Yigal Unna.

Opinion
While Israel-Iran cyber war steals headlines, our forgotten SMEs remain vulnerable

"The most critical aspect of cyber’s overlooked defensive reality is that 96% of all cyber-attacks target SMEs," writes Yigal Unna, the former Director General of Israel’s National Cyber Directorate and current Consulting Specialist at CyFox XDR

$22 Billion is no small amount of money and represents the global investment in cybersecurity, but what’s truly incredible is that 40 percent, almost half of every dollar spent is invested in Israel. The set of unique threats that Israel faces has driven innovation and made the tiny country of 9 million a cyber superpower. However, while Israel is doing plenty right, its actions, along with headlines that focus on sexy stories about state actors and major corporations, overlook a critical aspect of Israel’s security and economic stability – SMEs. Without a radical rethink of our national strategy, SMEs in Israel remain a vulnerable and costly blind spot. Making cybersecurity for SMEs a top priority is long overdue.
1 View gallery
Yigal Unna
Yigal Unna
Yigal Unna.
(Oded Karni / GPO)
My service made the blindspots clear
Israel’s Prime Minister appointed me as the Director General of the Israel National Cyber Directorate (INCD), where I served for four years after 23 years in cyber with Israel’s domestic security agency, Shin Bet. I strived to protect the people of Israel from malicious actors, and we succeeded to a large extent; however, I noticed a big discrepancy. When attackers became infamous and Iran, Anonymous, or some other high-profile malicious actors took over websites or targeted critical infrastructure or companies, it warranted the utmost attention, while our SMEs, the target of most attacks, were always overlooked.
Israel’s problem is a global one
This year, cybercrime costs are set to total $8.15 trillion globally and are projected to hit an astonishing $13.8 trillion by 2028, according to common estimations. While Microsoft breaches and AI-driven attacks on governments or critical infrastructure flood the headlines, what often goes unseen are the unsung heroes – governments, corporations, and startups – who work tirelessly as a protective force to keep our digital worlds safe. CISOs and analysts work under extreme pressure to keep up with and prevent cyberattacks, playing their cards to determine the attackers’ next moves.
The biggest victim is virtually defenseless
The most critical aspect of cyber’s overlooked defensive reality is that 96% of all cyber-attacks target SMEs. They don’t make the headlines and represent a vast swath of cyberspace, they are underappreciated or completely overlooked. SMEs are often targeted not by a state actor or a sophisticated hacktivist group but by everyday dark web thieves and opportunists who have little to lose, with tools that cost a fortune on the dark web and average ransomware payouts of $8,100.
Additionally, while large enterprises have CISOs and budgets providing proactive services from threat intelligence to pen-testing, SMEs are virtually defenseless when relying on traditional methods. They lack the expertise, and many of their proactive tools return false positives that are time-consuming and costly - ultimately causing more harm than help. Government and private enterprises coming together are vital to being able to provide world-class training that can make a difference and even develop skills similar to their competitor companies before costs spiral.

A public-private Partnership for Change
While governments can’t mandate that small businesses should make cyber a top priority, they should support small businesses by helping spur the private sector to expand their solutions specifically tailored to the needs of SMEs and reward businesses that adopt by facilitating advantageous insurance rates or tax breaks.
From a private sector perspective, the economics, even without government intervention, are changing rapidly. With the rise of AI, it’s easier to reduce false positives and provide an alert layer to identify and contain attacks better while minimizing the manual work of skilled cyber analysis. Also, it’s possible to reach SMEs through MSPs and MSSPs rather than through an arduous business-by-business approach. This can provide added value while being unique among the competition by fulfilling not only their traditional role but that of CISO as well.
The reality is that with the cost of cyber-attacks skyrocketing, bad actors constantly adapting to overcome defenses, and SMEs being virtually defenseless, cybersecurity should be at the forefront of priorities. Government and the private sector must work together to help SMEs recognize the importance of cyber defense and not just compel them to be certified as compliant. Winning against bad actors will prove difficult, but shifting market forces and government action will be critical to spurring the will that will make the notion of secure SMEs no dream.
Yigal Unna is the former Director General of Israel’s National Cyber Directorate and current Consulting Specialist at CyFox XDR