How Small Businesses Can Fight a Growing Wave of Cyber Crime - WSJ What’s News

Summary5 min read

WSJ What’s News: How Small Businesses Can Fight a Growing Wave of Cyber Crime

Date Released: August 10, 2025
Host: Kate Bullivant
Guests:

James Rundle – Cybersecurity Reporter, The Wall Street Journal
Seong Jun – Lead Cyber Analyst, Dragonfly (a Dow Jones company)

Introduction and Overview

In the August 10th episode of WSJ What’s News, host Kate Bullivant delves into the escalating threat of cybercrime targeting small businesses—the backbone of the US economy. The discussion highlights the increasing sophistication of ransomware attacks and the impact of geopolitical tensions involving nations like China and Russia. The episode underscores the often-overlooked vulnerability of mom-and-pop shops amidst rising cyber threats.

The Surge of Cyberattacks on Small Businesses

Kate opens the discussion by referencing recent high-profile cyberattacks:

Microsoft endured "active attacks targeting its server software" (00:17).
The US Government issued warnings about increased cyber attacks linked to conflicts with Iran (00:17).

James Rundle emphasizes that cybercrime has transitioned from a "background risk to a constant threat" for small and medium-sized businesses. He explains that advancements in artificial intelligence and automation have lowered the barriers for cybercriminals, enabling them to conduct large-scale attacks with minimal technical expertise (02:45).

Impact of Cyberattacks on Small Businesses

A poignant account from an unnamed small business owner illustrates the personal and financial toll of cyberattacks:

"Secure my account or I will lose access to it. I get emotional because this took a huge financial burden on my family and myself. It was the worst week of my life. We literally sat there crying and just responding to people for days and days and days. It felt like an eternity." (01:23)

A forthcoming Mastercard survey reveals that nearly half of small and medium-sized businesses have experienced a cyberattack, with about one in five victims resorting to bankruptcy or closure due to these incidents (01:19).

Seong Jun adds that small businesses often appear on cybercriminals' victim lists not because they are specifically targeted, but because attackers seek the "path of least resistance" to maximize payouts with minimal effort (03:39).

Why Cybercriminals Target Small Businesses

When questioned about the rationale behind targeting small businesses, James Rundle explains:

"The risk calculus has changed. As big companies have improved their cybersecurity, the criminal focus has shifted downstream. Small businesses often have weaker defenses and hold just as much valuable data as larger companies." (04:19)

Furthermore, small businesses frequently serve as suppliers or service providers to larger firms, making them attractive as both direct targets and entry points into more substantial entities (04:19).

Seong Jun highlights the lack of specialized cybersecurity departments in small enterprises:

"They have just as much valuable data... but they are less equipped to respond to these sorts of incidents." (04:09)

Sectors Most Susceptible to Hacks

While cyberattacks span various industries, certain sectors are particularly vulnerable:

Healthcare: Constant targets due to the high value of medical data and the critical nature of uninterrupted services. The cyberattack on Change Healthcare exemplified how even brief revenue interruptions can severely impact smaller healthcare providers (05:42; 06:27).
Other Targeted Industries: Airlines, retail, and gaming sectors have also been prominent targets for groups like Scathard Spider (05:42).

Consequences of Cyberattacks on Small and Medium Enterprises (SMEs)

The ramifications of cyberattacks on SMEs extend beyond immediate financial losses:

Direct Impact: Operational downtime can halt revenue streams and, in sectors like healthcare, disrupt essential services (06:27).
Ancillary Effects: Costs associated with notifying customers of data breaches, complying with diverse data privacy regulations, and potential legal repercussions (06:34).
Reputational Damage: Particularly acute in industries where privacy and trust are paramount, such as law firms and healthcare providers (06:34).

Seong Jun emphasizes that small businesses often lack the resources to swiftly mitigate attacks, exacerbating the severity of their consequences:

"They are usually less able to mitigate the impact of it early on... that's why small and medium sized businesses can be so heavily affected." (05:32)

Broader Economic Impact and Government Response

Small businesses contribute over 40% to the US GDP, making widespread cyber attacks a significant economic concern. James Rundle notes that cyberattacks on SMEs disrupt supply chains and delay deliveries, causing ripple effects throughout larger communities and companies (08:21).

In response, policymakers at municipal, state, and federal levels are increasingly attentive:

Government Initiatives: Offering grants, guidance, and tax incentives to bolster cybersecurity measures among small businesses (08:21).
Limitations: While the government can set standards and provide resources, the onus remains on individual businesses to implement robust defenses (08:21).

