In today’s fast-paced world, new technologies and innovations emerge daily, often with the goal of making our lives easier. But with these modern-day conveniences come new security risks that can wreak havoc on individuals and businesses. When it comes to protecting sensitive information, small business owners, who are often already strapped for resources, may experience more hurdles than their enterprise-level counterparts. To this end, it’s critical to understand cyber risk, how much of it your business carries, and how to protect your organization in the wake of a cybersecurity event. 

OK, so what is cyber risk?

Many people make the mistake of thinking of cyber risk as purely a technology risk. 

It’s not. 

In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk.

Cyber risk directly impacts every facet of a company, making it a full-on business risk. This type of risk is almost always tied to financial loss, and it can very quickly damage a brand’s reputation. Organizations that have not taken the proper steps and implemented cybersecurity best practices to protect their sensitive information are at the highest risk. For smaller companies, one major security incident could lead to significant losses, including the business itself.

Of course, some level of cyber risk is inherent when running a business; there’s really no working around that. Storing sensitive information is simply a necessary part of running a business. But it’s a matter of understanding the type and volume of sensitive information that you carry, so that you can reduce non-essential information while protecting the critical components. It’s also crucial to have visibility into exactly where this information lives (on what devices, networks, etc.) so that you can easily reduce your risk by eliminating non-essential files (such as duplicates) and isolating older but still relevant information.

The fact is, most users tend to store everything they can across their devices, exposing the business to more potential financial liability than needed. It was once nearly impossible to know how much sensitive information you had, where it was stored, and how much it could cost you in the event of a breach or cyber event. Thankfully, business owners now have visibility into these critical components with easy-to-use tools that help manage sensitive information, lowering the potential information risk liability.

Who needs to pay attention to cyber risk?

Literally everyone in the company, from the executive team to the most junior employees. When everyone has a basic understanding of cybersecurity and adheres to the company’s best practices, there’s less room for error. 

You might be thinking, “I get it, but I’m not a huge corporation, there’s no possible way I’m carrying that much risk.” We wish it worked that way, but no business – regardless of size – is immune from cyber risk and its related consequences. 

What type of information carries the most cyber risk?

Consider all of the information your company relies on to operate. Within this valuable data are two primary types of sensitive information that are prime targets for bad actors: personally identifiable information (PII) and personal health information (PHI).

Let’s start with PII. This includes any information that is used to help identify an individual (names, addresses, social security numbers, etc.) and carries the potential for privacy risk. Chances are you have a lot of this type of information on hand, as almost all businesses carry PII (and are responsible for protecting it!).  

PHI is another big one. These records are exactly what they sound like; they contain all of the information that a healthcare provider might need to collect in order to provide patient care. PHI is often heavy on demographics, medical history, tests and lab results, mental health conditions, and insurance information. According to recent reports from both IBM and Verizon, the average healthcare data breach cost is 65% higher than in any other industry.

Bottom line: The higher the volume of PII and PHI, the greater your cyber risk. 

How likely are small businesses to experience a cybersecurity event?

According to a 2022 report from Barracuda Networks, small businesses are three times more likely to be attacked by cyber criminals than larger entities. Not only are small businesses prime targets for attack, but cyber crime globally is expected to cost the world $10.5tn by 2025, per recent research from Cybersecurity Ventures.

Furthermore, 61% of all small and medium-sized businesses (SMBs) reported at least one cyber attack in 2021, per Verizon’s latest Data Breach Investigations Report. The same report shows that 43% of all data breaches involve SMBs.

It’s worth noting that cyber attacks can be performed by bad actors, or they can happen due to negligence with sensitive data. This is why a big part of understanding your cyber risk starts as an inside job. This involves ensuring employees are being intentional with information and following the company’s cybersecurity best practices. 

Bottom line: Cyber risk impacts businesses of all sizes across all industries (companies carrying volumes of PII and PHI are at the highest risk).


The effects of a cybersecurity event can be long-lasting, especially for small business owners — with some businesses being forced to close their doors for good. It’s not a matter of “if” your company will be attacked, but “when.” Taking steps to understand and measure your risk can help you protect what you’ve worked so hard to build. 
