
Many small businesses still assume their size protects them. A seven‑person accounting firm might reason that they’re nothing like a giant such as PricewaterhouseCoopers—and therefore not worth a hacker’s time. But experts say this mindset is dangerously outdated.
The myth of “too small to target”
“The belief that small businesses are not worth attacking is outdated. Modern attacks are automated and opportunistic. Hackers are not choosing targets based on size. They are looking for exposed access, weak controls, and environments that are easy to compromise,” says Matthew Hightower, CEO of UKON, a cyber‑specialist wholesaler built for the agent and MSP ecosystem.
Hightower stresses that MSPs play a critical role in shifting this mindset.
“MSPs are in the best position to change that outcome. They see the real security posture day-to-day. But protection does not stop with tools alone. It requires coordination. When MSPs work directly with insurance agents early, security controls, policy language, and incident response expectations stay aligned,” Hightower explains.
That alignment, he says, is what keeps small businesses standing after an incident. Not optimism or assumptions, but preparation that holds up when it matters.
Why small businesses are prime targets
According to Joseph Steinberg, a cybersecurity lecturer at Columbia University, small businesses often lack the formal cybersecurity training, automated controls, and fraud‑prevention processes common in larger organizations. This makes them especially vulnerable to social engineering attacks like CEO fraud.
Steinberg also notes that small businesses frequently act as stepping stones to bigger targets.
“Hackers, for example, are believed to have carried out the massive Target breach of 2013 by first breaching a small HVAC contractor doing work for the giant retailer and exploiting that breach to gain entry into Target’s systems,” he says.
He adds that small business owners often feel they have no choice but to pay ransoms, since a ransomware attack can be catastrophic for a small operation.
“Unless they receive relevant information from an MSP, small businesses often lack even basic external threat intelligence and are less likely than their larger counterparts to participate in peer groups in which relevant information is shared,” Steinberg explains.
A reality check
Steinberg emphasizes a key point: small businesses hold valuable data. Even modest‑sized companies store enough financial and personal information to make them worthwhile targets.
“Would‑be criminals know that they are less likely to get themselves arrested and prosecuted if they attack small businesses than if they attack large businesses. Small businesses are simply less likely to get the same level of attention from law enforcement in the event of a breach.”
In addition, small business owners are far less likely to have personal connections in law enforcement or know who to contact during a cyber incident. “Many small business owners would not even know who to call other than their local police department and would find the only way to communicate directly with the FBI to be by filling out an online form,” Steinberg notes.
Compounding the issue, small businesses often lack adequate defenses and rarely have full‑time cybersecurity personnel.
No organization is off‑limits to automated threats
Michel Chamberland, founder of pentesting firm IntegSec, tells SmarterMSP.com that even something as simple as a server banner can put an organization in the crosshairs of attackers scanning the internet for specific vulnerabilities.
“They will scan the whole internet looking for it. Some attackers only care about marketable resources: CPUs, storage, memory, bandwidth, accounts, and other sensitive information. That is why organizations of all sizes can be a target and are useful to attackers,” Chamberland says.
The bottom line
For MSPs, conversations about why “small” doesn’t mean safe are more important than ever. Whether you’re prospecting for new clients or advising existing ones, helping small businesses understand their true risk profile is essential to protecting them.
This post originally appeared on Smarter MSP.

