How SME Leaders Can Make Cybersecurity a Strength in 2024

By Netanel Amar, Co-Founder & COO, Cynet

The financial damage wrought by cyberattacks on small to midsize enterprises (SMEs) is climbing far faster compared to larger organizations. For companies with 1,000 to 5,000 employees, the average cost of a data breach reached $4.87 million in 2023 — a year-over-year increase of nearly 20%, according to IBM.

As Cynet's COO, my team and I help SME risk management executives around the world safeguard their most critical operations and valuable assets. I'll distill that real-world experience into four trends, quantified by recent research, and offer timely advice to boost organizational resilience in 2024. Business leaders can also take advantage of resources like the 2024 Cybersecurity Planning Checklist for a holistic understanding of the security technologies, services, and initiatives needed to manage risk in the year ahead.

1. Address AI as an Asymmetric Advantage Against Adversaries

Executives will be challenged to boost security awareness, expertise, and capability — without adding costly headcount.

Generative artificial intelligence (GenAI) as cause for cybersecurity concern is nothing new. Many a forecast has feared a future when adversaries are empowered to invent malware with the click of a button, overwhelming their targets with never-before-seen variants. In reality, existing threats weren't replaced; they were amplified to unprecedented scale. Sheer volume will be the defining challenge for security teams striving to prevent automated attacks in 2024.

Despite inbound threats increasing exponentially, security team resources are being scaled back. PwC estimates that one in five organizations will shrink or freeze their security budget for 2024. Also, 47% of organizations plan to reduce security team personnel, according to an Observe survey. These reductions are impossible to offset without automation. We've found automating threat investigation and response can reduce manual incident handling 90% to resolve threats 50 times faster. The result is less pressure on overburdened security teams and less risk for the organizations they protect.

2. Elevate Awareness as an Organizational Advantage

Security leaders should implement programs for ongoing enablement as employee exposure to GenAI increases.

Over half — 52% — of CISOs and CIOs expect Gen AI to lead to catastrophic cyberattacks next year, per a PwC poll. The peril will be most acute for SMEs. Lean security teams must guard against the same threats facing large enterprises — but with a fraction of the personnel, budget, or bandwidth.

Company culture can help close this gap. Employee incentives — such as linking risk to performance bonuses — can boost awareness and reinforce resilience. According to another Gartner survey, 50% of C-suite leaders will have performance requirements related to cybersecurity risk embedded in their contracts by 2026. The 2024 SME Cybersecurity Planning Checklist identifies key components of a holistic security training program. By implementing these initiatives, SME executives can reduce organizational risk by boosting situational awareness, promoting responsible best practices, and empowering employees to respond appropriately if they believe an incident is underway.

3. Prioritize Prevention to Minimize Financial Risk

SME execs can mitigate their exposure by implementing proactive capabilities to qualify for favorable insurance coverage.

Security incidents in 2024 will be more common — but also more costly, especially for SMEs. As financial stakes skyrocket, more organizations will invest in cybersecurity insurance for an additional layer of protection. The market for cyber insurance, on track to exceed $20 billion in 2024, has grown by 186% since 2020. Standard policies offer a safety net for damage and recovery costs, while more comprehensive options extend to forensics, investigations, lawsuits fines, lawsuits, and even ransomware payments.

The key to unlocking optimal coverage is capability. Just as auto insurers are wary of covering bad drivers with dodgy safety records, cyber insurers will reject applicant organizations that fail to demonstrate required security standards. Specific criteria vary by provider, which can be confusing for a small team wondering where best to begin. The 2024 Cybersecurity Planning Checklist offers guidance to find and qualify for the best policy based on your organization's unique needs. By prioritizing prevention with an automated security platform to proactively detect and destroy stealthy threats, you can check the boxes insurers want to see and better protect the bottom line.

4. Insulate Your Organization From Geopolitical Chaos

Ideologically motivated cyberattacks will comprise a larger proportion of threat actor activity.

Ideologically motivated cyberattacks were once relatively rare, accounting for 1% of incidents in 2021 and 2022. That norm has been upended amid geopolitical turmoil. By April 2023, ideological attacks surged to comprise 35% of breaches, according to research by StationX. And that data is from April, before conflicts such as the Israel–Hamas War further inflamed hacktivist activities.

As hacktivism spikes in 2024, small businesses in sectors once thought of as "safe" from cybercrime must recognize that ideological adversaries could view them as easy targets. Executives across industries must therefore approach security as an organizational enabler, not a narrow niche for technical specialists, and build it into the fabric of their operations. Guides like "How to Build a Security Framework" can offer you a helpful head start.

Conclusion

Lapses in cybersecurity can be catastrophic for an SME. Security should be integral in all aspects of decision-making, from product development to supply chain management. By embracing new opportunities to holistically manage risk in collaboration with their technology teams, business leaders can improve their organizational resilience in 2024.

About the Author

Netanel Amar is Co-Founder & COO of Cynet, Co-Founder of BugSec, and former CTO of a leading information security company, where he directed IT and data security projects for corporate clients. Prior to this, he was CISO – Director of Information Security for Israel's National Institute of Testing & Evaluation.