There’s a comforting myth among small business owners: attackers go after the big fish. Why would a Russian ransomware crew bother with a 14-person dental practice in Ohio? The honest answer is that they don’t have to choose. Modern attacks are largely automated, opportunistic, and cheap to scale. Small companies aren’t ignored; they’re the bulk of the volume, precisely because they have the weakest defenses and the most asymmetric pressure to pay.
The same dynamic applies to lawsuits, supplier squeezes, and regulatory exposure. Being small isn’t camouflage. It’s a target profile.
Automation flipped the threat model
A decade ago, a hacker had to choose targets. Today, scanning tools probe every IP on the internet continuously, looking for unpatched servers, exposed remote desktop, weak credentials, and known vulnerabilities. When something pops, the attacker either exploits it themselves or sells access to whoever wants it. A 20-person company running an unpatched firewall is found within hours of going online. There’s no obscurity discount. Worse, small companies often lack the in-house expertise to even know they’ve been compromised, meaning attackers can dwell, exfiltrate data, and time their ransomware deployment for maximum leverage, often during payroll week or before a major project deadline.
Legal and supplier asymmetries
Cyber isn’t the only front. Larger companies routinely use legal pressure as a negotiation tool against smaller ones, knowing the smaller firm can’t afford a protracted fight. A nuisance lawsuit that would be a footnote at a Fortune 500 can sink a 30-person business through legal fees alone. Suppliers play similar games: payment terms stretching from 30 to 90 days, contract clauses that only matter when invoked, MOQ changes that force inventory commitments. None of this is unique to small business, but small businesses lack the bench depth to push back. Every fight pulls the owner away from the actual work, which is itself a tax larger competitors don’t pay.
What actually helps
Pretending you’re invisible doesn’t work. The cheapest meaningful defenses against the cyber piece are unglamorous: enforced multi-factor authentication everywhere, current backups stored offline, a managed endpoint product, and a written incident plan. None of that is exotic, but most small firms still don’t have all four. On the legal side, a relationship with a competent business attorney before you need one is worth more than any insurance product. On suppliers, written contracts with explicit terms beat handshake deals every time, even with people you trust. The pattern across all three: small firms underinvest in defensive infrastructure because the threats feel hypothetical until they aren’t.
The bottom line
Small businesses run on owner attention and thin margins, which is exactly why they’re attractive targets, and exactly why they can’t afford to be complacent. The bad actors, whether criminal, corporate, or institutional, have done the math on you even if you haven’t done it on them. The remedy isn’t paranoia. It’s accepting that being small offers no protection, and budgeting modestly but seriously for the defenses that close the easiest doors.