Strategies for Protecting Small Businesses

A report from the World Economic Forum indicates that over one-third of small institutions deem their cyber resilience inadequate. Seong Jun outlines essential strategies for enhancing cybersecurity:

Employee Vigilance: Regular phishing tests and up-to-date training to recognize evolving social engineering tactics, including voice phishing powered by generative AI (09:19).
Technical Measures: Keeping software updated, maintaining regular data backups, implementing multi-factor authentication, and investing in anti-DDoS protection services (09:19).
Incident Response Planning: Developing a basic plan to manage and mitigate potential attacks transforms them from potential disasters into manageable disruptions (10:47).

James Rundle reinforces the importance of fundamental cybersecurity practices:

"Strong passwords, multi factor authentication, software updates, data backups, employee training... these steps... can drastically reduce the odds of a successful attack." (10:47)

The Role of Cybersecurity Firms

Given the resource constraints of small businesses, cybersecurity firms play a pivotal role:

Managed Services: Offering enterprise-level protections such as monitoring, endpoint security, and incident response at scalable and affordable prices (11:40).
Filling the Expertise Gap: Cybersecurity firms help bridge the "cyber poverty line" by providing essential services that small businesses might otherwise forgo (12:28).

However, Seong Jun cautions about the increasing risk of supply chain attacks as businesses rely more on third-party vendors:

"Adding more and more software into these business operations also increases the risk of things like supply chain attacks." (12:25)

Conclusion

The episode underscores the urgent need for small and medium-sized businesses to prioritize cybersecurity amidst a landscape of increasingly sophisticated and automated cyber threats. While government initiatives provide essential support, the responsibility ultimately falls on businesses to adopt fundamental security measures and leverage the expertise of cybersecurity firms to safeguard their operations and, by extension, the broader economy.

Notable Quotes:

James Rundle: "Cybercrime has moved from a background risk to a constant threat for small and medium sized businesses." (02:45)
Seong Jun: "Cybercriminals generally go for the path of least resistance, trying to get the biggest payout for the least amount of effort." (03:39)
James Rundle: "The fundamentals really do go a long way... strong passwords, multi factor authentication, software updates, data backups, employee training." (10:47)

This summary was produced based on the transcript of the WSJ What’s News podcast episode released on August 10, 2025.

