Why should small and medium-sized businesses care about security?

  1. Every business, no matter what it does or how big it is, runs on information
  2. Information has value to the business, so the business needs to protect the availability and integrity of that information
  3. Information has value to others (your customers, your employees, your business partners), and it has value to others who can exploit it for their own gain, so that information needs to be protected so that people cannot use it to cause harm
  4. Every business needs to ensure that information is used in the right ways at the right time so that customers, employees, and partners get the benefit they need

These four points mean that there need to be processes and training in place to make sure that the maximum benefit is derived from information and the minimum impact is experienced when something goes wrong. We call this "information security". Information security is not about technology and it is not about "hackers". It's about the proper handling of information for the life of the information and the business.

Information security processes are not new. Businesses of every size need to handle all assets in the same way. In fact, you can replace the word "information" with "asset" in the four points above, and businesses will not be surprised. Information is as important as assets to a business because information is the most important asset.


I think the question is too broad so I will only cover what I think is the main aspect:

Is security, at the end of the day, simply risk management?

That's what it is. There are several risks relevant to SMB which are addressed by information security, for example:

  • Ransomware might result in the inability to access data or systems which are critical for the business. Missing or incorrect backups might cause similar problems.
  • The competition might get access to secret data and could use these for their own advantage, like underbidding the company's offers or stealing ideas and getting faster to market with these. The competition does not need to be security experts to get this kind of access since hackers doing espionage or sabotage can be hired.
  • Being inadvertently part of a botnet which sends spam might cause mails originating from the company to be blocked by the mail servers of customers or partners, thus losing the ability to properly communicate.
  • If customer data are affected by a security problem it might result in losing customers, getting fined and also having problems getting a payment provider on acceptable conditions.
  • and likely more ...

Thus, not addressing the risks will likely result in loss of business and loss of money. On the other hand, addressing the risks will also need money and time, so one has to find a way to balance these and determine which risk is acceptable. But to do this one first has to evaluate what the specific risks for the company actually are.