Small Medium Business (SMBs)

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

“Let’s do some word problems!” — said no one ever (except math teachers) 

In certain prior reports, we have compared and contrasted small and medium businesses (SMBs) against large organizations to determine whether the attack surface differed significantly between them. Increasingly, both SMBs and large companies are using similar services and infrastructure and that means that their attack surfaces share more in common than ever before. This has led to a convergence of attack profiles regardless of the size of the organization. However, what is very different is the ability of organizations to respond to threats due to the number of resources they can deploy in the event that they are attacked. 

The tables on the right illustrate the fact that SMBs and large organizations have increasingly become similar to each other. This phenomenon began several years ago, and by now there is so little difference based on organizational size that we were hard-pressed to make any distinctions whatsoever. Therefore, this year we decided to look at these a bit differently53 by looking at the implementation of security controls for various size SMBs (smaller, midsize and larger) and how they may overlap or differ. 

In past reports we have discussed the research we conduct with regard to controls—in particular, the work we have done with MITRE to map VERIS to ATT&CK. This year, we would like to take this research a bit more into the real world and apply it to how you would use these mappings with the appropriate CIS Implementation Group protective controls.

Small businesses (less than 1,000 employees)



699 incidents, 381 with confirmed data disclosure

Top patterns


System Intrusion, Social Engineering and Basic Web Application Attacks represent 92% of breaches

Threat actors


External (94%), Internal (7%), Multiple (2%), Partner (1%) (breaches)

Actor motives


Financial (98%), Espionage (1%), Convenience (1%), Grudge (1%) (breaches)

Data compromised


Credentials (54%), Internal (37%), Other (22%), System (11%) (breaches)

Table 3. At a glance for SMB

Large businesses (more than 1,000 employees)



496 incidents, 227 with confirmed data disclosure

Top patterns


System Intrusion, Social Engineering and Basic Web Application Attacks represent 85% of breaches

Threat actors


External (89%), Internal (13%), Multiple (2%), Partner (2%) (breaches)

Actor motives


Financial (97%), Espionage (3%), Ideology (2%), Convenience (1%), Fun (1%) (breaches)

Data compromised


Internal (41%), Credentials (37%), Other (30%), System (22%) (breaches)

Table 4. At a glance for large organizations

It’s not easy being small. 

Let’s assume you’re a startup — company in its infancy. You have very, very limited resources for implementing security controls of any kind. Your IT person is also your security person is also your Jack- (or Jill-) of-all-trades who wears many hats and never sleeps. 

The first step is to see which controls are recommended for your level of security maturity and resources. But where to begin? We like the CIS Critical Security Controls Navigator as a good starting point.54 It breaks down each of the CIS Controls into small, easy-to-consume chunks and then maps them to various security standards that an organization may want to comply with as their adopted standard. You will see that they are broken into three Implementation Groups, and each one is geared to the organization’s maturity level. Since we’re at the beginning here, we will start with Implementation Group 1 (IG1). While these are all good controls and should be on the road map, let’s take a more threat-centric approach in our scenario. 

You can see in Tables 3 and 4 that regardless of an organization’s size, they are going to face the System Intrusion pattern most commonly. In last year’s report, we mapped the Controls to the pattern and showed which were most commonly going to help you in an attack.55 The result in IG1 shows Controls 14 (89%), 11 (80%) and then 5 (67%).

When you drill further into the Sub- Controls, more granularity should guide you in your quest for maturing your organization’s security posture. Each organization will need to customize and prioritize according to its own risk profile and tolerance, but it is at least a place to begin. Once the most likely suspects are accounted for, move onto the next mostly likely attack pattern you may be facing and determine how to handle that. Using data-driven information on your most probable risk areas is a defensible strategy toward prioritizing controls with few resources. Hopefully after some progress is made, your Jack-/Jill-of-all-trades can go back to sleeping at night.






Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.



Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a preincident and trusted state.



Access Control Management
Use processes and tools to create, assign, manage and revoke access credentials and privileges for user, administrator and service accounts for enterprise assets and software.

Table 5. CIS Implementation Group 1 Controls for Incident Classification Patterns most commonly encountered by SMBs

Midsize is the right size 

You’ve been at this a while. You’re not tiny, but you’re not quite at the enterprise level just yet. You have been working diligently at maturing your processes in both IT operations and in information security. You have put in place the Controls in IG1 and are now eyeing IG2 to take your company to the next level of protection. 

