Research Hub > SMBs Should Be Concerned About Ransomware and Social Engineering Attacks
3 min

SMBs Should Be Concerned About Ransomware and Social Engineering Attacks

A new report from Sophos documents cybercriminals’ sophisticated approaches to stealing data from small and midsized organizations.

While cyberattacks on big businesses tend to grab the headlines, new research from Sophos shows that small and midsized businesses are equally attractive targets. Last year, more than 75 percent of the incidents handled by the Sophos X-Ops incident response team occurred in businesses with fewer than 500 employees.

According to them2024 Sophos Threat Report, cybercriminals have built a robust ecosystem of underground marketplaces and services around gaining access to and stealing data from SMBs.

The appeal of SMBs as targets makes sense, considering that they make up the vast majority of businesses worldwide. In the U.S., SMBs generate 44 percent of the nation’s overall economic activity and employ more than 61 million people. SMBs may be small, but they have plenty of data, including proprietary assets and health and financial records.

Our findings are based on telemetry gathered from Sophos cybersecurity software on customers’ networks, data from our managed detection and response service, and data from our incident response team. Here are a few of the key takeaways.

SMBs’ Vulnerability Attracts a Thriving Cybercrime Market

Cybercriminals know that SMBs are more likely to have inexperienced security teams and lean budgets that make it difficult to deploy effective cyberdefenses. The most common vulnerabilities, as shown in Sophos’s report, will be familiar to many SMBs: insufficient security software, unmanaged computers with improper configurations and software that has aged out of manufacturer support.

These and other vulnerabilities feed into a brisk trade in “Malware as a Service.” For example, a single remote-access Trojan, Agent Tesla, was the delivery framework that accounted for nearly 51 percent of the malware detected on customer networks in 2023. Meanwhile, cybercriminals also use access brokers, who amass access to vulnerable systems and stolen credentials and sell them on the black market.

Off-the-shelf tools — including trial versions of remote desktop access software, file compression and transfer tools, and other open-source and free utilities — are commonly used as well, making it difficult sometimes for SMBs to distinguish malicious behavior from benign activity by employees.

Users and Mobile Devices Are Key Targets for SMB Cybercrime

Ransomware remains the biggest threat to small organizations. In sheer numbers, it isn’t the most frequent type of malware uncovered in our research, but it’s hard to overstate its impact on small businesses. Our analysis also revealed a significant jump in the remote execution of ransomware, in which hackers leverage unmanaged devices on a network to encrypt files elsewhere in the system. These attacks can leverage a single unprotected device on a business’s network to attack others — a danger exacerbated in SMBs by the frequent use of personal devices not protected by organizational security policies.

Hackers also target SMB data to perform other scams; for example, stealing employee credentials to gain access to accounting software and then convincing customers to redirect their payments to a hacker-controlled bank account. The use of social engineering to collect data from targets is a growing area of concern, partly because tactics have become incredibly sophisticated. Social media information, combined with internal organizational data, makes it relatively easy to craft personalized messages that trick employees into sharing confidential information or performing improper actions.

Increasingly, hackers are also targeting mobile devices. SMB employees perform enormous amounts of work on their smartphones, from point-of-sale transactions to accounting entries, making these devices a valuable target.

Security Solutions Empower SMBs with a Proactive Defense

Unfortunately, when an attack occurs, small businesses may be much less likely to recover from the financial impact and disruption. For many, the best defense is to engage a proactive threat-hunting service from a managed detection and response provider or to deploy a self-managed platform that will help leaders triage their security alerts so they can focus on the most important ones.

In either case, SMB leaders can rest easier knowing they’re taking the proper steps to make themselves less vulnerable to hackers and better able to withstand attacks.


Small businesses face no shortage of threats. Staying safe takes a comprehensive plan and layered defenses.

Sean Gallagher

Principal Threat Researcher, Sophos
Sean Gallagher is a principal threat researcher in Sophos’s X-Ops group. Previously, he was an information security and technology journalist, including 10 years as Ars Technica’s IT and national security editor.