a company up for sudden and devastating failure.'
Presidential Lifetime Achievement Award recipient, entrepreneur, and a long time investor, Julia ... More Valentine at the conference.
While awareness is supposedly on the rise, cybercrime losses have been steadily increasing, and projections indicate a continued upward trend. Globally, cybercrime costs are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures. The annual cost of cybercrime in the U.S. alone is estimated to be around $639 billion in 2025.
According to Valentine, three things need to happen to change the trend: 'Cybersecurity needs to be elevated to the board level. The board needs to calibrate the right amount of information it needs for effective oversight, and the company needs to right-size its cybersecurity defenses.'
During the conference, broad discussions by key industry leaders explored this shift in priorities from multiple angles. 'As fiduciaries, we are now responsible for the resilience of our organizations, not just our balance sheets.' From a management and board perspective, it was made clear that the change starts there: 'Cybersecurity must be viewed not as an IT expense, but as a strategic differentiator. Boards need fluency in incident response, third-party risk, threat intelligence, and yes, a solid recovery plan. Because a breach today is no longer just a technical failure, it's a governance failure.'
SMBs Are Losing the Battle to Cybercrime
In today's digital economy, small and midsize businesses (SMBs) are no longer flying under the radar of cybercriminals. In fact, they've become prime targets. According to recent industry reports, nearly 60% of SMBs experience a cyberattack each year.
'Many SMBs operate under the dangerous assumption that they're too small or insignificant to attract cybercriminals,' she says. 'In reality, attackers often see SMBs as low-hanging fruit, companies with valuable data but weaker defenses. Whether it's financial records, employee data, or client information, your business is a digital goldmine to hackers.'
Many small businesses are at serious risk without realizing it. Common signs include not using multi-factor authentication, not knowing what systems or tools are in use, and ignoring alerts or phishing emails. Relying on basic IT support, skipping regular backups, running outdated software, and lacking a clear response plan all leave the door open to attacks. Even being denied cyber insurance can be a red flag.
So beyond misconceptions, what's actually preventing SMBs from getting the protection they need?
Valentine outlines five practical barriers that prevent SMBs from getting the cybersecurity protection they need:
Cyber protection is not out of reach. SMBs need focused, outsourced, and staged solutions, not bloated enterprise packages.
"SMBs must treat cybersecurity like a business imperative."
With the different views discussed at the conference, a new 'playbook' was created with the critical steps each business, big and small, must take. Valentine is now outlining The New Cybersecurity Playbook for SMBs: 7 Essential Steps:
'Cybersecurity is a boardroom concern and a business imperative,' she concludes. 'A modern, tested cyber playbook is the best line of defense.'