"Before vulnerabilities are publicly discovered and patches are released, bugs and zero-day exploits can cause a lot of information to be stolen, invisible to the victims,” said Alexander Michael, director of consulting at Frost & Sullivan, in a research note. “SMBs are just as vulnerable as large corporations – but they lack the resources to protect themselves – and they are more likely to use open source platforms (e.g. WordPress), which are vulnerable to many common attack vectors.”

He added, "However unpleasant the thought, we should never forget that criminal hackers are all about money. They are highly skilled and trained, and highly motivated by profit."

According Frost & Sullivan, it is shockingly easy for hackers to compromise someone's website, but businesses have been slow to realize the potential damage that can be caused: websites are after all not just websites, but mission-critical pieces of organizations’ operations. In many cases, compromised websites result in emails and other valuable digital assets being compromised.

“Entire email archives may be stolen, for example, and that may seem harmless, because it is old information, but email archives will invariably contain recovered password to other resources, like social networks or internet banking, allowing countless new attacks to be perpetrated,” Michael noted.

He also warned of dangers in moving to cloud services – an ongoing IT transformation for businesses of all sizes. “A lot of people rely on their web email accounts as a form of cheap cloud-based storage. It is a big mistake to assume that an e-mail account will be safe, just because it is delivered by one of the world’s top e-mail service providers,” Michael noted. “Not realizing how easily an e-mail account can be compromised, people lay themselves and their customers open to unspeakable damage.”

Fortunately, the information security industry is waking up to the particular challenge of providing cost-effective and accurate solutions, allowing SMEs to protect themselves against web vulnerabilities, the research firm found. It’s up to businesses to implement them, however.

“Despite these very positive moves by the security vendors, cybercrime will always exist,” Michael concluded. “Security needs to be an integrated part of everything we do – not an afterthought – and everybody must understand risk and change their behavior accordingly.”