When it Comes to Picking Targets, Hackers Don’t Care About Size

hackers, small business cybersecurity

As a small business, it’s easy to think that malicious cyber actors only want to target the largest companies. After all, those are the ones who have the most data and sensitive assets. At the same time, those companies also have the highest security budget, making attacks against them time-consuming and resource-intensive. Meanwhile, attacks against small businesses are not only easier – they can be just as profitable.

In mid-May, Illinois’ Lincoln College announced that it was closing its doors because a ransomware attack from December 2021 exacerbated the financial issues arising from lowered enrollment caused by the pandemic. From a broader perspective, this story is increasingly common: according to a recent report, small businesses are 350% more likely to be targeted by cyber actors than large organizations. Furthermore, 61% of all small-to-medium-sized businesses (SMBs) experienced a cyberattack between 2020 and 2021, according to a Ponemon Institute report.

With the news cycle constantly reporting large cyberattacks against Fortune 500 organizations, SMBs can feel a false sense of security. The reality is that cyber actors are equal opportunists who will take advantage of any organization – no matter its size.

What do Cyber Actors Want?

Most cyber actors have predictable objectives that can fall into a few basic categories. Typically, they’re motivated either by money or politics. Depending on your business’s industry vertical, you present a valuable target under one or both of those categories.


The quickest way to profit from a cyberattack is a ransomware payment. All businesses have money, and thanks to Ransomware-as-a-Service (RaaS), cyber actors don’t need to be sophisticated to deploy an attack. With ransomware frequency surging, everyone is threatened.

Personally Identifiable Information (PII)

Cyber actors target PII either as part of a double-extortion ransomware attack or to sell on the dark web. In a normal ransomware attack, they force victims to pay a ransom in order to decrypt their files; in a double extortion attack, they also pressure victims to pay an additional fee to avoid making stolen PII public. In either case, all small businesses store PII on their customers, employees, and clients which makes them an attack target.

Credentials and Access

Attackers will often target one organization in order to access another. Most businesses work with other businesses and vendors and may possess information, credentials, software, or networked connections that cyber actors can use to move between targets. This is the mechanism behind software supply chain attacks like the SolarWinds hack.

Intellectual Property (IP) and Trade Secrets

Competitors often target IP and trade secrets as a way to get ahead without doing the work themselves. Whether you’re a small business or not, if your IP gives you a competitive edge, foreign companies will know and cyber actors will target you to make a profit in their own country.

Classified Information

Disrupting critical infrastructure and gaining access to classified information is high on the priority list for nation-state actors engaging in espionage and terrorism. Small government contractors may have valuable contract information that falls under a controlled unclassified information (CUI) designation, while cleared organizations may have classified information.

An Easy Target

Many attackers prefer to target small businesses because they lack the resources that larger companies have. Research notes that 47% of businesses with 50 employees or less do not have a dedicated cybersecurity budget. Further, not every business has a dedicated cyber security staff due to the shortage, cost, and high turnover of cybersecurity talent.

Adding to these challenges, many SMBs also struggle with legacy technologies. Purchasing new hardware is expensive, and many companies lack the budget to pay for the newest, most up-to-date IT infrastructure. Further, the move to remote work coupled with the increased adoption of cloud technologies complicates things further. Remote employees who may lack the needed cybersecurity awareness are often vulnerable to phishing attacks.

If you’re looking at it from a cost-benefit analysis, cyber actors need to expend less effort to get as much, if not more, information and money from multiple small businesses than one large organization.

How to Harden Your Small Business

The good news is that even as a small business, there are many ways to insulate yourself against cyberattacks and find cybersecurity experts to help you guard your sensitive assets.

Cyber training

According to Deloitte, more than 90% of all cyberattacks begin with a phishing email. The first step to protecting yourself is providing your employees with cyber awareness training so that they can recognize phishing and social engineering attacks. This will go a long way to protect your organization.

Incident response/Disaster Continuity plan

Alexander Graham Bell once said, “before anything else, preparation is the key to success.” Knowing what you plan to do before an attack occurs will reduce the impact if you experience one. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Protection of Perimeter

Nearly every company has Internet of Things (IoT) networked devices, and many are vulnerable. From printers to sensors, these devices enable work but create new cybersecurity risks. To protect the perimeter, you should:

      • Adopt a zero-trust policy
      • Place air gaps between devices
      • Move away from open-source protocols
      • Continually update operating systems, software, and firmware

Choose a Cybersecurity Partner

You don’t have to do everything alone. Hiring in-house talent is cost-prohibitive, but with the right outsourced partner you can achieve your security goals and protect your business. Providers, like Securicon, who can provide risk management, and compliance solutions prepare your company for the worst while offering continuous support at a more affordable cost than in-house talent.


Small businesses have a lot of things to worry about, and few have the cyber expertise of a large enterprise. This means many are unable to create the robust security program that they need to survive the current risk landscape. But as cyber actors become more advanced, good cybersecurity can mean the difference between survival and bankruptcy. Fortunately, you don’t have to go it alone.

At Securicon, our seasoned cybersecurity experts work to find vulnerabilities in your IT infrastructure, providing solutions and long-term support. Contact us today for a rapid assessment and learn how we can help your business survive in the midst of an evolving threat landscape.