I’m Too Small to be a Cybersecurity Target

We hear this all the time. Why would hackers target a small or medium-sized business (SMB) like mine?  


Cyber attacks are often crimes of opportunity. That’s bad news for SMBs. Many are easy targets because they often lack the preventative and restorative measures of their enterprise counterparts. Bad actors often cast a wide net, looking for soft targets. If you haven’t patched your software, changed default configurations, or trained your employees to counter social engineering attacks, you’re precisely what the bad actors hope to find. You need to identify and address your cyber vulnerabilities and take remedial action to avoid getting caught in the net. Once the attacker identifies and exploits a vulnerability, it’s just a question of whether it’s worth their time to hold you for ransom, defraud you, or simply vandalize you.


#2. You Are Another Company’s Vulnerability

In more sophisticated attacks, criminals look for a path to penetrate larger players, using SMBs as stepping stones. We often see this in supply chain attacks, where a supplier is either deliberately or opportunistically targeted as a path to the larger organization. Seemingly innocent acts such as putting testimonials and client case studies into the public domain can help the bad guys identify your connection to the ultimate target. 

The 2013 Target breach is an older but widely publicized textbook example of leveraging a partner’s weaker security to gain access to a bigger target.

This is also the reason why more and more organizations are demanding evidence of security practices from partners and vendors.

How Real Is The Threat?

This is an important question that should be evaluated in a formal risk assessment, but according to industry reports, cyber attacks are only increasing.

  • In 2021, there were on average 270 attacks per company over the year, an increase of 31% compared with 2020.
  • Successful breaches of organizations through the supply chain increased to 61% in 2021.

More than half of all small businesses suffered a breach within the last year. 

What can you do?

Start with the basics. Ask your IT team or Managed Service Provider (MSP) about your security vulnerabilities and what you already have in place to combat threats. If your MSP lacks depth or can’t provide many details when it comes to security, you should explore other options. Take charge of your cybersecurity health.  

What Else Should SMBs Consider?

First, anticipate that more cyber security regulation is heading your way. As mentioned above, it may be private regulation, as your larger clients implement their own Vendor Vulnerability Management plans to ensure you don’t put them at risk. Have you seen cyber security questionnaires coming your way in RFPs or in the sales process? You will.

Second, if you do business with the government, watch for the regulation to come faster and more formally. The best current example, beyond the familiar HIPAA regulations for healthcare, is the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. This Department of Defense (DoD) security regulation is rolling out now to all DoD prime and subcontractors. With the recent successful breaches on federal agencies, such as the Treasury and Energy Department, regulations are likely to expand quickly beyond the DoD. States will not be far behind. Our guess is CMMC will be a key part of these broader regulations. 

Finally, consider a third-party security assessment. Choose a company that has deep expertise in cyber security and provides full-scale security services. Choosing a company with regulatory foresight will benefit you in the long run as you build your security roadmap.

Stay safe out there. 


Mark Kirstein

Mark, VP of sales for GMI Advisory Services, leads GMI's efforts to help clients plan and implement cyber security plans to protect their company and stakeholders. Mark has a unique combination of technical and business experience, backed up with BSEE and MBA degrees. He has held roles as CEO, sales & marketing, research and computer design for both corporate and startup-level companies. Mark is a Certified Information Systems Security Professional (CISSP).