The overarching problem is that a lot of SMB's simply do not care about security or data loss because it will cost them money to care, or just do not understand the issues so just ignore them. There have been many occurrences of hacking and data theft reported, where the target has shrugged it off and continued as normal, still with no security in place, and have been hacked again. The GDPR will go some way to alleviate this by dishing out fines to businesses that ignore security and fail to protect their data, so will hopefully make people start to take the subject of security seriously when it will potentially be more expensive not to. A shocking 37,000 websites on average are hacked every single day, due to poor or non-existent security and not being maintained. These hacked websites are then used to target visitors to those websites and distribute malware or steal data. Many SMB's are not even aware they have been hacked, I have had a couple of clients myself whose systems were actually compromised several years ago, and the criminals had been reading their emails, stealing their data, getting all their staff's personal details and passwords, all unhindered and undetected. One of the most common answers I get when I discuss the subject with folks is "Oh I have an IT guy". Imagine you have no security alarm in your home, rubbish locks on the doors, open windows etc, easy access for any criminal right?, but you say "I know a police officer". Knowing a police officer is not going to stop criminals breaking into your premises, getting in through your open windows or getting past the non-existant security since that police officer you know is not going to be guarding your property 24/7, in fact knowing him will not make any difference what so ever. In the same way, having or knowing an IT guy also is not going to stop cyber-criminals, or stop you being hacked if you have poor security, as your IT guy is not monitoring and maintaining your IT systems 24/7 or looking for vulnerabilities or reviewing your password policies. At the absolute least, folks need to use a decent cyber-security protection suite rather than just free anti-virus. I personally use BitDefender myself and this is what I recommend to my clients. It is not a solution by itself, but is considerably better than nothing and does afford a decent amount of protection against common threats.