Modern cybersecurity is a mess

This series simplifies cybersecurity for SMBs with practical, affordable guidance anyone can implement to enhance protection and minimize risks.

In this article
SMBs are now prime cyber targets as digital infrastructure spreads. With AI making attacks easier, demand for SMB-focused security is rising. Authorities, insurers, and banks are increasing security requirements, pushing businesses to adapt.

This article is written by Mihai Ionescu, CEO of Blackshell, and published on Substack.

Picture this

You're a small business owner. Your company turns a profit, but not by much - just enough to keep the lights on and make those sleepless nights worthwhile. You manage a team of fewer than twenty people. Some work on company laptops, while others use their personal devices - it saves money, so why not?

You've heard about cybersecurity before. Perhaps a friend who runs a business got hacked and lost access to critical data, including customer information. Maybe your broker asked about security policies when you applied for business insurance. Or perhaps someone from our team reached out about NIS2, the new EU cybersecurity legislation.

The truth is - you don't care. You barely have any infrastructure to protect; the chances of being attacked seem slim; and cybersecurity feels big, scary, and expensive. But since everyone's talking about it, you go online, look up the major cybersecurity vendors, and schedule some meetings. You bring along your overworked IT person - you know they'd rather be doing something else, but they're more likely to understand what these companies are trying to sell you.

You leave the calls more confused than ever. The sales reps (who often barely understand their own products) take you on a buzzword rollercoaster. They throw around terms like XDR, EDR, Zero-Access, and CASB; they mention post-quantum encryption and IAM. At one point, they try to sell you smart video cameras for your "corporate headquarters". They ask about assets, infrastructure, and edge devices. They tell you the fees run into tens of thousands but assure you it's actually a bargain compared to other options.

Cybersecurity boils down to risk management. In the end, you'll probably do what most others do: take the risk and hope you don't get attacked.

How did we get here?

We've watched this exact story play out with many of our customers, and it's never their fault. We (the cybersecurity industry) have done a terrible job of creating products that smaller, medium-sized, and even large non-tech companies can actually use. It’s easy to see why:

  1. Historically, only mega-enterprises and public institutions were worth attacking: banks, energy sector giants, and the like. They were the only ones with enough data and digital infrastructure to make an attack worthwhile
  2. These companies employ thousands and own countless devices, with teams of engineers and security experts on staff
  3. Supply follows demand, so the major security vendors of the '90s, '00s, and '10s built products tailored to enterprise customers

What changed?

Over the last 5 years, cybersecurity has changed drastically, from an enterprise-level concern to a non-core but critical function – similar to accounting, banking, or HR.

For the first time, small and medium-sized businesses have become viable targets. Digital infrastructure is everywhere, and every company relies on some combination of IT systems, hardware, or SaaS tools (like CRMs or ERPs). LLMs have made it easier than ever to write simple exploits and distribute them in a spray-and-pray manner, so nobody is safe. This has directly sparked demand for SME-focused security tools. Meanwhile, authorities, insurers, banks, and others have realized that unprotected SMEs pose a risk and have begun raising security requirements, adding fuel to the fire.

Unsurprisingly, most vendors have not adapted their offerings. Smaller businesses have different needs - they care about compliance and security but can't handle the complexity of datacenter-grade hardware or platforms that require dedicated security teams to manage. Price is another barrier – most enterprise solutions cost far more than these companies can afford, leaving them vulnerable.

Of course, there are a few companies out there that build SME-first solutions - other than Blackshell, Coro and Aikido come to mind. However, products are only part of the solution – the other half of it is doing a better job explaining how we’re collectively helping companies.

Over the coming months, this series will break down common security concepts in plain English. While some topics will get technical, we'll keep the discussion straightforward and accessible.