Why Small Businesses Often Say ‘Why Bother?’ When Dealing With Cybercrime

Small Business Say Why Bother with CybercrimeWell, it happened again. As a security professional, I hear a lot of things being said that are exaggerated or just plain untrue. I’ve become used to that, however, there is one phrase that really drives me crazy when I hear it. That phrase is, “Why even bother trying?”

As security professionals, many of us are constantly observing situations in different settings with an eye toward security. Recently, I noticed my doctor entering his password so he could add notes to a patient profile. The password was a single digit. Just…one…digit. I couldn’t let that pass without some fun-loving teasing, which he took very well. This is when he said the magic words. He said he had just read about the SolarWinds debacle and how it had taken over so many networks and he wondered, if they can get into those networks, “why should I even bother trying”? He knows even though he is small that he is still a target. He is not confused about that, as he had heard of many other small medical offices scammed or hit by ransomware. 

There it was, out in the open. The truth about how he felt. He feels helpless to defend against the attacks. He said that the person who recently set up his new digital x-ray machine told him he should not connect it to the network, but should take the data from the machine, put it on a USB drive and walk it over to his EMR station and attach it to the record there. He asked the rep why it mattered when it was going into a cloud-based system anyway, to which the rep had no good answer.

The Problem

As security professionals who live immersed in the world of scams and cyber criminal attacks, we sometimes forget that not everyone lives in this world. My chiropractor has patients to care for, the bakery down the street has pastries to finish. They are not cybersecurity experts, but they do handle valuable data, no matter the size of the organization. What they don’t have is the confidence that the time and effort they put into securing things will have any impact. 

This feeling of hopelessness in the face of the threat is a real issue. While they may have an MSP (a.k.a. the IT person) that helps, they are usually focused on break/fix activities or setting up new machines, not securing the office. It can be tough to get small business owners to pay for services, like securing devices and people, when they don’t believe that there is value in doing so. Instead, they accept the risk, often without understanding what that risk really is. Even with the looming threat of HIPAA violations and potential fines, they believe that they have to risk it. 

Now What?

So, how can we, the cybersecurity industry, help them? It starts with the messaging. We need to educate small business owners on the fact that most of the successful attacks they hear about with their peers is often the result of human error. This error could be sending information to the wrong person, or it could be clicking a bad link in an email. Both can be avoided, or at the very least, the risk can be reduced greatly by working with the staff.  

We need to stow the FUD. FUD (Fear Uncertainty and Doubt) is the tool of marketing departments trying to sell “solutions”. We are better than that. We should educate these small business owners on the risks they face and ways to reduce the risk. They need understanding, not fear.

In my opinion, there are very few ways to reduce risk in these organizations that are better than a focus on the human factor since this is the root of so many issues. Before starting, we need to acknowledge the issue without blaming the individuals. Yes, they are the source of a lot of issues, however like the doctor or business owner, they have other jobs to do. To get the best ROI, training needs to be constant, not just a PowerPoint presentation once a year. This means short lessons that are relevant to them and current events. These lessons should cover best practices for password hygiene, spotting phishing emails and text messages and phone calls and tie them to current events. We also need to explain why certain things are so important instead of just telling them to do it.

An example of this is teaching people that reusing passwords is bad. Rather than just demanding compliance, teaching them a little about credential stuffing can help them understand why it’s bad and has a better chance of changing the behavior. Teaching people that phishing attacks usually rely on creating an emotional response and demonstrating how that works is better than trying to teach them about every iteration of these attacks. It’s like a magic trick. Once you know how the trick operates, it doesn’t matter if the magician uses a playing card or foam ball to do the trick; you can spot the trick.

There are a lot of free tools that are valuable as well. Many of these will support the training. If you teach people not to reuse passwords, while also providing them with a tool, such as a password manager, it will help them be successful. There are free and low-cost versions for any size business. 


While we won’t stop all cybercrime, we can’t choose to ignore it either. As security practitioners, we also have a role of being security advocates. When we see or hear situations with poor security hygiene, we need to address it without being judgmental and help them to understand better. If we all do some of this, even for the smallest organizations, we can make progress against the cybercrime that is so rampant today.    

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews