I hear it every week. Sometimes from a CEO, sometimes from a CFO, sometimes from a board member trying to justify keeping the security budget at $4,000 a year. “We’re too small to be a target.”
I understand why people believe it. It feels like it should be true. The news talks about the Targets and the Equifaxes and the Colonial Pipelines. Breaches that affect 200-person companies don’t make CNN. From the outside, it looks like the world’s attackers spend their days plotting against the Fortune 500.
That world hasn’t existed for at least a decade. Let me explain why, and then let me tell you what changes when the assumption breaks.
Attacks aren’t personal. They’re industrial.
A modern cyberattack against an SMB is not a movie. There is no hooded figure picking your business out of a hat. The overwhelming majority of attacks are run by automated software: programs that scan the entire internet looking for any system anywhere with a known vulnerability. They don’t know your name. They don’t know your industry. They just know that port 3389 (Remote Desktop) is answering on a Windows server in Wichita, and that the patch for the bug they are probing came out eleven months ago.
If you can get hit, you’ll get hit. The attacker has no preference. There are millions of you and one scanner.
This changes the math entirely. The relevant question isn’t “am I a target?” You are, automatically, the second your IP address is reachable. The relevant question is “am I a soft target?” That’s the only filter the automated software applies.
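The scanner in the paragraph above asks exactly one question of every address it reaches: does the port answer? Here is that question turned into a self-check. It is an added example written for this page, not code from the original post. It tries a TCP connection to a short list of ports that automated attackers look for (the list and its descriptions are the editor’s choice, not any standard), and it includes a throwaway local listener so the demo runs offline. To learn anything about your own exposure, run it from outside your network against your public IP addresses, not 127.0.0.1.

```python
# Added example (not from the original post): a minimal "am I a soft target?"
# check. It does what the mass scanners in the text do, but against your own
# addresses: attempt a TCP connect to ports that attackers look for on
# small-business networks. The port list and descriptions are editorial
# choices, and start_fake_service() only exists so the demo runs offline.
import socket
import socketserver
import threading

# Ports that scanners hammer because finding them open on the internet is
# rarely intentional and frequently means an unpatched service behind them.
RISKY_PORTS = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext, no business being on the internet)",
    445: "SMB (file sharing; should never face the internet)",
    1433: "MS SQL Server",
    3306: "MySQL",
    3389: "RDP (the classic ransomware entry point)",
    5900: "VNC",
}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports=None, timeout: float = 1.0) -> dict:
    """Probe each port and return {port: description} for those that answer.

    An empty dict means none of the probed ports accepted a connection.
    """
    if ports is None:
        ports = RISKY_PORTS
    else:
        ports = {p: RISKY_PORTS.get(p, "unlisted") for p in ports}
    return {p: desc for p, desc in ports.items() if port_is_open(host, p, timeout)}


# --- helpers so the example runs offline --------------------------------

class _Quiet(socketserver.BaseRequestHandler):
    def handle(self):
        # Accept and close; all that matters is that the port answers.
        pass


def start_fake_service(port: int = 0):
    """Start a throwaway listener on 127.0.0.1 standing in for an exposed
    service. Returns (server, bound_port); call server.shutdown() when done."""
    server = socketserver.TCPServer(("127.0.0.1", port), _Quiet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port() -> int:
    """Ask the OS for a free port, then release it so it is certainly closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: one listening port (pretend it is RDP) and one closed port.
    server, open_port = start_fake_service()
    closed_port = unused_port()
    found = check_exposure("127.0.0.1", [open_port, closed_port], timeout=0.5)
    server.shutdown()
    server.server_close()
    for port, desc in found.items():
        print(f"soft spot: 127.0.0.1:{port} is reachable ({desc})")
    if not found:
        print("nothing reachable on the probed ports")
```

Any hit on that list from the outside is what the paragraph means by a soft target. The fix is not to block the scanner but to close the port or put the service behind a VPN, and to patch whatever is listening on it.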
The economics favor going after you
If you’re a ransomware operator, who would you rather attack: a Fortune 500 company with a full security team, a CISO, an MDR provider, and $50 million in cyber insurance, or a 40-person manufacturer with a part-time IT person and a Dell server in a closet running Windows Server 2016?
The Fortune 500 company has bigger pockets. It also has lawyers, regulators, an FBI relationship, and people who know what to do. The 40-person manufacturer has none of that. The ransom demand is smaller, but so is the victim’s ability to refuse it, and so is the operator’s effort to extract it.
The math is brutal: a small business is far easier to compromise, far easier to extract a ransom from, and the legal heat is lower. Recent CISA advisories and Verizon’s Data Breach Investigations Report consistently show small and mid-sized businesses making up a large share of ransomware victims, chosen for what they are, not hit as collateral damage from attacks aimed elsewhere.
If you do the math from the attacker’s side, it would be irrational to ignore you. They’re not.
What happens when a 30-person company gets hit
Let me describe a recent example, anonymized. A regional services firm, 28 employees, around $9M in annual revenue. They had a part-time IT consultant. No MFA on their email. Backups existed but had not been tested in over a year.
Monday morning, every file on the network was encrypted. Their accounting system, their customer database, their working files, their email, all gone behind a ransom note demanding $180,000 in Bitcoin.
Here’s what happened in the next week:
- They couldn’t invoice anyone. Accounts receivable ran at zero for the entire week.
- Their phones still worked, but they had no idea which customer had ordered what.
- Their backups, when tested, didn’t restore cleanly. They had backups of the data but not the systems, and rebuilding the systems took eleven days.
- Their cyber insurance had a sub-limit of $25,000 for ransomware. They had bought the policy thinking $1M was the coverage.
- Through a negotiator, they paid a reduced ransom of $90,000 and got a working decryption key on day nine.
- The total cost, including consultants, rebuild, downtime, and the partial ransom, was around $480,000.
They were too small to be in the news. They were not too small to be hit. Their entire year’s profit went to cleaning up a single Monday morning.
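The third bullet above is the one that turned a bad week into eleven days, so here is what “tested” should mean in practice. This is an added example written for this page, not code from the original post. It packages a directory into a tar archive with an embedded SHA-256 manifest, then restores the archive into a scratch directory and checks every file against that manifest. The demo data (a ledger, a customer database, a notes file) is constructed, and the tamper() helper exists only to manufacture the ways a backup quietly fails: a file that was never captured, a file captured but damaged, and an archive truncated on disk.

```python
# Added example (not from the original post): a restore test. make_backup()
# writes a tar archive with an embedded SHA-256 manifest; verify_restore()
# restores it to a scratch dir and checks every file against that manifest.
import hashlib
import io
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
EXTRACT_OPTS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Tar up every file under src_dir and embed {relative_path: sha256}."""
    manifest = {str(p.relative_to(src_dir)): _sha256(p)
                for p in sorted(src_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore archive into a temp dir and compare it with its own manifest.
    A backup that cannot pass this is a hope, not a backup."""
    result = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:*") as tar:
                # Refuse members that would write outside the scratch directory.
                if any(os.path.isabs(m.name) or ".." in Path(m.name).parts
                       for m in tar.getmembers()):
                    raise tarfile.TarError("unsafe member path in archive")
                tar.extractall(dest, **EXTRACT_OPTS)
            manifest = json.loads((dest / MANIFEST_NAME).read_text())
        except (tarfile.TarError, OSError, EOFError, zlib.error, ValueError) as exc:
            return dict(result, error=f"{type(exc).__name__}: {exc}")
        for rel, digest in manifest.items():
            path = dest / rel
            if not path.is_file():
                result["missing"].append(rel)
            elif _sha256(path) != digest:
                result["corrupt"].append(rel)
        result["restored"] = len(manifest) - len(result["missing"]) - len(result["corrupt"])
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result


def tamper(archive: Path, out: Path, drop: str = None, clobber: str = None) -> None:
    """Copy archive to out, omitting member `drop` and zero-filling `clobber`:
    the two quiet failures (never captured; captured but damaged). Demo only."""
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for m in src.getmembers():
            if m.name == drop:
                continue
            payload = io.BytesIO(b"\0" * m.size) if m.name == clobber else src.extractfile(m)
            dst.addfile(m, payload)


def demo() -> dict:
    """Constructed scenario: one good backup and three broken ones, each mapped to its result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "customers.db").write_bytes(os.urandom(4096))
        (src / "notes.txt").write_text("who ordered what\n")
        good, partial, damaged, truncated = (
            Path(tmp, n) for n in ("good.tgz", "partial.tgz", "damaged.tgz", "truncated.tgz"))
        make_backup(src, good)
        tamper(good, partial, drop="customers.db")
        tamper(good, damaged, clobber="accounting/ledger.csv")
        truncated.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        return {name: verify_restore(p) for name, p in
                (("good", good), ("partial", partial),
                 ("damaged", damaged), ("truncated", truncated))}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9} ok={r['ok']} restored={r['restored']} "
              f"missing={r['missing']} corrupt={r['corrupt']} error={r['error']}")
```

Run something like this on a schedule against the real archive and alert on anything other than ok. It still only proves that the data restores; the firm’s other problem, having no way to rebuild the servers the data lived on, needs a system-image or documented-rebuild test of its own.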
The mindset shift
The hardest part of all this isn’t the technical work. The hardest part is the mindset shift, especially for owners who’ve been running their business successfully for years and have never seen a serious incident. The mental model “we’re too small” feels like protective wisdom. It’s actually a kind of optimism.
Replace it with: “We’re an obvious target for automated attacks. The question is whether we’re a soft one.”
That’s the whole reframe. From there, everything else gets easier. Patches matter because they make you less soft. MFA matters because it makes you less soft. Training matters because it makes your people less soft. Backups (tested!) matter because they let you tell the attacker no.
You don’t have to be unattackable. You just have to be harder than the average SMB. And the average is, frankly, embarrassingly low.
Further reading
- From Resolute Security: The Backup You’ve Never Tested Is Not a Backup
- From Resolute Security: The Mythos of Cybersecurity
- From Resolute Security: When Your MSP Says They Handle Security
- Verizon Data Breach Investigations Report
- CISA StopRansomware
- FTC cybersecurity for small business
- Not sure where you stand? Take the free 10-minute cyber readiness assessment.