Why Small Businesses Are Prime Cybercrime Targets

If you run a small or medium-sized business (SMB), you are in no way "too small to be hacked." In fact, you are a more attractive target than you think. According to Verizon's 2025 Data Breach Investigations Report (DBIR), SMBs are targeted around four times as often as large companies. (Verizon)

The attacker's business model: why you are in the crosshairs

Cybercrime is a numbers game. Attackers automate what works (phishing kits, credential stuffing, scanning for unpatched devices) and then aim it at the widest possible set of victims with weak defenses, which is very often SMBs.

  • Cheap, scalable entry points. In 2024-2025, exploitation of software and device vulnerabilities grew to 20 percent of initial access vectors (up 34% year over year), mostly through edge devices and VPN vulnerabilities, systems that many small businesses have not fully secured. The average time required to fix those edge vulnerabilities was 32 days. (Verizon)

  • Human and third-party elements. The "human element" is involved in roughly 60 percent of breaches, and the share of breaches involving a third party doubled from 15 percent to 30 percent, which makes smaller providers an appealing stepping stone toward larger targets. (Verizon)

  • Credentials everywhere. Info-stealer malware logs show that 46 percent of compromised systems holding corporate account passwords were unmanaged devices (BYOD sprawl). That lets criminals walk in without ever having to defeat your controls. (Verizon)

  • Ransomware economics. Ransomware appeared in 44 percent of all breaches and disproportionately affects SMBs: 88% of the SMB breaches analyzed involved a ransomware component. Median ransom payments are declining ($115k), but the frequency still makes it a trap. (Verizon)

The bottom line: attackers don't need to "pick on someone their own size" when automation, weak patching and reused credentials leave the doors open.

Common ways attackers get in (and the evidence)

  1. Stolen or guessable passwords. In basic web-application attacks, roughly 88% involved stolen credentials. MFA bypass techniques (for example, MFA prompt bombing, seen in 14 percent of social engineering incidents) are a rising risk, and password-only defenses fare worse still. (Verizon)

  2. Phishing and BEC (Business Email Compromise). BEC keeps growing: the FBI reported $16 billion in cybercrime losses in 2024, with spoofing/phishing the most frequent complaint and BEC a leading driver of the dollar losses. (Federal Bureau of Investigation)

  3. Unpatched edge/VPN devices. Rapid exploitation of perimeter devices and zero-days has pushed vulnerability exploitation to the top of the initial access vectors. (Verizon)

  4. Partners and vendors. Third-party involvement rose to 30 percent; compromising a smaller vendor is often the fastest way into a larger ecosystem. (Verizon)

  5. AI-scaled social engineering. DBIR partners observed AI-generated text in malicious emails double in two years. Think polished phish and convincing pretexts at scale. (Verizon)

The cost of "we'll secure it later"

Breach costs are high even if you aren't big. IBM's Cost of a Data Breach report pegs the global average at $4.44M and the U.S. average at $10.22M, and organizations that do not use security AI or automation see an average cost of about $5.52M versus $3.62M for those that do. Ransomware/extortion incidents are among the costliest, especially when the attackers are the ones who disclose the breach. (Baker Donelson)

The macro trend isn't in your favor: the FBI's most recent Internet Crime Report shows losses surpassed $16 billion in 2024, up 33 percent year over year. (Federal Bureau of Investigation)

Why SMBs get picked (plain and simple)

  • Low security maturity: fewer staff, processes and tools than large enterprises.

  • Supply chain leverage: one small vendor can open up an entire customer database (third-party breach share at 30 percent and rising). (Verizon)

  • Credential reuse and BYOD sprawl: unmanaged devices plus reused passwords mean persistent access. (Verizon)

  • Patching gaps: edge/VPN vulnerabilities stay exposed long enough for attackers to use them for initial access (20% of initial access vectors). (Verizon)

  • Ransomware ROI: big disruption and quick payouts, even though many victims don't pay. SMBs are hit hardest. (Verizon)

Make yourself a harder target: the SMB security program 80/20

These are high-impact controls you can implement quickly (mapped to the CIS Controls v8 "IG1" fundamentals), with help from CISA.

  1. Turn on MFA everywhere (really).

    • Enforce MFA for VPN, email, admin panels, payroll and cloud applications.

    • Use phishing-resistant methods (FIDO2/passkeys) or number matching, and block MFA fatigue (rate-limit prompts). (CISA)

  2. Patch what faces the internet first.

    • Monitor external assets; patch or mitigate edge and VPN devices within 7 days whenever possible. Watch vendor advisories. (Vulnerability exploitation is 20 percent of initial access; the median fix time for edge vulns was about 32 days, so aim to beat that.) (Verizon)

  3. Backups that actually restore.

    • Follow the 3-2-1 rule (3 copies, 2 media, 1 offline/immutable). Test restores quarterly; isolate backup credentials. (CISA)

  4. Email and identity protection.

    • Deploy modern email security, block look-alike domains, and roll out a password manager. Train staff quarterly with short, role-based modules (focus on BEC/invoice scams and MFA fatigue). (Federal Bureau of Investigation)

  5. Tame devices (including BYOD).

    • Require MDM on every device that accesses corporate data; enable full-disk encryption and deploy EDR. (Remember: 46% of compromised logins came from unmanaged devices.) (Verizon)

  6. Least-privilege and secrets hygiene.

    • Remove standing admin rights, rotate service credentials, scan repos for leaked secrets, and enforce SSO where feasible. (The DBIR warns of leaks that persist for 94 days.) (Verizon)

  7. Vendor risk with teeth.

    • Before granting access, ask vendors about MFA, patching SLAs, logging and incident reporting; limit the scope of their tokens, and review OAuth connections. (Third-party involvement: 30 percent.) (Verizon)

  8. Incident response you can run in your sleep.

    • A one-page contact tree with isolation steps, legal/insurance contacts and how to report to the IC3. Tabletop once a year. (Federal Bureau of Investigation)

  9. Automate your work (carefully).

    • Even basic security automation cuts breach costs (avg $3.62M with extensive use versus $5.52M without). If you use GenAI, put security and access controls in place to stop data leakage. (Baker Donelson)
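As an added example (not from this post, CISA or Verizon), the following Python script shows the "block MFA fatigue" logic behind control 1: it scans constructed MFA push log lines for a burst of prompts to one user inside a short window and flags an approval that follows the burst. The log format, the 3-pushes-in-2-minutes threshold and the field names are assumptions.

```python
"""Detect MFA push-fatigue (prompt bombing) bursts in authentication logs.

Added example for control 1 above. The log format below is constructed,
not a real product's format; the thresholds are illustrative defaults.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines: <timestamp> <user> <event> <result>
SAMPLE_LOG = """\
2025-03-04T09:12:01Z alice mfa_push denied
2025-03-04T09:12:09Z alice mfa_push denied
2025-03-04T09:12:18Z alice mfa_push denied
2025-03-04T09:12:30Z alice mfa_push denied
2025-03-04T09:12:44Z alice mfa_push approved
2025-03-04T09:15:00Z bob mfa_push approved
2025-03-04T11:40:02Z bob mfa_push denied
2025-03-04T11:40:55Z bob mfa_push approved
"""


def parse(log_text):
    """Yield (timestamp, user, result) for each mfa_push line."""
    for line in log_text.splitlines():
        ts, user, event, result = line.split()
        if event == "mfa_push":
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=2)):
    """Return {user: alert} for users receiving >= threshold pushes within window.

    An 'approved' push after the burst began is recorded as approved_after_burst:
    the user likely gave in, so the session should be revoked and the account
    reviewed, not merely rate-limited going forward.
    """
    recent = {}   # user -> deque of push timestamps still inside the window
    alerts = {}   # user -> alert dict (one per user to keep the signal quiet)
    for ts, user, result in parse(log_text):
        pushes = recent.setdefault(user, deque())
        pushes.append(ts)
        while pushes and ts - pushes[0] > window:   # slide the window forward
            pushes.popleft()
        if len(pushes) >= threshold:
            alert = alerts.setdefault(
                user, {"first_seen": pushes[0], "pushes": 0, "approved_after_burst": False})
            alert["pushes"] = max(alert["pushes"], len(pushes))
            if result == "approved":
                alert["approved_after_burst"] = True
    return alerts
```

Bob's two pushes sit hours apart and never cross the threshold, which is the kind of normal activity the window logic is there to ignore.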

30/60/90-day quick plan

  • Next 30 days:

    • Enforce MFA on email/VPN/cloud admin; inventory external assets; take an offline backup and run a restore test; enable device encryption via MDM; publish a one-page IR plan. (CISA)

  • Next 60 days:

    • Patch or replace risky edge devices; roll out a password manager; start quarterly phishing training; lock down vendor access; require SSO for HR/Finance applications. (Verizon)

  • Next 90 days:

    • Deploy EDR; implement least privilege (remove local admin rights); add secrets scanning on repos; run a ransomware tabletop; review your cyber-insurance requirements. (CISA)

Free, trustworthy resources

  • CISA Cyber Guidance for Small Businesses (a step-by-step action guide) and the StopRansomware Guide (prevention and response checklists). (CISA)

  • Verizon DBIR 2025 (SMB Snapshot) for the latest attack patterns against businesses like yours. (Verizon)

  • FBI IC3 for reporting incidents and recovering funds faster. (Federal Bureau of Investigation)

The takeaway

Attackers seek the easiest wins at scale, and right now small companies are the easy wins. Close the obvious holes (MFA, patching, backups, device security, vendor controls), practice your response, and lean on CISA's guidance. Do that and you'll be far less attractive to criminals.