Loading summary

Transcript31 lines

[00:00]
Viking Sponsor
Viking committed to exploring the world in comfort. Journey through the heart of Europe on an elegant Viking longship with thoughtful service, cultural enrichment and all inclusive fares. Discover more@viking.com hey, what's news, listeners?
[00:18]
Kate Bullivant
It's Sunday, August 10th. I'm Kate Bullivant for the Wall Street Journal. This is what's News Sunday, the show where we tackle the big questions about the biggest stories in the news by reaching out to our colleagues across the newsroom. Help explain what's happening in our world. On today's show, we're going to talk about how a surge in cyber attacks is increasingly hitting small businesses, the backbone of the US Economy. It comes as the number of overall cyber attacks are ramping up thanks to more sophisticated ransomware and escalating geopolitical tensions with countries such as China and Russia. In just the past few months, we've reported how Microsoft was hit by, quote, active attacks targeting its server software as well as the US Government, government warning companies to watch for increased cyber attacks linked to the conflict with Iran. And while we often hear about how cyber attacks are hitting large businesses, the impact these attacks are having on mom and pop shops can be overlooked.
[01:19]
Unnamed Small Business Owner
There are constantly people, you know trying to do these scams all the time.
[01:24]
Kate Bullivant
It said that they need me to.
[01:25]
Unnamed Small Business Owner
Secure my account or I will lose access to it. I get emotional because this took a huge financial burden on my family and myself. It was the worst week of my life. We literally sat there crying and just responding to people for days and days and days. It felt like an eternity.
[01:46]
Kate Bullivant
According to a forthcoming survey from Mastercard looking at over 5,000 small and medium sized businesses across four continents, nearly half of business owners have experienced a cyber attack on their current business and nearly one in five that suffered an attack then filed for bankruptcy or close their business. At the same time, the World Economic Forum reports that a split is emerging regarding the resilience of small organizations to cyberhacks compared with how their larger counterparts weather the storm. To explore what's going on here and why small businesses are an appealing target for cyberhackers, I'm joined by Journal cybersecurity reporter James Rundle, as well as Seong Jun, who's the lead cyber analyst at a security intelligence provider Dragonfly, which is part of Wall Journal owner Dow Jones. James, I want to start by asking you, how much of a critical issue has cybercrime become for small and medium businesses?
[02:45]
James Rundle
Cybercrime has moved from a background risk to a constant threat for small and medium sized businesses, and the big driver behind that is Scale. So in the past, an attack required planning, patience, a pretty high degree of technical skill. But today, artificial intelligence and automation have really lowered the barrier to entry. So an attacker with the right tools, which you can easily find on the darknet or even rent from cybercriminal gangs, can generate tailored phishing campaigns that are customized to imitate or target specific people. They can craft malware, they can scan thousands of systems for weaknesses with very little technical know how. And that means attackers can hit hundreds of targets at once. So small businesses are facing this critical issue and they're not being singled out because they're suddenly more interesting. It's because they're caught in the nets due to the mechanization of cybercrime, making everyone a target.
[03:37]
Kate Bullivant
And Siyong, what are you seeing?
[03:39]
Seong Jun
In my monitoring of these cybercrime and ransomware groups, something that is quite surprising is seeing how many small and medium sized businesses appear in their victims list, even though for these major cybercrime groups, these wouldn't seem like obvious targets. And it really just has to do with the fact that cybercriminals generally go for the path of least resistance, meaning they are trying to get the biggest payout for the least amount of effort. And the reality is a lot of small and medium sized firms have invested less in cybersecurity protections and are less equipped to respond to these sorts of incidents.
[04:10]
Kate Bullivant
And James, as Siong pointed out, you'd think that hackers would have bigger fish to fry here. Why are hackers targeting small businesses in the first place?
[04:20]
James Rundle
Well, they still go after the bigger fish. That's absolutely still happening. But the risk calculus has changed. And that's really the irony here. As big companies have improved their cybersecurity and actually done what they've been told to do for years, that's shifted the criminal focus downstream. Small businesses often have weaker defences. They have smaller budgets, but they have just as much valuable data as larger companies. And also many are also suppliers or service providers to larger companies, which makes them attractive both as direct targets and as potential beachheads or entry points into those bigger clients.
[04:51]
Seong Jun
For a lot of small and even medium sized businesses, they don't really have specialized cybersecurity departments. They'll have IT staff, maybe a couple of people working on this, but no one that actually has a lot of experience necessarily in things like instant response or more advanced cybersecurity setups. So this means that when you have a small business that experiences a cyber attack, they are usually less able to mitigate the impact of it early on. So when an attacker gets into a company's internal networks, you can limit the scale of the damage by, for instance, isolating them and preventing them from accessing a lot more system files. But when you don't have people who are able to respond to that readily, especially since cyberattacks also happen out of office hours, that's why small and medium sized businesses can be so heavily affected.
[05:32]
Kate Bullivant
Okay, so small and medium sized businesses are clearly more vulnerable. James, is that across the board or are some sectors even more susceptible to a hack?
[05:43]
James Rundle
There are some hacking groups that have been in the news lately, such as Scathard Spider, which has a modus operandi of going after specific industries such as airlines, retail gaming. But some are more susceptible than others. Healthcare is a good example of this. It's a constant target. And small practices really are no exception. As we saw during the cyber attack on Change Healthcare last year, even a revenue interruption of a few weeks can seriously imperil smaller healthcare providers. And they just can't afford downtime generally, not just financially. If systems go down, then patient care stops and that urgency makes them more likely to pay quickly to restore operations. Medical data is also uniquely valuable on the black market for fraud purposes. You can't simply cancel your health records or your Social Security number in the way you can cancel a credit card.
[06:28]
Kate Bullivant
So once a small or medium enterprise has been hacked, why are the consequences more dire for them?
[06:34]
Seong Jun
Apart from just being unable to limit the impact of the attack, there is also a lot of ancillary effects, like the cost of notifying customers of a data breach that's occurred. That's a very common effect of a ransomware attack. And even a small business can have clients all over the world and which means that they would have to comply with different data privacy regulations and notify the customers accordingly. And doing that can become very, very expensive. There is also, of course, reputational damage, especially in industries where privacy is considered very, very important things like law firms, healthcare companies. There's also the potential legal fallout of failing to report a cybersecurity breach on time.