With that in mind, let’s take a look at the IG2 controls that cover the Social Engineering pattern, which is the second largest threat for SMBs. The first two controls are the same main categories as they were for System Intrusion, Control 5 (100%) and Control 14 (100%). However, the third control is different for this pattern: 

  • Control 17 – Incident Response Management Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training and communications) to prepare, detect and quickly respond to an attack. 

An Incident Response Management plan is key to all areas of security but perhaps especially so when it comes to Social Engineering attacks for a few reasons. Many of these attacks, such as pretexting, tend to escalate quickly and can have a high impact. Perhaps just as importantly, employees need to feel secure in the knowledge that they have a place they can report these incidents to when they occur because the sooner they report them, the more quickly you can address them.

“You get a resource! You get a resource! Everybody gets a resource!”

Now let’s pivot to look at the larger organizations in the SMB area. To clarify, we are still writing with regard to SMBs, we simply mean the larger companies that still fall into that category (<1,000 employees). When your company reaches this point, there are more resources available to throw at problems, whether in the form of more people, more technology options or just plain more cash,56 and bringing those resources to bear can yield substantial benefits. At this level you have already tackled IG1 and IG2 and are ready for IG3 controls.

These Controls mature along with your organization. Therefore, let us examine the IG3 Controls with regard to the third most common pattern for SMB: Basic Web Application Attacks. The first, Control 17 (100%), we talked about in the section above, but Controls 16 (100%) and 18 (100%) we have not yet discussed. 

  • Control 16 – Application Software Security Manage the security life cycle of in-house developed, hosted or acquired software to prevent, detect and remediate security weaknesses before they can impact the enterprise. 
  • Control 18 – Penetration Testing Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes and technology), and simulating the objectives and actions of an attacker. 

Control 16 is certainly timely, considering the SolarWinds case from last year’s report and the Log4j impact discussed in this year’s report, so we should have no problem seeing the relevance of this Control. Sub-Controls 16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities, 16.4: Establish and Manage an Inventory of Third-Party Software Components, and 16.5: Use Up-to-Date and Trusted Third-Party Software Components would have gone a long way to defending against both of those cases.

Once an entity has reached the larger end of the SMB scale, Control 18 also comes into play. Establishing penetration testing capabilities and incorporating their findings into the security processes can only improve the information security posture of a larger SMB. This is basically real-world testing of your controls to make sure they are performing how you expect them to. Like backups, only controls that have been tested and verified should be trusted. 

Now that you’ve already looked at the Controls and prioritized them, you know what you’re most likely to be hit with and you’re working your way through to the end—your ducks are almost all in a row. You have balanced preventive and detective capabilities and are on your way to being able to not only detect when something bad has happened but also respond quickly and appropriately. You have moved from the basics of putting your plan together to implementing a road map. 

A few final things to consider at this point: Are you looking at aligning with a particular compliance framework? Do you track metrics around security in your environment? Do your efforts result in ongoing improvements to your security posture, or do they just provide a point-in-time snapshot that says, “I was good at this moment, but then things changed”? There is quite a bit you can do when you use good information about what is happening in your organization to steer your security strategy.

From the Center for Internet Security: 

Report after report, and study after study, shows that many attacks are successful because network owners did not know their enterprise assets, the software they had running and where their critical data was. Knowing your environment is foundational to any cybersecurity program, so they encompass the first three controls of the CIS Critical Security Controls (Controls). After all, you can’t protect what you don’t know you have. 

After understanding your environment, you can prioritize where to apply and which controls to implement across your enterprise. At CIS we know that this will take time and resources, which is why we have prioritized the Controls and supporting Safeguards to help you plan your security improvement program. We do this through Implementation Groups (IGs). There are three IGs and are based on the risk profile and resources an enterprise has available to them to implement controls. Each IG builds upon the previous one. So IG2 builds upon IG1 and IG3 comprises all the Controls and Safeguards. 

We describe a typical IG1 enterprise as small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. The principal concern of this enterprise is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.

Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.

But no matter the size or complexity of your business, we recommend that all organizations begin with IG1. We also refer to IG1 as Essential Cyber Hygiene because it provides the actions necessary for an organization to defend itself against the major attack types being used by cybercriminals. IG1 is not just another list of good things to do; it’s an essential set of steps that helps all enterprises defend against real-world threats. And it provides a strong foundation for your cyber maturity growth, or as your security needs change. This is a strong claim, but we back it up with our use of the best-available summaries of attacks (like the Verizon DBIR), and an open, shared methodology (the CIS Community Defense Model v2.057).

53 Again, there is that refocusing thing we keep talking about.


55 2022 DBIR, Appendix B: VERIS and Standards, p. 96

56 And this never really hurts, does it?


Let's get started.