CyberDefenseMagazine

The SMB Cybersecurity Gap: Why Small Businesses Are The Fastest-Growing Attack Surface


Here is a thought that has stayed with me for years: the businesses most likely to be devastated by a cyberattack are the ones least prepared to survive one.

According to Verizon’s 2023 Data Breach Investigations Report, 46 percent of all reported data breaches involved small and medium-sized businesses. Nearly half. And yet, when I talk to SMB owners across Texas — healthcare practices, law firms, financial advisors, municipal contractors — most of them still operate under the belief that they are too small to be worth targeting. “Who would want to hack us?” is a question I have heard more times than I can count.

The answer, increasingly, is everyone. The threat actor ecosystem has professionalized and scaled. Ransomware-as-a-Service platforms have commoditized attack execution to the point where advanced technical skill is no longer a prerequisite for launching a sophisticated campaign. When even so-called script kiddies can purchase exploit kits for a few hundred dollars and run automated credential-stuffing attacks against thousands of targets simultaneously, the question of “who would bother” becomes irrelevant. Scale is the strategy. SMBs are not targets despite their size – they are targets because of it.

The Supply Chain Realization Nobody Wants to Have

The narrative shift I want the security community to absorb is this: small businesses are no longer incidental victims. They are the deliberate entry point.

Over the past several years, threat actors have recognized that enterprise organizations have invested heavily in perimeter defense, endpoint detection, SOC operations, and compliance frameworks. Breaking through the front door of a well-resourced enterprise is harder and more expensive than it used to be. So attackers went around the building.

The 2020 SolarWinds breach demonstrated at a geopolitical scale what criminal actors already understood at a tactical one: third-party vendors and service providers represent a trusted, lower-resistance path into larger networks. In the SMB context, this plays out every day in less dramatic but equally destructive ways. A regional accounting firm with fifteen employees holds financial credentials for dozens of mid-size corporate clients. A small IT reseller maintains administrative access to dozens of customer environments. A boutique legal practice stores sensitive discovery documents for enterprises involved in active litigation. These organizations sit at the intersection of trust and vulnerability — and sophisticated threat actors know it.

The data backs this up. The Ponemon Institute has reported in multiple studies that roughly half of organizations say they have experienced a data breach caused by a third-party vendor. Many of those vendors are SMBs.

When I work through an incident with a small business client, I am almost never just thinking about that company’s loss. I am thinking about every organization that trusted them with access, credentials, or data.

The Three Real Gaps — And Why “No Budget” Is a Lazy Explanation

I want to push back on the security industry’s tendency to reduce SMB vulnerability to a budget problem. Budget is real, but it is a symptom of something deeper. The organizations I have seen suffer the most damaging incidents were not the ones with the smallest security spend. They were the ones with the widest gaps in people, process, and technology fundamentals.

People — and the absence of security culture. In most SMBs, security is nobody’s job. It is assumed to belong to whoever handles IT, which is often a part-time contractor or a non-technical office manager. There are no security awareness programs, no phishing simulations, no culture of skepticism around unexpected email attachments or login prompts. The IBM Cost of a Data Breach Report 2024 found that the global average cost of a data breach has climbed to $4.88 million, a 10% increase from the previous year and the largest jump since the pandemic. For a 20-person business, a breach of even a fraction of that scale can be financially devastating – potentially even company-ending. Yet the cultural foundation that turns employees into a defensive asset rather than a liability is rarely in place.

Process — specifically, the missing incident response plan. Most SMBs, especially those in non-regulated industries, do not have one. Not an outdated one – none. When an incident happens, the decisions about who to call, what to shut down, whether to pay a ransom, how to notify affected parties, and when to involve law enforcement are made in real time, under duress, by people who have never thought through these scenarios. I have watched otherwise capable business owners completely freeze in the first hours of a ransomware event because there was no framework for what to do next. A documented, tested incident response plan does not require a large budget. It requires discipline and intent — two things that are in shorter supply than money at most organizations.

Technology – the compounding debt of legacy systems and deferred maintenance. Patch management is not a glamorous topic, but unpatched vulnerabilities remain one of the most reliable attack vectors in existence. SMBs frequently run systems years past their end-of-support dates, not out of operational malice but out of inertia. The accounting software that works fine, the medical imaging system that nobody wants to touch, the decade-old firewall that nobody knows how to replace — these are not hypotheticals. These are the environments I work in regularly. Each deferred update is a known vulnerability that an attacker can reliably exploit, often with publicly documented techniques.