[07:10]
Kate Bullivant
Coming up, we step back for a look at the wider consequences of when small businesses fall victim to cyber attacks and what they can do to defend themselves. That's break.
[07:24]
Viking Sponsor
This message comes from Viking, committed to exploring the world in comfort. Journey through the heart of Europe on an elegant Viking longship with thoughtful service, destination focused dining and cultural enrichment on board and on shore. And every Viking voyage is all inclusive with no children and no casinos. Discover more@viking.com.
[07:55]
Kate Bullivant
As we've been discussing. Cybercrime has moved from a background threat to a constant risk for small and medium sized businesses. I want to zoom out for a moment. James, we've already mentioned that small businesses are the backbone of the US economy. They account for over 40% of US GDP. At what point does this become an issue for the wider US economy? And do we see politicians doing anything about it?
[08:22]
James Rundle
Well, we're already there. It is a wider economic issue. Cyber attacks on small businesses, they disrupt supply chains, they delay deliveries, they have a tendency to ripple into larger communities and companies. And that's why policymakers are paying more attention. If the municipal, state and federal level, they're offering grants, guidance, and in some cases even tax incentives for better cybersecurity. But it's important to say that there is a limit to what the government can do. It can set standards, it can provide resources, it can even introduce regulation in some critical infrastructure sectors. But it can't be the cyber cop for millions of small businesses. Ultimately, companies do have to take responsibility for their own defences, with the government creating an environment that makes that achievable.
[09:02]
Kate Bullivant
If we're looking at what companies can do to protect themselves, it's striking that a report from the World Economic Forum found that more than a third of small institutions consider their cyber resilience inadequate. What can these institutions do to be more prepared?
[09:19]
Seong Jun
Well, in terms of what companies can actually do to protect themselves, a lot of cyber attacks occur through social engineering. So it's by convincing people to click on links or to download certain files that are malicious that allow an attacker into that system. Now, the Internet is pretty much built on connectivity, not security. So in a way, it makes sense that a lot of people are susceptible to these types of attacks, because if you see a hyperlink, because it's highlighted in a different color, that invites you to click it. That's why it's so important, especially even for small businesses, to remain very vigilant, conduct things like regular phishing tests, and make sure that their employees are up to date on what sort of tactics cybercriminals are using to compromise them. Because these are changing so often. So now, for instance, with the advent of generative AI tools, you have voice phishing becoming increasingly more common, where an attacker will simulate the voice of the trusted individual within the company to try and convince someone to transfer funds or gain access into an employee's account. In addition to just remaining vigilant for these sorts of social engineering attacks, keeping software up to date is also very important. And I'm sure every item in the world knows this as well. But attackers can use automated scanning tools to identify known vulnerabilities in a business's network and then reach them that way. There's also like the very standard things of just maintaining regular data backups, implementing multi factor authentication for your employees, and also if you are concerned about DDoS attacks, investing in anti DDoS protection services. A DDoS attack is essentially when an attacker floods your network with a lot of traffic and takes a website down. And that can be really detrimental. For instance, a small business, if you are relying on online sales to generate a lot of your revenue and just.
[10:47]
James Rundle
To follow on the fundamentals really do go a long way. I can't tell you how many times I've had very senior law enforcement and intelligence officials tell me that 75% of what they deal with would go away overnight if everyone followed the basics. Like Sean said, strong passwords, multi factor authentication software updates, data backups, employee training. These steps aren't expensive. They're not always cheap either. But they can drastically reduce the odds of a successful attack. And having a basic plan for what to do when that happens can really turn what could be a potential disaster into a manageable disruption.
[11:23]
Kate Bullivant
Okay, so small businesses need the basics when it comes to their online security. It makes me wonder where cybersecurity firms fit into this. This is industry that's doing well. A couple of cybersecurity indexes have performed significantly better than the S and P over the past year.
[11:41]
Seong Jun
A lot of cybersecurity firms can offer managed services for smaller companies that may not be able to operate a full cybersecurity team. So that's how they can mitigate against a lot of these risks. But I also think that adding more and more software into these business operations also increases the risk of things like supply chain attacks. So let's say a business relies on a third party vendor for cloud storage services. So if an attacker breaches the vendor, they could gain access to data stored by that business. And a good example of this is actually the recent Microsoft SharePoint attacks. So there was a previously unknown vulnerability in Microsoft SharePoint servers that was first exploited by attackers a few weeks ago. And now we have ransomware groups trying to encrypt the data on some of these servers. And of course, some of this data belongs to companies and government agencies.
[12:26]
Kate Bullivant
And James, what are you finding in your reporting?
[12:29]
James Rundle
Similar to what the World Economic Forum found. There's very much a cyber poverty line between those who have and have not and what cybersecurity firms do for smaller companies is they fill that expertise gap. Most small businesses, as seeing said, can't afford a dedicated security team. But managed service providers who do this for many smaller companies, they can offer enterprise level protections like monitoring, endpoint security, incident response at a scale and price that small business can use. There are still issues in the vendor landscape, particularly when you get into insurance and the gaps in coverage that exists there. There are companies out there who make these services simple, affordable and accessible. So smaller companies can see them really as sort of essential investments and not optional or overly complicated extras, because they are these days.
[13:12]
Kate Bullivant
That was Journal cybersecurity reporter James Rundle and Seong Jun, who is the lead cyber analyst at security intelligence provider Dragonfly, which is part of Wall Street Journal owner Dow Jones. James Siyong, thank you both so much.
[13:28]
James Rundle
Thank you.
[13:28]
Seong Jun
Thank you.
[13:31]
Kate Bullivant
And that's it for what's new. Sunday, August 10th today's show was produced by Charlotte Gartenberg with supervising producer Sandra Kilhoff. We got help from deputy editor Chris Sinsley. I'm Kate Bullivant. We'll be back on Monday morning with a new show. Thanks for listening.