"Nothing bad has happened, so we're doing okay." That's what most small business owners think. I hear some version of it every week.

That's not security. That's luck. And luck has an expiration date.

The targeting myth

People imagine attackers the way movies show them - someone at a keyboard, picking a victim, choosing their moment. That's not how most attacks work. Automated tools scan millions of IP addresses every single day looking for open doors: unpatched software, weak passwords, misconfigured systems. They're not looking for your business specifically. They're looking for whoever left something unlocked.

"We're too small to matter" is the most expensive thing I hear in this job.

Small businesses get hit constantly. Not because attackers specifically want them, but because they're easier. Fewer controls, less monitoring, less training. A ten-person accounting firm is a softer target than the enterprise next door, and the automated tools don't know the difference.

What actually happened

I've worked with businesses after a breach. The story is almost always the same. They had antivirus. They thought that covered it. What they didn't have was anyone watching, anything catching the quiet activity before it became a crisis, or any real path to recovery that didn't start from scratch.

The breaches that make the news usually aren't the ones that hurt small businesses. It's the quiet ones. Credentials stolen and sold months before anyone notices. A mailbox compromised and forwarding everything to someone it shouldn't. Ransomware sitting dormant, waiting for the right moment.

The difference between secure and lucky

Security isn't one tool. It's layers - endpoint protection, email filtering, identity controls, tested backups, someone watching for behavior that doesn't look right. Most small businesses I see have one or two of those. Usually antivirus and a prayer.

The gap between what most small businesses have and what would actually protect them isn't as expensive to close as people think. It's just not something that happens on its own. It has to be set up, maintained, and watched.

The audit is cheaper than the incident. That's the whole point.