The Compliance Illusion

The security framework that has done the most psychological damage to SMB security posture may be compliance itself.

I work across multiple regulated sectors — HIPAA for healthcare, PCI-DSS for businesses that handle card data, the FTC Safeguards Rule for auto dealerships, state-level data protection requirements for legal and financial clients. In each of these environments, I encounter the same fundamental misunderstanding: passing an audit, whether for compliance or insurance purposes, is not the same as being secure. Compliance frameworks are designed around minimum standards and documentation requirements. They are, by nature, backward-looking — designed to verify that certain controls existed at the time of assessment, not that those controls will hold under real-world attack conditions.

A medical practice that completes its annual HIPAA risk assessment and checks every required box has technically satisfied a regulatory obligation. It has not necessarily implemented multi-factor authentication everywhere it is needed, segmented its network to protect sensitive patient data, or trained its staff to recognize phishing attempts targeting healthcare credentials. These gaps are not uncommon — and the false confidence that compliance provides can actively discourage further security investment. “We passed our audit” is a statement I have heard delivered with genuine relief by organizations that I know, from technical assessment, are fundamentally vulnerable.

The compliance checkbox is not security. And the industry needs to say that more clearly, more often, and with more conviction than it currently does.

The Talent Gap and the Insurance Paradox

Two structural forces are converging to make the SMB security problem significantly worse, and neither is receiving adequate attention.

The first is talent. The cybersecurity workforce gap is not a new story—ISC2’s 2024 Cybersecurity Workforce Study estimates that the global economy needs nearly five million additional cybersecurity professionals to adequately secure organizations. What gets less attention is how that shortage is distributed. Enterprise organizations with competitive compensation packages, defined career paths, and established security teams can attract and retain capable professionals. SMBs cannot compete on any of those dimensions. The result is not just that SMBs have fewer security resources — it is that the market has structurally excluded them from accessing the expertise they need to defend themselves. This is an industry failure, not a business failure, and it will require new service and delivery models to correct.

The second force is cyber insurance. In recent years, the insurance market has responded to escalating claims with premium increases and underwriting requirements that were virtually nonexistent five years ago. Carriers now routinely require multi-factor authentication, endpoint detection and response capabilities, backup segregation, and documented security policies as conditions of coverage. These are reasonable requirements. The problem is that many SMBs cannot currently meet them without significant financial investment in both hardware upgrades and the expertise required to implement them. As a result, they are being denied coverage or priced out of the market at precisely the moment their risk exposure is highest. The organizations that most need a financial safety net are the ones least able to qualify for one.

What Needs to Change

Let’s be honest: the SMB security problem will not be solved by telling individual business owners to “do better.” Most are already doing what they can within real operational and financial constraints. What they need is help. The structural change has to come from the security industry itself.

Security vendors need to stop designing products and pricing models for enterprise buyers and then offering SMB editions as an afterthought. The operational realities and budgets of a 30-person organization are fundamentally different from those of a 3,000-person enterprise, and solutions built for one rarely translate effectively to the other—either in function or cost.

Industry groups, ISACs, and professional associations need to invest in SMB-accessible resources with the same seriousness they bring to enterprise programs. Threat intelligence sharing, incident response frameworks, and security awareness materials should not require enterprise membership fees to access.

And the business community itself — chambers of commerce, industry associations, business development organizations — needs to make cybersecurity literacy a standing priority. The conversation about SMB cybersecurity cannot remain confined to security publications. It needs to reach the rooms where business decisions are actually made.

The SMB sector represents the backbone of the American economy. Roughly 99 percent of all U.S. businesses are classified as small or medium-sized. Accepting that they will remain structurally under-protected — and continue to function as the soft underbelly of our digital infrastructure — is not a tenable position for an industry that claims to take security seriously.

I have been across the table from business owners in the hours after a breach, helping them piece together what happened and why, while they face costs and consequences that could have been mitigated with the right preparation. Those experiences have not made me cynical – they have made me certain that the gap is real, the stakes are high, and that our industry has both the capability and the responsibility to do better.

About the Author

Daniel Vega is the CEO of Evolution Technologies, a managed IT services and cybersecurity provider with a focus on the SMB market based in San Antonio, Texas. With over two decades of experience securing regulated businesses across healthcare, legal, financial, and government sectors, he works at the intersection of operational IT and cybersecurity strategy for growing organizations.

Daniel can be reached online at [email protected], on the web at https://ev0-tech.com, or on LinkedIn at https://www.linkedin.com/in/dan-vega-17847613/
