Fortifying small businesses against the rising tide of cyberattacks


An alarming 73% of small business owners reported cyberattacks last year. In fact, nearly 43% of cyberattacks are directed at small and mid-size businesses (SMBs). And even more concerning, only about half of SMBs have cyber insurance policies or coverage because it's an extra expense that many can't afford.

Without the resources to properly defend themselves, SMBs are increasingly at risk. As a result, nobody is "too small" for today's cyber criminals. However, despite limited resources, SMBs can drastically improve their cybersecurity posture with a combination of effective change management and the most talked-about emerging technology on the market: artificial intelligence (AI).

SMBs' cybersecurity blind spot: Overreliance on compliance
Many SMBs believe compliance with industry regulations means they're secure, but this isn't always true. For example, while Payment Card Industry (PCI) compliance is a critical tool to ensure the proper handling of credit card data and customer information, cybercriminals target multiple access points and data types during a breach. 

So, while small businesses are required – for good reason – by their payment processor to follow PCI compliance standards for safeguarding digital payments or face penalties, this once-per-year compliance action doesn't necessarily guarantee a broad enough security posture.

SMBs often lack the scale, time, and expertise to design, implement, and maintain their own cybersecurity capabilities, leading them to simply focus on staying PCI compliant instead of taking steps necessary to be more broadly cybersecure. That's because acceptable implementation of PCI compliance can stop at the card data environment, leaving other portions of a merchant's digital environment vulnerable to cyberattacks.

PCI Data Security Standard Version 4.0 went into effect March 31, 2024, and that's just one of many industry regulations and best practices SMBs must monitor. There are also other frameworks, like the NIST Cybersecurity Framework or the FCC's Cybersecurity Tip Sheet, that focus on overall merchant cybersecurity for all industries and organizations, regardless of their size or level of cybersecurity sophistication.

With cybercriminals using emerging technologies like AI along with the rise in popularity of mobile payments and contactless transactions, SMBs will face a greater burden to keep up their cybersecurity and compliance posture. Last year, 39% of small businesses had a breach of sensitive customer data, with more bound to follow suit as cybercrime is expected to cost the world $10.5 trillion by 2025. SMBs must converge their compliance and cybersecurity actions or risk becoming part of the 60% of small businesses that close their doors after falling victim to cyberattacks.

Small businesses can leverage AI technology to help them close this gap and ease the cyber resilience burden amid limited resources.

AI: The secret weapon to overcome blind spots
AI is evening the playing field for cyber resilience by helping SMBs without adequate resources or cyber expertise to uplevel their security postures by:

  1. Breaking through the noise

You can't defend against what you can't see. In fact, 25% of small business employees don't feel they have the tools and training needed to identify potential cyber threats at work. They don't have the time or expertise to identify and map out all organizational digital assets at risk, nor pinpoint which vulnerabilities need to be patched or which networks are most likely to be the next target. That is where AI steps in.

With AI, the process becomes easier, allowing small teams to see pertinent information on all vulnerabilities, potential security incidents, and remediation efforts at a quick glance — significantly streamlining threat detection and response, and helping businesses stay one step ahead.

AI is a powerful tool for SMBs, and its adoption will only grow over time, but it's not the only tool. AI tools should build on the organization's current cyber tools (i.e., firewalls, endpoints, and vulnerability scanners that feed security telemetry to the AI model), offering a multi-layered approach to understanding where cyber risks lie. When AI is working alongside existing cyber tools, the view of cyber risk changes from a black-and-white photo into a high-resolution color image.

  2. Combining compliance and cybersecurity actions

Cybersecurity protection is increasingly a requirement, not an option, for SMBs across all industries and geographies, driven by both business need and regulations like PCI. Protecting cardholder data and keeping business uninterrupted from cyber threats can no longer be a 'point-in-time' effort, as PCI and other forms of compliance traditionally have been.
While industry best practices conveyed in the NIST Cybersecurity Framework and FCC guidance help businesses with modest or no cybersecurity expertise put the right plans and procedures in place, these baseline recommendations are only the beginning of what's needed to drive ongoing cyber resilience.

AI tools make it possible for SMBs to easily understand their cyber risk as part of the compliance process — no technical skills or internal resources required. SMBs should consider adopting AI tools that combine compliance and cybersecurity together, ensuring "always on" cyber defense alongside compliance with industry regulations and recommended frameworks.

  3. Taking the guesswork out of it

With the evolution of generative AI (GenAI) chatbots, even non-expert SMB employees can more effectively achieve and maintain cyber resilience and compliance with evolving industry regulations. New GenAI chatbot tools can customize the level of cyber event detail, complexity, and vocabulary for each user's level of cybersecurity expertise based on their unique online and compliance security environments. This means that anyone can easily understand their vulnerabilities and find answers to risk mitigation best practices, no matter their skill level, minimizing room for error.

Looking forward
Addressing SMB cyber risk requires a multi-layered approach, including a combination of technology and process improvements, to understand where cyber risks lie and how to best address each risk. Cybersecurity and compliance risks are more complicated than ever — and yet only 33% of SMBs have implemented new systems or technology to ensure security in the past year. In the fight against cybercriminals, SMBs need support, and AI is the co-pilot needed to drive results despite leadership's potential lack of time and expertise.

AI is not just for large companies — tools also exist that are helping SMBs identify which vulnerabilities are most pressing to patch, suggest the next best actions to remediate those issues, and ensure they stay compliant with important industry regulations like PCI. Cybersecurity and compliance must be elevated to mission critical for SMBs — or they risk getting caught in the crossfire of cybersecurity attacks.
