What is the cybersecurity poverty loop – and how can brokers close it?

It can cause a domino effect across organizations

By Gia Snape

Small and midsize enterprises (SMEs) are increasingly in the crosshairs of cybercriminals. However, many remain dangerously unprepared.

Limited budgets, stretched IT resources, and misconceptions about both threats and insurance coverage are keeping SMEs trapped in what experts call the “cybersecurity poverty loop.”

Mea Clift, senior advisor in cyber risk engineering at Liberty Mutual, said insurance agents and brokers have a unique opportunity to help these organizations break the cycle.

“Smaller organizations often don’t have the security infrastructure of larger enterprises,” Clift said. “They may lack privileged access controls, network segmentation, or round-the-clock monitoring. And when you layer in heavy reliance on third parties, you create more points of entry for threat actors.

“There’s a lot of mythology (about cyber insurance) out there. People hear about denied claims in the news and assume the worst. Brokers can play a critical role in explaining the realities, setting expectations, and helping clients position themselves for success with their carrier.”

The domino effect of SME cyber vulnerability

According to Clift, the majority of attacks targeting smaller organizations are still rooted in business email compromise (BEC) and phishing. However, the delivery methods are evolving, with text-based phishing, social engineering aimed at executives, and multi-stage compromises that escalate into ransomware becoming more common.

Third-party risk is also a growing problem. “Everybody’s moving to use a lot of third parties because they don’t have the capability in-house,” Clift said. “With that, we see more third-party incidents where a vendor gets compromised and takes out the data or systems of their users and clients.”

And despite SMEs' smaller size, cyber events affecting them can have huge consequences. Clift pointed out that a small supplier can be the linchpin in another organization's operations. For example, a breach at a $5 million-revenue firm could trigger losses in the billions downstream if it disrupts a major client’s supply chain.

Clift is closely watching two areas of emerging SME cyber risk: supply chain compromises, which are not limited to software vulnerabilities but also include breaches of service providers with direct system access; and AI abuse, including poisoned data inputs, manipulated large language models, and disinformation generation.

“AI has infinite possibilities, which means infinite potential for misuse,” Clift said.

Tips to help clients close the cybersecurity poverty loop

One of the most damaging misconceptions among small business owners is the belief that they are too small to be targeted. This perception often leads to minimal investment in cyber defenses.

“There’s also overreliance on managed service providers (MSPs),” Clift said. “Owners assume everything is covered, but the level of protection depends on what they’ve contracted for. If your MSP only covers you nine to five, and you get hit Friday night, you may be on your own until Monday.”

Even when SMEs recognize the risk, they may be unable to afford advanced tools and talent. That increases their vulnerability, which in turn makes them less attractive to insurers or raises their premiums.

To help SMEs break out of the underinvestment cycle, Clift urged agents and brokers to focus on achievable, high-impact steps:

  • Maximize existing tools – Many cloud platforms offer advanced security features at no extra cost. “Work with providers to ensure everything is locked down,” Clift said.
  • Collaborate with MSPs – Keep pace with environmental changes and confirm 24/7 coverage where needed.
  • Prioritize foundational controls – MFA, backups, endpoint protection, and phishing awareness training can significantly reduce incident likelihood.

By coupling these practical steps with tailored insurance solutions, brokers can position SMEs to weather cyber incidents without catastrophic loss.

“Cybersecurity is a journey, not a destination,” she said. “We have to understand that a 50-person company is not going to have the same controls as a 50,000-person organization.”
