If you run a small or midsize business, you’re not “too small to hack.” In fact, you’re more likely to be targeted precisely because attackers expect you to have fewer defenses, leaner IT teams, and tighter budgets. Recent industry data shows small organizations bear a disproportionate share of ransomware and extortion-style attacks, because criminals go where defenses are thin and payouts are fast. (source: Infosecurity Magazine)
The threat has professionalised
Cybercrime isn’t a lone hacker in a hoodie. It’s an industry. Ransomware gangs run playbooks, help desks, and “affiliate programs.” Verizon’s 2024 Data Breach Investigations Report highlights the shift toward extortion tactics (including ransomware) in nearly a third of breaches, and a typical median loss of about $46,000 per financially motivated incident leveraging ransomware/extortion. For an SME, that single hit can wipe out a quarter or more of annual profits. (source: Verizon)
At the same time, the overall cost and complexity of recovery keeps rising. IBM’s 2024 study pegs the average breach cost at $4.88M across all org sizes (higher in finance), reflecting not just ransoms or downtime but legal, incident response, customer notification, and lost sales. Even if your SME’s numbers are smaller, the cost curve is going the wrong way, and the fallout can be existential. (source: IBM)
“Why would anyone target us?”
Three reasons:
- Automation: Attackers use bots to mass-scan the internet for weakly configured services, unpatched software, or exposed credentials. UK telecom telemetry shows a torrent of automated probing; criminals don’t need to “pick” you, you’re surfaced by a scan. (source: The Guardian)
- Low friction: SMEs often lack multi-factor authentication, email security controls, or routine patching, so initial access is cheap. (source: GOV.UK)
- Leverage: Even a modest ransom (or threat to leak data) can coerce payment because downtime is brutal for a small team.
Your real risk isn’t just “getting hacked”
For UK businesses, a serious incident can trigger data protection obligations and, in bad cases, fines. The UK ICO’s upper limit is £17.5m or 4% of global turnover, whichever is higher (reserved for the worst failures, but a clear reminder that compliance matters). (source: ICO)
And costs aren’t hypothetical. Insurance and market reports show ransomware claims remain financially devastating even as some firms reduce the number of paid claims. In several sectors, ransomware now accounts for the overwhelming majority of incurred cyber losses. (source: Axios)
What attackers actually do
- Phish first: Lure staff to enter credentials or run malware.
- Exploit known flaws: Unpatched VPNs, CMS plugins, or servers.
- Move & monetize: Steal data, encrypt systems, threaten to leak, demand payment.
Why SMEs struggle (and how to turn the tide)
- Limited in-house skills → Use outside help for vulnerability scanning, basic hardening, and incident readiness. (source: NCSC)
- No continuous visibility → Schedule monthly/quarterly vulnerability scans and basic logging/alerting.
- Ad-hoc processes → Adopt baseline frameworks like Cyber Essentials to standardise controls (MFA, patching, backups). (source: NCSC)
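The “basic logging/alerting” item above is the one most SMEs can start on this week, and the automated probing described earlier is exactly what it catches. The following is an added example, not code from the original post: it reads classic syslog-style sshd lines, counts failed password attempts per source address inside a sliding time window, and flags bursts. The log lines are constructed samples using the 203.0.113.0/24 documentation range, the log format and the fixed year used for parsing are assumptions, and the threshold and window are tunable starting points rather than recommended values.

```python
"""Minimal failed-login alerting over sshd auth log lines.

Added example (not from the original post). Assumes classic syslog-format
sshd messages; sample lines are constructed and use the TEST-NET-3
documentation range (203.0.113.0/24), not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog timestamps carry no year, so a fixed year is assumed here.
ASSUMED_YEAR = 2024

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one fast burst (203.0.113.7), one legitimate user who
# mistyped once (203.0.113.50), and one slow, spread-out prober (203.0.113.9).
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:00:03 web01 sshd[1202]: Failed password for invalid user root from 203.0.113.7 port 51236 ssh2
Mar 10 08:00:05 web01 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar 10 08:00:07 web01 sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 10 08:00:09 web01 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51242 ssh2
Mar 10 08:14:00 web01 sshd[1301]: Failed password for alice from 203.0.113.50 port 40000 ssh2
Mar 10 08:14:30 web01 sshd[1302]: Accepted password for alice from 203.0.113.50 port 40000 ssh2
Mar 10 09:30:00 web01 sshd[1401]: Failed password for invalid user guest from 203.0.113.9 port 50000 ssh2
Mar 10 10:30:00 web01 sshd[1402]: Failed password for invalid user guest from 203.0.113.9 port 50002 ssh2
Mar 10 11:30:00 web01 sshd[1403]: Failed password for invalid user guest from 203.0.113.9 port 50004 ssh2
Mar 10 12:30:00 web01 sshd[1404]: Failed password for invalid user guest from 203.0.113.9 port 50006 ssh2
Mar 10 13:30:00 web01 sshd[1405]: Failed password for invalid user guest from 203.0.113.9 port 50008 ssh2
"""


def parse_failed_logins(lines):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Accepted logins and unrelated lines are skipped.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Flag source IPs with at least `threshold` failures inside any
    `window_seconds` span.

    Returns {ip: {"window_start", "window_end", "failures_in_window",
    "usernames"}}. A per-IP sliding window means a burst triggers while the
    same number of failures spread over hours does not; widen the window to
    catch slow probing at the cost of more noise.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried (enumeration hint)
    flagged = {}
    for ts, ip, user in parse_failed_logins(lines):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        # Evict timestamps older than the window relative to this event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {
                "window_start": q[0],
                "window_end": ts,
                "failures_in_window": len(q),
                "usernames": set(users[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {info['failures_in_window']} failed logins between "
              f"{info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}, "
              f"usernames tried: {sorted(info['usernames'])}")
```

Run it against your own auth log (for example `python3 alert.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin`) and wire the output to whatever your team already watches, such as an email or chat webhook. Note that the 5-failures-in-5-minutes burst is caught, while the one-failure-per-hour prober is not unless you widen the window; that trade-off between window size and false positives is the core tuning decision for any threshold-based alert.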
The bottom line
SMEs are targeted because attackers love easy wins. The fastest way to stop being “easy” is to implement a few high-impact controls (see Post #2), run a vulnerability scan, and fix the top risks. It’s not about perfection; it’s about making your business expensive to attack. (source: NCSC)