Small and Medium-Sized Businesses Face Major Obstacles in Achieving Cyber Readiness: The State of SMB Cyber Readiness, 2024


NEW YORK, NY (April 30, 2024) – A report issued today by the non-profit Cyber Readiness Institute (CRI) raises concerns about the state of cybersecurity among small and medium-sized businesses (SMBs) globally.

In the first quarter of 2024, CRI engaged a cross-section of nearly 100 SMBs, large corporations, cybersecurity providers, and non-profit organizations to delve into the challenges hindering the adoption of cybersecurity best practices. Among the notable barriers identified, low awareness, inadequate implementation strategies, and lack of incentives emerged as primary obstacles impeding the adoption of effective cyber readiness measures.

Fewer than one in five (17%) respondents rate current SMB cybersecurity capabilities “effective” or “somewhat effective,” while a majority (55%) consider them “ineffective” or “somewhat ineffective.” SMBs face an uphill battle with limited budgets, expertise, and time, as well as the misconception that their size makes them unlikely targets. All of these factors contribute to the risks facing SMBs, and in turn, their customers, suppliers, and supply chain partners.

More than half of respondents consider phishing emails, business email compromise (BEC) attacks, and ransomware demands the most significant cybersecurity threats to SMBs. At the same time, they expressed confidence in the power of strong passwords and the use of multifactor authentication (MFA) to help bolster SMB defenses and saw value in automated software updates that keep software systems current and fortified against the latest threats.

The findings are part of CRI’s “The State of Cyber Readiness Among Small and Medium-Sized Businesses” report.

“SMBs are highly vulnerable to the threat of cyber intrusion and tempting gateways to bigger prizes such as large enterprises, global supply chains, and critical infrastructure, representing the prime targets of bad actors,” said Karen S. Evans, CRI’s managing director. “An estimated 350-to-400 million SMBs interact daily with the world’s billions of consumers and occupy essential spots in the global supply chains of the world’s largest corporations. Making these businesses cyber ready will help create a more resilient global economy.”

Collaboration Between Key Stakeholders Needed to Better Secure SMBs

Study respondents identified government grants and subsidies, tax breaks for cybersecurity investments, and reduced cyber insurance premiums for cyber-secure businesses as effective incentives that can encourage SMBs to prioritize cyber readiness. Only one in ten respondents believe current cybersecurity regulations and compliance requirements are “somewhat effective,” highlighting the need to strengthen regulatory frameworks and industry standards worldwide.

In the report, CRI calls for greater collaboration between all stakeholders – including regulators, global enterprises, supply chain operators, industry associations, cybersecurity firms, and SMBs themselves – to increase awareness, facilitate the implementation of solutions, and provide incentives that can help fortify these businesses against evolving cyber threats.

CRI Offers Free Content, Tools, and Programs

For its part, CRI leverages the expertise of its members and partners to offer SMBs access to free cybersecurity resources that can help create a culture of cyber readiness, strengthen business operations, and reduce risk for customers, partners, and supply chains.

Now in its third iteration, CRI’s Cyber Readiness Program has reached an estimated 22,000 individuals in more than 1,300 organizations spanning 178 countries across nearly 100 industry sectors. Four out of five SMBs say they experienced a very high/high impact on their organization’s cyber readiness after going through the program.

“This latest report underscores the urgent need for proactive measures to strengthen cyber resilience among SMBs,” said Evans. “Focusing on human behavior to enhance awareness, address implementation challenges, and provide supportive incentives will empower SMBs to effectively mitigate cyber threats, manage their risks and safeguard their operations.”

About the Cyber Readiness Institute

The Cyber Readiness Institute is housed within the Center for Global Enterprise, a New York-based non-profit applied research organization. CRI was launched in 2017 to address the underserved needs of the SMB community by focusing on human behavior and organizational culture. Its co-chairs and members — including Apple, Mastercard, Microsoft, Principal Financial Group, and T-Mobile — see a pressing need to provide resources, technology, and leadership to better secure SMBs against cyber threats. Their collaboration has shaped the development of free content and tools aimed at preparing for, responding to, and recovering from incidents affecting SMBs worldwide. Founding members ExxonMobil, General Motors and PSP Partners continue to support the objectives and programs of CRI.

For more information about the Cyber Readiness Institute and its member companies, please visit To download “The State of Cyber Readiness Among Small and Medium-Sized Businesses” report, please visit HERE.

Additional support for the report:

“The 2024 State of SMB Cyber Readiness report underscores the urgent need for proactive measures to strengthen cyber resilience among SMBs,” said Samuel J. Palmisano, chairman of the Center for Global Enterprise and former IBM chairman. “CRI’s focus on human behavior to enhance awareness and address implementation challenges empowers SMBs to effectively mitigate cyber threats, manage their risks, and safeguard their operations.”

“To protect their companies, business owners want the best tools and strongest security possible. Yet this latest report shows that, for many small businesses, finding the right cyber strategy is often low on the list of priorities,” says Tim Murphy, Chief Administrative Officer at Mastercard. “CRI gives companies the resources they need to quickly go from risky to resilient – and, importantly, without sacrificing significant time or money.”

“As cyber threats continue to evolve, collaboration between larger organizations, non-profits, and the public sector is crucial to building a more secure environment for SMBs and all who do business with them,” said Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft. “As a founding member of the CRI, Microsoft is proud to support CRI’s proven approach to cyber readiness – raising awareness of cyber threats, assisting SMBs in the implementation of cyber policies and procedures, and developing tools and methodologies that improve business resiliency.”

“Leadership buy-in is crucial,” said Meg Anderson, chief information security officer at Principal Financial Group. “When SMB owners and senior leaders prioritize cybersecurity, they send clear messages to their entire organizations about the importance of creating cultures of cyber readiness and managing threats to their businesses.”

“Teaming up with the Cyber Readiness Institute is just one more example of how T-Mobile is investing in small businesses, recognizing their significance in fostering job creation, spurring innovation and nurturing community growth,” said George Fischer, SVP of Sales, T-Mobile Business Group. “We are committed to bringing small businesses solutions that can help them overcome challenges they face today around connectivity, collaboration and security so they can remain vital contributors to our economy.”