
There’s a Real Cost to “We’re Too Small to be Attacked”


Small and mid-sized companies, especially government contractors, still cling to one comforting belief: “We’re too small to be worth attacking.” But that’s a myth with a very steep price tag, and reality tells a VERY different story.

In the latest episode of Trust Issues, Brandon and Bruno Lecoq get together for a deep dive into the critical security and compliance gaps plaguing the SMB ecosystem and the easy (but profound) fixes they can adopt!

Here are the takeaways from this episode:

The Attack Volume Nobody Talks About

Across hundreds of small and mid-sized organizations we help secure, one trend is impossible to ignore: Company size has almost no correlation with attack volume. The only thing that does is security hygiene. As Brandon and Bruno share, across their customer base of nearly 500 SMBs, roughly half are targeted by attackers every single year.

This stark number points to one equally stark fact - attackers don’t research companies one by one. Instead, they run automated tools that scan millions of environments simultaneously, looking for the easiest entry point. So, if your defenses are weak, you aren’t ignored. You’re prioritized.

Oops! Hackers Don’t Need to Try Very Hard

When we analyze real attack patterns across SMB environments, two tactics dominate:

  • Password spraying and brute-force login attempts
  • Phishing campaigns designed to steal credentials

When organizations run phishing simulations for the first time, an average of 42% of employees click the malicious link. Remember, for attackers, this is a numbers game. Send enough automated phishing emails and password guesses, and eventually someone opens the door.
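Both tactics above leave a distinctive shape in sign-in logs, and the difference between them is exactly what a defender should alert on: a spray touches many accounts with one or two guesses each, while brute force hammers a single account. The following detector is an added example written for this summary, not code from the episode or from any product; the four-field log format, the sample records, and the thresholds (five distinct accounts, five attempts on one account, a ten-minute window) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). One event per line:
# timestamp, account, source IP, outcome. Real tenant sign-in logs carry many
# more fields, but these four are enough to separate the two tactics.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice@example.test 203.0.113.7 FAILURE
2024-05-01T08:00:03Z bob@example.test 203.0.113.7 FAILURE
2024-05-01T08:00:05Z carol@example.test 203.0.113.7 FAILURE
2024-05-01T08:00:07Z dave@example.test 203.0.113.7 FAILURE
2024-05-01T08:00:09Z erin@example.test 203.0.113.7 FAILURE
2024-05-01T08:00:11Z frank@example.test 203.0.113.7 SUCCESS
2024-05-01T08:10:00Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T08:10:02Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T08:10:04Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T08:10:06Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T08:10:08Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T08:10:10Z alice@example.test 198.51.100.22 FAILURE
2024-05-01T09:00:00Z bob@example.test 192.0.2.5 FAILURE
2024-05-01T09:00:30Z bob@example.test 192.0.2.5 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


def parse_log(text):
    """Parse the constructed line format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group(2),
            "ip": m.group(3),
            "ok": m.group(4) == "SUCCESS",
        })
    return events


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_users=5, brute_attempts=5):
    """Group failures by source IP and slide a time window over them.

    password_spray: failures against >= spray_users distinct accounts in one window
                    (few guesses per account, many accounts).
    brute_force:    >= brute_attempts failures against a single account in one window.
    followed_by_success marks a source that later signed in successfully; that is the
    case needing immediate triage rather than a log note.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = sorted((e for e in evs if not e["ok"]), key=lambda e: e["ts"])
        max_distinct_users, max_single_user = 0, 0
        for i, start in enumerate(failures):
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            max_distinct_users = max(max_distinct_users, len(per_user))
            max_single_user = max(max_single_user, max(per_user.values()))

        kinds = []
        if max_distinct_users >= spray_users:
            kinds.append("password_spray")
        if max_single_user >= brute_attempts:
            kinds.append("brute_force")
        if not kinds:
            continue
        first_failure = failures[0]["ts"]
        findings[ip] = {
            "kinds": kinds,
            "distinct_users": max_distinct_users,
            "max_attempts_one_user": max_single_user,
            "followed_by_success": any(e["ok"] and e["ts"] >= first_failure for e in evs),
        }
    return findings


def run_sample():
    """Run the detector over the constructed log; returns findings keyed by source IP."""
    return detect_credential_attacks(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

On the constructed data, 203.0.113.7 is reported as a spray that ended in a successful sign-in, 198.51.100.22 as brute force against one account, and 192.0.2.5 (one typo, then success) is ignored. Tune the thresholds to your own failure baseline; a low per-account count is the feature that distinguishes a spray from ordinary mistyped passwords, and it is why lockout policies alone do not catch it.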

The MFA Problem You Can No Longer Ignore

If the statistics so far have shocked you, consider this one from a Microsoft security researcher:

Over 40% of Microsoft 365 global admin accounts still don’t use MFA.

Global admin accounts hold the keys to the entire organization. If compromised, attackers can access email, files, users, devices, and data in minutes. From an attacker’s perspective, this is the equivalent of finding a neighborhood where half the homes leave their front doors unlocked - a jackpot!

Security Is Now a Visibility Problem

Brandon and Bruno reveal that one of the most dangerous phrases we hear from SMB leaders is: “We’ve never been attacked.” The truth, however, is simpler and more uncomfortable:

Most organizations lack the visibility to know whether they’ve been attacked.

We’ve seen real incidents where employees unknowingly approved malicious login prompts. From the system’s perspective, everything looked normal until the attacker began accessing data they had never accessed before.

Only advanced detection tools caught the unusual behavior in time. Without them, the breach would have gone unnoticed. Security isn’t just about preventing attacks anymore; it’s about detecting when prevention fails.
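The incident described above is detectable without anything exotic: keep a per-account baseline of which data each account normally touches, then alert when an account starts reading files and folders it has no history with, and attach the sign-in that preceded the first novel access. The script below is an added example written for this summary, not the tooling the episode refers to; the audit record shape, the sample events, and the "two new folders means high severity" threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed audit records (not real data): (timestamp, account, action, target).
# BASELINE covers a quiet training period; RECENT is the window being checked.
BASELINE = [
    ("2024-04-01T09:00:00Z", "alice@example.test", "FileAccessed", "/Sales/Q1-forecast.xlsx"),
    ("2024-04-02T09:05:00Z", "alice@example.test", "FileAccessed", "/Sales/pipeline.xlsx"),
    ("2024-04-03T10:00:00Z", "alice@example.test", "FileAccessed", "/Sales/Q1-forecast.xlsx"),
    ("2024-04-01T11:00:00Z", "bob@example.test", "FileAccessed", "/Finance/payroll.xlsx"),
    ("2024-04-02T11:30:00Z", "bob@example.test", "FileAccessed", "/Finance/bank-details.xlsx"),
]
RECENT = [
    ("2024-05-01T08:00:11Z", "alice@example.test", "UserLoggedIn", "mfa_approved"),
    ("2024-05-01T08:02:00Z", "alice@example.test", "FileAccessed", "/Sales/pipeline.xlsx"),
    ("2024-05-01T08:03:00Z", "alice@example.test", "FileAccessed", "/Finance/payroll.xlsx"),
    ("2024-05-01T08:03:30Z", "alice@example.test", "FileAccessed", "/HR/employee-ssn.csv"),
    ("2024-05-01T08:04:00Z", "alice@example.test", "FileAccessed", "/Finance/bank-details.xlsx"),
    ("2024-05-01T09:00:00Z", "bob@example.test", "FileAccessed", "/Finance/payroll.xlsx"),
]


def top_folder(path):
    """'/Finance/payroll.xlsx' -> 'Finance'; used as the coarse unit of 'new territory'."""
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""


def build_baseline(events):
    """Per account: the set of files and the set of top-level folders seen in training."""
    files, folders = defaultdict(set), defaultdict(set)
    for _ts, user, action, target in events:
        if action == "FileAccessed":
            files[user].add(target)
            folders[user].add(top_folder(target))
    return files, folders


def find_novel_access(recent, baseline_files, baseline_folders, novel_folder_threshold=2):
    """Flag accounts that touch data they never touched during the baseline.

    Severity is 'high' when the account enters >= novel_folder_threshold folders it
    has no history with, 'medium' for any novel file. Each alert records the sign-in
    that preceded the first novel access, because an approved MFA prompt the user did
    not initiate is how this pattern usually begins.
    """
    novel_files, novel_folders = defaultdict(list), defaultdict(set)
    last_login, preceding_login = {}, {}
    for ts, user, action, target in recent:
        if action == "UserLoggedIn":
            last_login[user] = (ts, target)
            continue
        if action != "FileAccessed":
            continue
        if target in baseline_files.get(user, set()):
            continue
        if user not in preceding_login:
            preceding_login[user] = last_login.get(user)
        novel_files[user].append(target)
        folder = top_folder(target)
        if folder not in baseline_folders.get(user, set()):
            novel_folders[user].add(folder)

    alerts = {}
    for user, files in novel_files.items():
        folders = sorted(novel_folders[user])
        alerts[user] = {
            "severity": "high" if len(folders) >= novel_folder_threshold else "medium",
            "novel_files": files,
            "novel_folders": folders,
            "preceding_login": preceding_login.get(user),
        }
    return alerts


def run_sample():
    """Build the baseline from BASELINE and check RECENT against it."""
    files, folders = build_baseline(BASELINE)
    return find_novel_access(RECENT, files, folders)


if __name__ == "__main__":
    for user, alert in run_sample().items():
        print(user, alert)
```

On the constructed data, alice's account is raised as high severity: three files it never read before, spanning two folders outside its history, minutes after an MFA-approved sign-in. Bob reading payroll raises nothing, because that is his normal work. The point is that a compromised account with valid credentials and an approved prompt looks "normal" to every preventive control; only a behavioural baseline like this one sees the change.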

Why Attackers Move On (And Why That Matters)

Here’s the good news: most attackers aren’t determined to break into your company specifically. They’re just looking for the easiest target. The fix? Enough security to become a harder target than the next company.

Basic protections like MFA, device management, phishing protection, and monitoring stop the vast majority of automated attacks. When attackers encounter resistance, they move on.

The Real Risk of Doing Nothing

The biggest misconception about SMB cybersecurity isn’t that attacks don’t happen. It’s that breaches require sophisticated adversaries. In reality, most successful breaches start with:

  • A guessed password
  • A clicked phishing link
  • An approved MFA prompt

And with AI now accelerating phishing and impersonation attacks (including deepfake video scams capable of convincing employees to wire millions of dollars), the barrier to entry for cybercrime is only getting lower. The threat landscape has officially been democratized.

The New Definition of “Secure Enough”

For SMBs, cybersecurity isn’t about becoming unhackable. It’s about becoming unappealing to hackers. Because in today’s automated threat landscape, being “slightly harder to breach” than your peers can make all the difference. And the organizations that still believe they’re too small to be targeted?

They’re often the easiest doors to open. Don’t be them.

Frequently Asked Questions:

1. Are small businesses really targeted by cyberattacks?

Yes, small and medium-sized businesses are frequently targeted by cyberattacks. In fact, many attackers specifically focus on SMBs because they often have fewer security resources and weaker defenses compared to large enterprises. Most attacks today are automated, scanning thousands or even millions of companies at once for common vulnerabilities like weak passwords or misconfigured systems. This means any business connected to the internet is a potential target. Assuming your company is too small to be attacked can create a false sense of security and leave critical gaps unaddressed.

2. Is multi-factor authentication enough to stop cyberattacks?

Multi-factor authentication is one of the most effective ways to prevent unauthorized access, but it is not enough on its own to stop all cyberattacks. While MFA significantly reduces the risk of account compromise, attackers continue to evolve their tactics, including phishing campaigns that attempt to bypass MFA. To build a strong security posture, organizations must combine MFA with additional controls such as continuous monitoring, employee security awareness training, endpoint protection, and proper device management. A layered security approach is essential for reducing overall risk.

3. If we have never experienced a data breach, does that mean we are secure?

Not necessarily. The absence of a known breach does not mean your organization is secure. Many companies lack the visibility and monitoring capabilities needed to detect suspicious activity or attempted intrusions. Cyber threats can go unnoticed for long periods of time, especially without proper logging and alerting in place. In today’s threat landscape, it is critical to take a proactive approach to cybersecurity rather than relying on past experience. Being prepared and implementing preventative measures is far more effective than reacting after a breach occurs.

4. What is the most common way cyber attackers gain access?

Phishing and password-related attacks remain the most common entry points for cybercriminals. Phishing emails are designed to trick users into clicking malicious links, downloading harmful files, or providing login credentials. Once attackers obtain valid credentials, they can access systems without triggering traditional security alerts. Weak or reused passwords also make it easier for attackers to gain entry through automated guessing attacks. Strengthening identity security through user education, strong password policies, and multi-factor authentication is critical to reducing these risks.

5. Do small businesses need enterprise-level cybersecurity tools?

Small businesses do not necessarily need the complexity of enterprise-level cybersecurity tools, but they do need modern, effective security solutions. The goal is not to replicate large enterprise environments, but to implement the right level of protection based on risk. Today’s cloud-based and automated security tools are designed to be scalable and accessible for SMBs, providing strong protection without excessive overhead. Investing in the right tools, properly configured and managed, can significantly improve security without overwhelming internal teams.

6. What is the fastest way to reduce cyber risk for a small business?

The fastest way to reduce cyber risk is to focus on a few high-impact security controls that address the most common attack vectors. This includes enforcing multi-factor authentication across all users, implementing phishing protection and user training, securing and managing devices through endpoint management solutions, and enabling continuous monitoring to detect suspicious activity. These foundational steps provide immediate risk reduction and create a strong baseline for building a more mature cybersecurity program over time.
