Part I: Frequently Asked Questions About Cyber Threats for Small Businesses

Cyber protections, from best practices to cyber liability insurance, are no longer a nice-to-have, but a must-have. The urgency is underscored by the fact that small- to medium-sized businesses (SMBs) are being targeted nearly four times more than large organizations, per Verizon's 2025 Data Breach Investigations Report. And 46% of all cyber breaches impact businesses with fewer than 1,000 employees, according to StrongDM.
Instead of waiting for a cyber incident to occur, SMBs can take a proactive approach. October, being Cybersecurity Awareness Month, is the perfect time for business owners, employees, and vendors to empower themselves with knowledge and tools to protect their businesses.
In this three-part blog series, we will address:
- Part I: Frequently Asked Questions About Cyber Threats for Small Businesses
- Part II: Protecting Your Business: Cyber Liability, Interruption & Continuity
- Part III: Why Many Small Businesses Skip Cyber Liability (and Why That’s Risky)
OK, let's jump into Part I!
What Are the Most Common Cyber Threats for Small Businesses?
While there are many types of cyberthreats, Connectwise cites the following as major cyberthreats for 2025:
- Ransomware
- Vulnerabilities
- Defense evasion
- Phishing
- Malware
- Distributed denial of service (DDoS)
- Supply chain attacks
- Insider threats
- Business email compromise (BEC)
Read a full explainer piece, here.
What About Social Engineering - What is That?
Social engineering is the psychological manipulation of people into performing an action, sharing confidential information, or providing access. It takes place where human interaction is already happening, such as email or texts.
Here’s an example:
A cybercriminal AKA threat actor got into an email thread between our client and one of their vendors. Yes, you read that right, our client was already in a real conversation with a vendor. A six-figure payment was due, and the threat actor got a hold of the invoice, changed the payment account, and re-sent it to our client. It looked like a normal invoice that they had paid before, so they paid it. Eventually, the real vendor asked for payment again, which is when the client realized the payment went to the threat actor.
How Do Cyber Criminals Use AI?
Here are a few examples:
In March 2024, the FBI warned of cyber criminals using Artificial Intelligence (AI) “to conduct sophisticated phishing/social engineering attacks and voice/video cloning scams.”
According to Verizon’s 2025 Data Breach Investigations Report, “..there is evidence of [Generative artificial intelligence (GenAI)] use by threat actors as reported by the AI platforms themselves.” Verizon also shares that synthetically generated [from AI] text in malicious emails has doubled over the past two years.
In this blog post, Connectwise discusses the various malicious uses of AI – like prompt injection, phishing, deepfakes, data poisoning and malware development – to look out for. They also share a specific real-life example: “I recently spoke with an MSP who asked ChatGPT for Microsoft’s support phone number, and they were given the number to a threat actor posing as Microsoft support.”
As you can see, threat actors are leveraging AI to fuel their malicious activities.
Why Vendor Partners May Expose Your Network
In this infographic, Verizon reports that breaches involving partners have increased from 15% to 30% over the past year, urging organizations to adopt a “unified cybersecurity posture with partners and suppliers” to reduce vulnerability.
By aligning your cybersecurity practices with those of your partners and suppliers, you can reduce vulnerability and strengthen your overall cybersecurity. Conduct a security assessment of your partners. Auditboard provides tips for a vendor security assessment, with questions like “Are your backups maintained?”, “Do you use MFA?” and many others.
If I skip my software update, will it compromise my security?
Software updates help address new vulnerabilities. By skipping updates, you are potentially leaving “holes in the boat” AKA openings for cybercriminals to exploit outdated software. When software updates pop up, resist the urge to “do it later.”
Regular updates are not just a chore; they can help shield your business against cyber threats. By ensuring your team is following suit, you can significantly enhance your defense against attacks, making your business more secure.
Is Public Wi-Fi Safe to Use?
This question arises often, particularly since many businesses support a remote or hybrid workforce. The bottom line is, public Wi-Fi poses several risks because public networks are usually unsecured. It’s also worth noting that there was a 300% increase in cyberattacks during the pandemic when many people worked remotely.
If you must use public Wi-Fi, also use a VPN (virtual private network) to encrypt your connection. Alternatively, consider using mobile data instead of public Wi-Fi when handling sensitive information.
Do I Really Need to Set Up Multifactor Authentication (MFA)?
Yes, it is strongly recommended for email and when using any software or program that offers MFA.
As we discussed in our blog post, "9 Common Cybersecurity Mistakes Remote Workers Make," MFA can help reduce the risk of unauthorized access. MFA comes in many forms such as a passkey, a unique code within your authentication app, or a code sent to your mobile device or email inbox.
By now, you might be thinking, 'This is a lot.' Especially if you are an SMB owner who is wearing all the hats. Rest assured, this blog post is not intended to instill fear, but rather to provide you with awareness.
In addition to reviewing the data and suggestions above, we strongly recommend implementing a training program for your team and investing in three key protections: cyber liability insurance, cyber interruption insurance, and business continuity planning. We cover all of this in Part II: Protecting Your Business. Stay tuned!
Disclaimer: The information provided in this blog is for general informational purposes only and should not be construed as professional advice. While we strive to keep content accurate and up to date, we make no guarantees of completeness, reliability, or suitability. Any reliance you place on this information is strictly at your own risk. For guidance tailored to your situation, please consult with a qualified professional.
