A dentist’s office in Ohio. A manufacturing firm in Michigan with 40 employees. A landscaping company in Colorado. What do they have in common? All three were breached in the past year alone, and all three had something else in common: they thought they were too small to be worth targeting.
They were wrong.
The modern cyberattack economy has made every business with an internet connection a potential target. The question isn’t whether you’ll be attacked. For most small and medium businesses, it’s already happening. The question is whether you’ll notice before something critical gets encrypted, stolen, or held hostage.
The Economics Have Shifted
Here’s what’s changed in the past few years. Ransomware groups used to focus on big enterprises because that’s where the big paydays were. You go after a Fortune 500 company, you might get a $10 million ransom. Easy calculus.
That calculus is broken now.
The rise of ransomware-as-a-service means anyone with a few hundred dollars and minimal technical skill can rent attack infrastructure. Meanwhile, AI has automated the tedious parts of cybercrime: phishing email generation, vulnerability scanning, credential stuffing. What used to require a skilled operator now runs in fully automated attack pipelines that churn through potential targets 24/7.
The result is that small businesses have become the path of least resistance. A 40-person accounting firm has fewer security resources than an enterprise but often stores the same types of sensitive data—client financial records, Social Security numbers, tax documents. Attackers know this. They’re not picking on you specifically; you’re just in the pile, and the pile keeps getting larger.
What the Numbers Actually Say
Let’s talk about actual risk instead of marketing FUD.
SonicWall’s 2026 report found that SMBs face seven critical security gaps on average, with network edge devices being the most commonly exploited entry point. The report noted that attacks are evolving faster than many SMB defense capabilities can keep up.
The cybercrime economy is now estimated at $10.5 trillion annually. About 43% of cyberattacks specifically target small businesses, according to multiple industry sources. The average cost of a breach for a small business? Somewhere between $120,000 and $1.2 million, depending on the study and what you count. For many businesses this size, that’s existential.
But here’s the number that should keep you up at night: 60% of small businesses that experience a significant cyberattack shut down within six months. Not because the attack itself is always fatal, but because the recovery costs, reputational damage, and regulatory fallout compound faster than the business can handle.
The Accountability Gap
Here’s the uncomfortable truth about most small businesses: cybersecurity falls to whoever has bandwidth, and nobody has bandwidth.
In an enterprise, there’s a CISO, a security team, maybe an MSSP. At a 50-person company, IT might be one person who also handles billing and schedules vendor meetings. Cybersecurity isn’t their job; it’s one of fourteen things they do between outages and software updates.
This is what some researchers call the accountability gap. Nobody owns security holistically. Nobody has time to stay current on threats. And nobody’s job depends on getting it right—until they get it wrong.
The result is predictable: outdated software, reused passwords, no multi-factor authentication on critical systems, no tested backups. The same vulnerabilities that security professionals have been screaming about for years, still unpatched because there’s always something more urgent.
What Actually Works
Let me be concrete. If you’re running a small business and your security budget is “whatever’s left over,” here’s where to focus.
Multi-factor authentication is non-negotiable. Not optional, not someday. Turn it on for everything that supports it: email, banking, cloud services, remote access. Use an authenticator app or hardware key rather than SMS if you can. This one change alone would have prevented a significant percentage of the breaches I track.
Assume your backup will fail when you need it. Test it. Actually restore something from backup and verify it works. The number of businesses that had backups that turned out to be corrupted, incomplete, or mapped to the wrong VM is absurd. If your backup has never been tested under realistic conditions, you don’t have a backup; you have a hope.
Lock down remote access. RDP exposure to the internet is still one of the most common breach paths for small businesses. If you need remote access, use a VPN or, better yet, a zero-trust network access solution. Port 3389 should not be directly accessible from the internet under any circumstances I can think of.
Segment your network. Your HVAC vendor doesn’t need to be on the same network as your finance systems. Neither does your point-of-sale, if you have one. Network segmentation won’t stop a breach, but it will limit what an attacker can reach once they’re inside.
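The backup test described above ("actually restore something and verify it works") is the one control on this list that lends itself to automation. What follows is an added example, not code from the article: a restore drill that unpacks a backup archive into a scratch directory, then checks every file against a SHA-256 manifest so that the two failure modes named above, a corrupted backup and an incomplete one, are caught before the day you need it. The tar-with-embedded-manifest layout, the MANIFEST.json name and the sample file set are all assumptions made for the example; a real backup job would write the manifest itself.

```python
"""Backup restore drill (added example, not from the article).

Restores a backup archive into a fresh temporary directory and verifies each
file against the SHA-256 manifest shipped inside the archive. Reports files
that are missing (incomplete backup) or whose hash differs (corrupted backup).
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed convention: manifest travels inside the archive

# Constructed sample data standing in for a small business's real file set.
SAMPLE_FILES: Dict[str, bytes] = {
    "finance/ledger.csv": b"date,amount\n2024-01-02,1250.00\n",
    "clients/roster.txt": b"Acme Dental\nNorthfield Landscaping\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: Dict[str, bytes], manifest: Optional[Dict[str, str]] = None) -> bytes:
    """Create a tar.gz backup in memory: the files plus a manifest of their hashes.
    Passing an explicit manifest lets the drill simulate a backup whose contents
    no longer match what the backup job recorded."""
    if manifest is None:
        manifest = {name: sha256_bytes(data) for name, data in files.items()}
    payload = dict(files)
    payload[MANIFEST_NAME] = json.dumps(manifest, indent=2).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in payload.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_and_verify(archive: bytes) -> dict:
    """Perform a real restore into a temp directory, then verify every manifest entry."""
    report = {"ok": False, "verified": 0, "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                dest = (root / member.name).resolve()
                if root not in dest.parents:  # refuse entries that would escape the restore dir
                    report["unexpected"].append(member.name)
                    continue
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
        manifest_path = root / MANIFEST_NAME
        if not manifest_path.exists():
            report["missing"].append(MANIFEST_NAME)
            return report
        manifest = json.loads(manifest_path.read_text())
        for name, expected in manifest.items():
            path = root / name
            if not path.exists():
                report["missing"].append(name)
            elif sha256_bytes(path.read_bytes()) != expected:
                report["corrupted"].append(name)
            else:
                report["verified"] += 1
    report["ok"] = not (report["missing"] or report["corrupted"] or report["unexpected"])
    return report


def drill_report() -> Dict[str, dict]:
    """Run the drill against a good backup and two deliberately bad ones."""
    good_manifest = {n: sha256_bytes(d) for n, d in SAMPLE_FILES.items()}
    corrupted_files = dict(SAMPLE_FILES)
    corrupted_files["finance/ledger.csv"] = b"date,amount\n"  # truncated on disk, manifest unchanged
    incomplete_files = {k: v for k, v in SAMPLE_FILES.items() if k != "clients/roster.txt"}
    return {
        "good": restore_and_verify(build_backup(SAMPLE_FILES)),
        "corrupted": restore_and_verify(build_backup(corrupted_files, good_manifest)),
        "incomplete": restore_and_verify(build_backup(incomplete_files, good_manifest)),
    }


if __name__ == "__main__":
    for label, rep in drill_report().items():
        print(f"{label:10s} {'OK' if rep['ok'] else 'FAILED'}  {rep}")
```

The point of the drill is that it restores rather than lists: a backup that lists fine but restores to empty or mangled files is exactly the "hope, not a backup" case. Scheduling it to run against the most recent archive, and alerting on anything other than ok, turns the advice above into a routine check instead of a one-time exercise.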
The Stuff That Gets Skipped
I want to address the “we don’t have budget for this” objection because it’s sometimes valid and sometimes not.
Yes, some security tools are expensive. But the most impactful security measures aren’t: MFA is free on most platforms. Backups are as old as computing. Network segmentation is a configuration change, not a purchase order.
What often gets skipped isn’t the expensive stuff—it’s the boring stuff. Documenting what you have. Knowing which vendor has access to what. Having a conversation with your team about what phishing looks like. These aren’t glamorous, but they’re where breaches actually come from.
A realistic security posture for a small business doesn’t require a security operations center. It requires that you know what you’re protecting, you control who has access, and you can recover when something goes wrong.
What to Take Away
The threat landscape isn’t going to get simpler. AI will make attacks more sophisticated and more automated. The supply chain for cybercrime will keep lowering barriers. The businesses that survive won’t be the ones with the biggest security budgets—they’ll be the ones that did the basic things consistently.
Start with the basics: MFA everywhere, tested backups, locked-down remote access, network segmentation, and an actual plan for when things break. Everything else is refinement.
If you want a starting point, NIST’s Small Business Cybersecurity page has practical guides that aren’t written for security professionals. They’re written for people who have a business to run and need to know what actually matters.
The attackers aren’t going to slow down. But there are legitimate steps you can take that don’t require a six-figure security budget. Start somewhere. The cost of starting is far less than the cost of not starting.