A lot of small business owners still think hackers are mostly chasing hospitals, banks, government agencies, and Fortune 500 companies. Those targets do get attacked, but they are not the only ones.
Small businesses are attractive because the math works. They often have valuable data, online banking access, Microsoft 365 accounts, remote access tools, customer records, vendor relationships, and insurance policies. At the same time, many do not have full-time security staff, documented response plans, tested backups, or 24/7 monitoring.
That combination creates a simple business model for criminals: automate the attack, hit a lot of smaller targets, and collect from the ones that are unprepared.
The Numbers Are Bad Enough Without Exaggerating
One recent Guardz survey of 800 U.S.-based small and midsize business (SMB) owners found that 43% had already experienced a cyberattack, including 27% in the previous 12 months. The same report found that 52% of SMBs still rely on an untrained internal employee or the business owner to manage critical security functions, and only 34% have a formal incident response or continuity plan developed with a cybersecurity professional (Guardz via PR Newswire).
Other industry summaries put the SMB attack rate closer to 49% and estimate average breach losses around $254,000 (TotalAssure). The exact figure varies by survey, country, company size, and what counts as an “attack.” But the direction is consistent: this is not rare anymore.
There is also a widely repeated claim that 60% of small businesses close within six months of a cyberattack. That number is powerful, but it has sourcing problems. BankInfoSecurity traced the claim and reported that the National Cybersecurity Alliance said the original source could not be confirmed and recommended that media and policymakers stop using it as a hard fact (BankInfoSecurity).
That does not mean cyberattacks are harmless. It means business owners deserve honest numbers. The real risk is not that every cyber incident destroys a company. The real risk is that one preventable incident can create a pile of costs, downtime, lost trust, insurance problems, and emergency decisions all at once.
Why Criminals Like Small Targets
Attackers do not need every target to pay. They only need enough of their targets to be easy.
Small businesses are often easier because they tend to have:
- Fewer dedicated IT and cybersecurity staff
- Less formal security documentation
- Older servers, firewalls, and line-of-business applications
- Remote access tools that were added quickly and never reviewed
- Employees who share roles and wear multiple hats
- Owners or managers approving financial transactions from email
- Backups that run, but are not regularly tested
- Cyber insurance applications that may not match the real environment
That is not a criticism of small business. It is the reality of running lean. A 30-person manufacturer, contractor, CPA firm, nonprofit, or professional office cannot staff security like a national bank.
Attackers know that. They also know that small businesses often have enough money, data, and operational urgency to make extortion worthwhile.
The Cost Is Not Just The Ransom
When people hear “ransomware,” they often think only about the ransom demand. That is too narrow.
The actual cost of a cyber incident can include:
- Emergency IT labor
- Forensic investigation
- Legal and compliance review
- Data restoration
- New hardware or software
- Lost productivity
- Missed orders or delayed jobs
- Customer notification
- Reputation damage
- Cyber insurance deductibles
- Higher insurance premiums at renewal
- Extra controls required after the incident
IBM's 2025 Cost of a Data Breach Report put the global average breach cost at $4.4 million across surveyed organizations. That number is not a small-business average, but it shows why breach recovery is a business problem, not just an IT cleanup task (IBM).
For a local business, the more practical question is smaller and more immediate: what would happen if email, accounting, quoting, scheduling, phones, files, or production systems were down for two business days?
That is where the math gets real.
The Attack Path Is Usually Boring
Most small business breaches do not start like a movie. They start with ordinary weaknesses.
A user clicks a convincing link. A password gets reused. A remote access tool is exposed. A firewall is behind on firmware. An old server is still running because one application depends on it. A vendor account has too much access. A backup has never been restored in a real test.
Verizon's 2026 Data Breach Investigations Report found that vulnerability exploitation became the top breach entry point, accounting for 31% of breaches, and that third-party involvement in breaches rose 60%, to 48% of all breaches. Verizon also highlighted rising mobile social engineering and shadow Artificial Intelligence (AI) use as expanding business risks (Verizon).
For small businesses, that means the basics still matter:
- Patch the systems attackers can reach
- Enforce Multi-Factor Authentication (MFA)
- Remove unnecessary remote access
- Lock down administrator accounts
- Monitor endpoints
- Filter email and web threats
- Test backups
- Train users on current attack methods
- Review vendor access
- Have an incident response plan before something happens
These are not glamorous controls. They are the difference between a blocked attempt and a business interruption.
Managed Security Changes The Odds
Some industry summaries frame the resilience gap in dramatic terms, such as managed security improving survival rates from 35% to 89% or higher (TotalAssure). That should not be treated as a guarantee. No security provider can promise that a business will avoid every attack or survive every incident.
But the underlying point is valid: preparation changes outcomes.
The Guardz survey found that 80% of SMBs with a formal incident response plan avoided major damage during an attack. It also found that many SMBs are turning to Managed Service Providers (MSPs) because of fear of cyberattacks, responsibility to customers, compliance needs, insurance pressure, and the need for specialized expertise (Guardz via PR Newswire).
That is the honest value proposition. Managed security does not make a business invincible. It gives the business better visibility, faster response, stronger controls, cleaner documentation, and a much better chance of containing a problem before it becomes a crisis.
What A Practical Security Baseline Looks Like
A small business does not need an enterprise security department to be much harder to attack. It needs a baseline that is actually enforced.
A practical baseline should include:
- MFA everywhere important: email, remote access, administrator accounts, financial systems, and cloud platforms.
- Endpoint Detection and Response (EDR): not just antivirus, but monitored detection and isolation capability.
- Security Operations Center (SOC) monitoring: alerts reviewed by people who know what to do with them.
- Email protection: filtering, phishing protection, impersonation detection, and user reporting.
- Patch management: regular operating system, application, firewall, and firmware updates.
- Backups with restore testing: including protection against ransomware reaching the backup set.
- Least privilege access: users get what they need, not local admin rights by default.
- Vendor access review: third parties should use controlled, logged, and MFA-protected access.
- Incident response planning: roles, contacts, insurance information, escalation steps, and recovery priorities.
- Cyber insurance readiness: application answers should match the real environment.
This is not about buying every tool on the market. It is about closing the gaps attackers use most often.
The Math Favors Prepared Businesses
Hackers prefer small businesses because many are valuable enough to extort and underprepared enough to compromise. That is the math.
The good news is that the defensive math works too. A business with MFA, monitored endpoint protection, tested backups, documented response steps, and a competent security partner is much harder to profit from. The attack may still happen, but the outcome is often very different.
Collett Systems helps small businesses put those controls in place without turning security into a full-time job for the owner. If you want to know where your business stands, start with our managed IT and security services, or contact us to schedule a practical cybersecurity review.