Why no small business is too small for hackers – and 8 security best practices for SMBs

I have given hundreds of cybersecurity-related webcasts and presentations, written hundreds of cybersecurity-related articles, and been involved in hundreds of one-on-one cybersecurity-related meetings with clients.
Someone will always respond, comment, or protest that their business is too small for a hacker’s attention.
Small target illusion
But none of these folks understand the economics of a hack when it comes to small businesses. There isn’t a random guy out there who’s decided to target your business.
AT&T assistant vice president of technology, Senthil Ramakrishnan, called this issue a “small target illusion.” He told ZDNET: “Half or more of all cyberattacks target small and mid-market businesses, yet most SMBs still don’t have adequate cybersecurity measures in place. Historically, most SMBs have believed what I call a ‘small target illusion,’ or that they are too small of a target for cyberattacks. This illusion creates a false sense of security, leaving them exposed to hackers who see SMBs as easier entry points with weaker defenses.”
Also: These 10 weak passwords can leave you vulnerable to remote desktop attacks
When it comes to cyberattacks against small businesses, it’s true that it’s very rare for any given attack to be aimed at one particular small business. Targeting does happen occasionally, particularly when the small business is a gateway to a larger opportunity. In 2013, attackers phished Fazio Mechanical Services, a small Pennsylvania HVAC contractor, and used the credentials it held for Target’s vendor portal to get inside the retailer’s network. From there they reached Target’s point-of-sale systems and took roughly 40 million payment-card records plus personal data on about 70 million more customers, the 110 million figure usually quoted for that breach.
But, as I said, that sort of directed attack at a small business is fairly rare in the overall scheme of things. Instead, hacking small businesses is a numbers game, where each small business successfully hacked contributes a tiny bit to the overall take of a hack attack. Keep in mind that small dollar amounts can add up. The Coca-Cola Company doesn’t make huge amounts of money from each can of Coke sold, but the sales add up to an annual revenue stream of many billions of dollars.
Also: Hackers stole this engineer’s 1Password database. Could it happen to you?
Getting malware onto small-business machines, recruiting them into a botnet, or siphoning off credit card or banking details all adds up. Even if only one in 10,000 small businesses falls prey, when hackers can push the same lure to millions of potential targets for very little money, the cumulative profit for a given attacker can be substantial.
To be clear, the size of your business isn’t particularly relevant to bulk attacks. What matters is that you are one of many businesses that can be reached by scanning randomly generated IP addresses, harvesting email addresses, or some other automated process, which makes it very, very cost-effective for an attacker to deliver a piece of malware that opens up computers in your business for opportunistic activity.
Let’s focus on this “numbers game” idea. In the past, many businesses used direct mail as a marketing technique. It was fairly expensive to send out all those pieces of physical mail through the post office, but good marketers knew it would be well worth the expense if they could get 1% to 2% of the recipients to respond.
That 1% to 2% could make a mailing extremely profitable. I used those direct mail techniques to start my first software company. I managed to drive the company’s revenues (pre-internet) strictly due to that 1% to 2% direct mail response. I just had to find the right list. I visited the post office daily, picked up the envelopes containing checks and order forms, and sent out little floppy disks.
Also: How AI agents help hackers steal your confidential data – and what to do about it
Email doesn’t cost anywhere near the amount of a direct mail piece. A direct mail piece could cost 50 cents to a buck per target once printing cost, postage, and processing were factored in. Email, on the other hand, costs virtually nothing. As a result, you can email many more pieces, have a much lower response percentage, and still have a much greater chance of profit.
Many businesses still use email for direct marketing. The technique is still a perfectly viable and legitimate use of email. However, hackers also use email for direct distribution of malware. Remember, it’s a numbers game, not a case of individual targeting.
How hackers exploit small businesses
Malware can be distributed to your business in many ways that don’t involve targeting. For example, you could visit a compromised website. If your browser, its plugins, or the operating system underneath them are unpatched, simply landing on that page can trigger a drive-by download that installs malware without a single click. To be clear, this could happen on any website. We’re constantly reporting on hackers compromising legitimate web infrastructure, which then infects the site’s visitors.
You could be the victim of a phishing attack, where a message is sent to you or to someone in your company. Clicking the wrong link or opening the wrong attachment is enough to bring the malware onto your network.
Also: How a researcher with no malware-coding skills tricked AI into creating Chrome infostealers
Or a piece of software you download might contain malware through no fault of your own, because the developer you downloaded it from was compromised and, from that point onward, everything they distributed carried the malware. This is a software supply-chain attack, and it reaches every customer of that vendor at once.
So, as you can see, many of these methods have nothing to do with any direct attack on you. But there are many ways you can be caught in the net.
Attackers — who could be affiliated with organized crime groups, individual hackers, or even teams funded by nation-states — often use pre-built hacking tools they can deploy without a tremendous amount of research and development. For hackers, this tactic is roughly the equivalent of downloading an app from an app store, although the hacking tools are usually purchased or downloaded from hacker-oriented websites and hidden forums (what some folks call “the dark web”).
Attackers can also rent an existing botnet to spread their malware, or buy installs on machines that are already infected, and then scoop up whatever valuable information turns up. The underground markets sell this as malware-as-a-service or pay-per-install.
Also: How AI will transform cybersecurity in 2025 – and supercharge cybercrime
Fundamentally, we’re not looking at a “one bad guy against one small business” situation. Instead, opportunistic bad actors are casting a wide net. If you happen to swim into that net, you get caught.
That’s why you need to ensure you follow good computer security hygiene. Make sure you’re not caught in that net, along with thousands or hundreds of thousands of other little fish, such as individuals and businesses who are online.
How to protect your small business
So what do you do about the threat? AT&T’s Ramakrishnan said one big challenge facing SMBs is knowing where to start.
“Many SMB owners assume cybersecurity is too costly or too complex and think they don’t have the IT knowledge or resources to set up reliable security. Few realize that they could set up security in a half hour. Moreover, the lack of dedicated cyber staff further complicates the situation for SMBs, making it even more daunting to implement and manage effective security measures.”
As it turns out, there are best practices to lower your vulnerability to malware. Here’s a lightning round of eight such practices:
- Keep your systems updated: Software vendors regularly patch their systems to reduce vulnerabilities, but hackers are counting on the old vulnerabilities that are still out there.
- Ensure your email service uses malware filtering: The big hosted services, such as Microsoft 365 and Google Workspace, filter malware and phishing by default. If you run your own mail server, make sure anti-malware and spam filtering sit in the delivery path.
- Limit admin privileges: It’s often easiest to make every computer user an admin of their own machine, but that’s essentially letting all the players be in god mode. Instead, give users standard accounts so they can’t install something bad by accident, and so that malware running as that user can’t take over the whole machine.
- Use endpoint security and firewalls: This is part of what the AT&T expert is pitching. Use firewalls and routers with intrusion mitigation tools to help block malware.
- Limit downloads and software installations: You can set policies on some networks to limit employees’ ability to download software. Ensure your users are careful and avoid doing things that set their Spidey senses tingling.
- Use that Spidey sense: When online, keep your situational awareness high. You won’t get texts from major software vendors asking you to click and log in to your admin account. Don’t open attachments you weren’t expecting, don’t click links from unknown senders, and inspect the URL (hover on a desktop, long-press on a phone) before following it, looking for a brand name buried in a domain that isn’t that brand’s. Be aware and take care.
- Back up regularly: One of the best ways to protect yourself from ransomware is to have up-to-date and recoverable backups. Keep at least one copy offline or otherwise unreachable from your network, so ransomware can’t encrypt the backup along with the originals, and test restores regularly to ensure they actually work.
- Use multi-factor authentication or passkeys: Hackers can easily get through a simple username and password combination, which is a single factor (something you know). Add a second factor (something you have or something you are) to block remote logins with a stolen password. Also consider moving to passkeys, which are bound to the site’s real domain and so resist phishing outright.
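The “inspect the URL” habit above is worth making concrete. The script below is an added example, not code from the article or from AT&T; it encodes the checks a security engineer runs in their head when a link looks off: a username before “@” that hides the real host, a bare IP address, plain http, punycode labels, a deep subdomain chain, and a trusted brand name that appears in the hostname while the registrable domain belongs to someone else, including digit-for-letter and “rn”-for-“m” look-alikes. The brand list, the homoglyph table, and the URLs in the `__main__` block are constructed for illustration; the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Heuristic link triage: flag URLs a small-business user should not click.

Added example, not from the article.  A non-empty result means "look closer",
not "malicious"; an empty result means "nothing obvious", not "safe".
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption (constructed): brand names this business expects links from,
# mapped to the registrable domains that brand legitimately uses.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}

# Constructed table of common digit-for-letter swaps seen in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def _registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Production code should consult the Public Suffix List (think co.uk);
    two labels are enough for the .com brands in this example.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _normalise(label: str) -> str:
    """Undo the usual look-alike tricks so 'paypa1' and 'rnicrosoft' compare equal to the brand."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def inspect_url(url: str) -> list[str]:
    """Return human-readable warnings for one URL (empty list = nothing seen)."""
    warnings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        warnings.append("plain http: no TLS and no certificate tying the site to a name")

    if parts.username is not None:
        # https://microsoft.com@evil.example/ : everything before '@' is userinfo,
        # the browser connects to the host after it.
        warnings.append(f"text before '@' is a username; the real host is {host!r}")

    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass

    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode (xn--) label: may render as look-alike Unicode")
    if len(labels) > 4:
        warnings.append("deep subdomain chain")

    reg = _registrable(host)
    norm_labels = {_normalise(label) for label in labels}
    for brand, legit_domains in TRUSTED_BRANDS.items():
        if reg in legit_domains:
            continue  # genuinely the brand's own domain
        if brand in host:
            warnings.append(f"'{brand}' appears in the hostname but the site is actually {reg!r}")
        elif brand in norm_labels:
            warnings.append(f"look-alike of '{brand}' in the hostname ({reg!r})")
    return warnings


def is_suspicious(url: str) -> bool:
    """True when at least one heuristic fired."""
    return bool(inspect_url(url))


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in SMB inboxes.
    for sample in (
        "https://login.microsoftonline.com/",
        "https://microsoft.com@evil.example/login",
        "https://secure.paypa1.com/",
        "https://microsoft.com.account-verify.xyz/",
        "http://203.0.113.7/update.exe",
    ):
        print(sample, "->", inspect_url(sample) or "no flags")
```

The brand table is the part to tailor: add the domains your own vendors, bank, and payroll provider really use, and anything that mentions those names from some other registrable domain is exactly the “numbers game” lure the article describes.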
What about anti-malware software? There was a time when antivirus software was a must-buy for all computer users. But according to Ed Bott, ZDNET’s guru on all things PC, antivirus software is so 1999. Today, the operating systems and major app stores we use do a fairly good job of malware protection: Windows ships with Microsoft Defender, macOS with XProtect and Gatekeeper, and both are refreshed along with system updates. That’s why doing your updates is so important.
Ed advises against buying third-party antivirus software. In June 2024, the US Commerce Department banned the sale of Kaspersky products in the US, one of the most widely deployed antivirus tools ever.
I’ll leave you with another thought by AT&T’s cybersecurity expert Ramakrishnan: “Don’t rely on cyber insurance as your only plan. We see many businesses trying to solve security gaps by buying insurance, but insurance doesn’t prevent an attack. If you don’t know your risk posture, you won’t know how to defend against threats effectively.”
What do you think? Have you ever considered whether your small business might be a target for hackers? Have you taken any cybersecurity measures to protect your company? Do you feel overwhelmed by the process? Have you, or has someone you know, ever been impacted by a cyberattack? What steps are most important for small businesses to take to reduce risk? Let us know in the comments below.
You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter, and follow me on Twitter/X at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, on Bluesky at @DavidGewirtz.com, and on YouTube at YouTube.com/DavidGewirtzTV.