Security-focused managed service providers (MSPs) know that small to midsize businesses (SMBs) often take a more cavalier approach to cybersecurity than larger organizations. They often believe that because they are small and less well-known, they’re less likely to draw the attention of cybercriminals. 

The message to these companies has always been that, despite their small size, they are just as likely to be targeted – or maybe even more likely – because they often have fewer protections in place, are more likely to pay out in the event of a ransomware attack, and are more vulnerable to cybercriminals seeking bigger payouts through lateral attacks targeting larger enterprises. 

For example, in a 2014 data breach impacting Home Depot, attackers used stolen credentials from a third-party vendor to access customer credit card data and e-mail addresses. The previous year, Target Corp. suffered a significant data breach after an attacker stole login credentials from a small, third-party HVAC vendor and accessed the big box retailer’s security and payment systems.

Data from Barracuda reveals some of the ways that smaller firms face a greater danger from email-based cyberattacks than their larger counterparts.

Small firms seeing 6X the email attacks as enterprises

Email-based attacks are widespread and proliferating. Barracuda’s email threat detection data from June 2023 to May 2024 shows that companies of various sizes have different risk profiles regarding the types of email attacks they face. 

According to the Barracuda data, the largest organizations – those with 2,000 or more mailboxes – received an average of around 7,500 phishing threats over 12 months. Small firms with fewer than 100 mailboxes received fewer threats (around 180) in the same period. 

However, while individual mailboxes at the most prominent firms were only hit an average of once in 12 months, the smallest firms saw six incidents per mailbox. 

Why? It could be due to several factors, including organizational structures and the likelihood that more individuals within a small company may have privileged access to data, applications, and networks. 

The type of email attack also varies based on company size. Conversation hijacking and business email compromise (BEC) are consistent regardless of company size – just one to two percent of attacks for the former and between 14 percent and 21 percent for the latter. 

However, smaller companies are much more likely to be targeted by phishing attacks (71 percent for the smallest companies, 41 percent for the largest) and extortion (seven percent compared to two percent). This could be because smaller companies are less likely to have robust email security in place.

42 percent of email attacks on large companies were lateral phishing

Larger firms face more significant lateral phishing attacks from a compromised internal email account. Around 42 percent of email attacks detected for the largest companies were lateral phishing, compared to 2 percent for the smallest companies. This may be because larger companies are a more valuable target and offer large distribution lists of employees who already receive a high volume of emails.

For MSPs, knowing the differences between the threats companies face based on size can open opportunities for more nuanced conversations about which security measures clients should invest in. Talking to SMBs about the high frequency with which their employees are targeted and the types of phishing emails they may receive can help open their eyes to the need for more advanced threat detection and security technology. 

Some specific strategies and technologies can help MSPs direct smaller clients to the proper cybersecurity hygiene practices. Those include: 

• User education and training should be tailored to the threats these clients are likely to face. Security awareness should not just focus on the latest and most common threats, but also on the types of widespread phishing scams SMBs are most often the target of and how to identify them. MSPs can also help these companies alter their structure (when possible) so that fewer employees have privileged access or privileges are limited by roles.
• Artificial intelligence (AI) and machine learning (ML) technology should be part of the security mix. These solutions can help quickly detect unusual email activity (like that related to an account takeover or compromise) and put automated tools in place to stop the attack before it spreads. The email solution should also monitor internal and outside mail.
• Implement multifactor authentication (MFA), edge protection, and Zero-Trust strategies to help keep data and applications safe.

By having an informed conversation with clients about the security threats they face (not just the general threat landscape) and pointing out how their company size can make them more vulnerable to certain attacks, MSPs can potentially increase business while also tailoring security solutions that address the varying needs of companies of all sizes. 

Chris Crellin is senior director of product management for Barracuda MSP, a provider of security and data protection solutions for MSPs. He is responsible for leading product strategy and management.