There's a comforting fiction that persists in cybersecurity: small and medium-sized businesses aren't worth attacking. The reasoning seems logical. Why would sophisticated threat actors waste time on a 50-person company when Fortune 500 enterprises offer bigger payouts?
The 2025 Verizon Data Breach Investigations Report demolished this assumption. SMBs are now targeted nearly four times more frequently than large organizations. Ransomware appeared in 88% of SMB breaches, compared to 39% for larger companies. And the median ransom payment hit $115,000, a number that would be uncomfortable for a large enterprise but potentially business-ending for a company with 100 employees.
The shift didn't happen by accident. Large enterprises invested heavily in layered defenses, segmentation, and incident response capabilities. They increasingly refuse ransom payments; 64% of victims now decline to pay, up from 50% just two years ago. Attackers adapted. They moved downstream to targets with fewer resources and greater desperation.
The Supply Chain Multiplier
The targeting of SMBs isn't just about easier paydays. It's strategic.
The same Verizon report found a 43% surge in incidents where threat actors accessed larger organizations through their smaller business partners. Your 30-person marketing agency becomes the vector for breaching your Fortune 100 client. Your regional logistics provider becomes the entry point to a global supply chain.
This connects to a pattern I've been tracking in my work on third-party data sharing risks: the attack surface isn't your perimeter anymore. It's everyone you're connected to. When Verizon reports that 30% of breaches now involve third parties (doubled from the previous year), that statistic includes thousands of SMBs who never imagined they'd be stepping stones to larger targets.
The economics are brutal but rational. Why spend months probing an enterprise's hardened defenses when you can compromise their accounting firm in days?
Three Layers of Defense That Actually Matter
The typical advice for SMBs (enable two-factor authentication, implement access controls, use a password manager) isn't wrong. But it's incomplete. These are table stakes, the minimum viable security posture. Meeting the current threat landscape requires understanding why these controls matter and where they fail.
Identity verification beyond passwords. Two-factor authentication raises the barrier for unauthorized access, but the implementation details matter more than the checkbox. SMS-based 2FA is better than nothing but vulnerable to SIM swapping. Hardware security keys are stronger but face adoption challenges. The real question isn't whether you have 2FA but whether your implementation actually stops the attacks you're likely to face.
For most SMBs, the credential theft risk is more mundane than sophisticated. Recent analysis found that infostealers harvested 1.8 billion credentials from 5.8 million devices in just the first half of 2025, representing an 800% increase. As I discussed in my recent post on the 149 million exposed credentials, these stolen logins flow into automated attack infrastructure that tests them against every accessible service. MFA breaks that automated pipeline, even if it doesn't stop a determined, targeted attacker.
Access based on necessity, not convenience. The principle of least privilege sounds obvious until you try to implement it. Most SMBs operate with flat permission structures where everyone has access to everything because setting up granular controls was too complicated when the company had five people. That decision compounds badly at scale.
The access control challenge gets harder with modern work patterns. Employees use personal devices. Contractors need temporary access. Business applications integrate with each other through OAuth tokens that persist indefinitely. The attack surface isn't just who has access today; it's everyone who ever had access through every application that ever integrated with your systems.
Credential hygiene as organizational discipline. Password managers solve the mechanical problem of generating and storing unique credentials. But they don't solve the behavioral problem. The employee who pastes customer data into ChatGPT (93% of employees have used unauthorized AI tools according to recent research) is the same employee who reuses passwords or stores them in browser autofill.
The Verizon data shows 33% of SMB breaches involved stolen credentials. This isn't sophisticated hacking. It's credential reuse meeting automated brute forcing. Password managers help, but only if adoption is mandatory rather than optional.
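The "credential reuse meeting automated brute forcing" pattern above, and the automated credential-testing pipeline that MFA is meant to break, can both be seen in authentication logs. The following is an added example (not code from the original post): a simple heuristic over constructed sample log lines that flags a source trying many distinct usernames with a high failure rate, and lists any account that source logged into without MFA. The log format, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (hypothetical format): "timestamp ip user result mfa"
SAMPLE_LOG = """\
2025-07-01T08:00:01 203.0.113.7 alice FAIL no
2025-07-01T08:00:02 203.0.113.7 bob FAIL no
2025-07-01T08:00:02 203.0.113.7 carol FAIL no
2025-07-01T08:00:03 203.0.113.7 dave FAIL no
2025-07-01T08:00:03 203.0.113.7 erin FAIL no
2025-07-01T08:00:04 203.0.113.7 frank OK no
2025-07-01T08:00:05 203.0.113.7 grace FAIL no
2025-07-01T08:00:05 203.0.113.7 heidi FAIL no
2025-07-01T08:01:10 198.51.100.9 alice FAIL no
2025-07-01T08:01:20 198.51.100.9 alice OK yes
"""

def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "OK", "mfa": mfa == "yes"})
    return events

def detect_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing.

    A stuffing source spreads attempts across many accounts (reused, leaked
    credentials) and fails most of the time; an ordinary user retrying one
    account does not trip the distinct-user threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fail_ratio = sum(1 for e in evs if not e["ok"]) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            # A success from a stuffing source that skipped MFA is the pipeline working.
            at_risk = sorted(e["user"] for e in evs if e["ok"] and not e["mfa"])
            flagged[ip] = {"distinct_users": len(users), "fail_ratio": fail_ratio,
                           "accounts_at_risk": at_risk}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The accounts listed under `accounts_at_risk` are the ones to reset and enroll in MFA first; the source itself is a candidate for rate limiting.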
The Hard Truth About SMB Security
The companies most at risk are the ones caught in the middle: too large to ignore security entirely, too small to build the kind of defensive depth that large enterprises deploy. They have enough valuable data and enough upstream connections to be worth attacking, but not enough resources to implement enterprise-grade protection.
This is the structural challenge I see repeatedly. The attacks hitting SMBs aren't more sophisticated than those targeting enterprises. They're the same attacks, applied to targets with fewer defenses. Ransomware-as-a-service platforms democratized offensive capability. A $200 monthly subscription gets you malware that bypasses endpoint detection 66% of the time. The barrier to entry for attackers dropped faster than the barrier for defenders.
The path forward isn't finding magical new defenses. It's rigorous execution of fundamentals: identity verification, access control, credential management. But rigorous execution means treating security as an operational priority rather than an IT afterthought. It means budget allocation, employee training, and leadership attention.
The question for SMB leadership isn't whether they'll be targeted. The data makes that clear. The question is whether they'll still be in business after the attack.