“5 for ‘25”:
CYBER READINESS INSTITUTE SHARES TOP NEW YEAR’S RESOLUTIONS FOR SMALL AND MEDIUM-SIZED BUSINESSES

December 17, 2024 – NEW YORK, NY — Entering 2025, millions of small and medium-sized businesses (SMBs) are setting New Year’s resolutions to improve their operations, grow their customer bases, and achieve financial success. But in today’s digital age, top security experts suggest a different set of resolutions should rise to the top of every SMB’s list: safeguarding their business from cyber threats.

The Cyber Readiness Institute (CRI), a non-profit organization dedicated to helping SMBs strengthen their cybersecurity, warns that the risks are too significant to ignore. Despite a sharp rise in cyber attacks in 2024, many SMBs failed to implement even basic measures to protect their business—leaving themselves vulnerable to devastating consequences.

Recent studies reveal that almost half (41%) of the world’s more than 350 million small businesses experienced a cyberattack in the past year, a number that continues to grow. The financial fallout can be overwhelming: Microsoft reports cyber attacks cost SMBs an average of $250,000 and, in some cases, as much as $7 million—losses that most small businesses cannot afford.

“SMBs are prime targets because they often lack the resources and expertise to defend against attacks,” said Karen S. Evans, Managing Director of CRI. “But there are simple, affordable steps SMBs can take to reduce their risk and build resilience against cyber threats – we call them the ‘5 for ‘25’.”

CRI’s top cybersecurity “resolutions” for SMBs in 2025:

  1. Enable Multi-Factor Authentication (MFA).
    MFA requires users to verify their identity through two or more factors, such as a password, smartphone, or biometric data. For instance, when a bank sends a code to your phone during login, it’s using MFA. The U.S. Cybersecurity and Infrastructure Security Agency reports that businesses using MFA are 99% less likely to be hacked. Many software products used by SMBs offer MFA as a built-in feature, but users typically need to activate it. See CRI’s 2024 Global Multifactor Authentication Survey of nearly 2,300 SMBs.
  2. Appoint a “Cyber Leader.”
    Every SMB should designate a “cyber leader” responsible for monitoring cybersecurity threats, sharing best practices, and promoting cyber awareness within the organization. This doesn’t have to be a full-time role, but having a point person can significantly enhance a company’s readiness to respond to risks by educating fellow employees to create a culture of cyber readiness.
  3. Educate Your Employees.
    Human error is one of the leading causes of cyber breaches. Mistakes, often due to a lack of awareness or training, can open the door to attackers. CRI offers a free online cyber readiness course designed specifically for SMBs, which takes about an hour to complete. Four out of five SMBs report a significant improvement in their cyber readiness after completing the program. The course is available at https://cyberreadinessinstitute.org/the-program/.
  4. Create a Business Continuity Plan.
    Cyber incidents can disrupt your business operations, making it critical to have a plan to recover quickly. A business continuity plan outlines steps to maintain or restore essential operations in the event of a cyberattack, natural disaster, or other disruption. CRI recommends including clear roles and responsibilities, data backup strategies, and recovery procedures to minimize downtime and losses.
  5. Purchase Cyber Insurance.
    Most SMBs don’t think twice about protecting their businesses with physical security systems and business insurance, but they often overlook protecting valuable digital assets such as customer information, personal data of employees, transaction records and so much more. A full range of cyber policies are available from major insurers and can cover financial losses, legal threats, reputational harm and other damage caused by a breach. “There’s simply too much at risk – your brand, your reputation, the trust of your customers and suppliers — not to do so,” Evans said.

About the Cyber Readiness Institute (CRI):
The Cyber Readiness Institute (CRI) is a non-profit initiative providing free cybersecurity tools and resources for small and medium-sized businesses. CRI focuses on improving human behavior and promoting employee education to enhance the security of global supply chains. The organization operates under the Center for Global Enterprise, a New York-based non-profit applied research organization. CRI member companies include Apple, Mastercard, Microsoft, and T-Mobile, with continued support from ExxonMobil, General Motors, and PSP Partners.

For more information, visit www.cyberreadinessinstitute.org.