The SMB cybersecurity myth: why “too small to target” is a dangerous belief

• Business email compromise (BEC) keeps hammering organizations of all sizes—including small local businesses, per an FBI 2024 PSA. The Bureau calls BEC “one of the most financially damaging online crimes” and “the $55 Billion Scam”.
• Credential abuse is the dominant way in. Verizon’s 2024 Data Breach Investigations Report (DBIR) shows that “use of stolen credentials” is the #1 type of web app attack (77%) and a recurring factor across breach patterns.
• Stolen logins are for sale within hours. Verizon’s DBIR team sampled credential markets and found 1,000+ credentials posted per day at about $10 each, with 65% listed less than a day after theft—fuel for rapid waves of credential-stuffing attacks.
• Breaches that start with compromised credentials take the longest to clean up—292 days on average to identify and contain, per IBM’s 2024 Cost of a Data Breach Report. 70% of organizations report significant or very significant business disruption post-breach.
• SMBs are common targets. According to Microsoft’s 2024 SMB research, found that one in three surveyed SMBs had experienced an attack, with an average cost of $254,445 per incident.

There’s a common theme here: These unrelenting attacks increasingly hinge on compromised digital identities to gain access. That’s why robust identity and access management (IAM) is essential to secure your organization.

• BEC (Business Email Compromise). Attackers phish or password-stuff their way into a real mailbox (or convincingly spoof it), then hijack vendor payments, payroll, or escrow transfers. The FBI’s 2024 PSA explicitly notes BEC targets small local businesses as well as large firms.
• Credential stuffing against cloud apps. With thousands of fresh logins posted daily for a few dollars each, criminals rapidly test email/password pairs against Microsoft 365, Google Workspace, and SaaS apps. Once in, they create inbox rules to hide fraud, mint OAuth tokens, or register their own MFA device during quiet hours. Verizon documents the tight coupling of web apps and stolen credentials in today’s breaches.
• Password stealer malware on unmanaged devices. Even if an SMB uses “long, complex passwords,” a compromised personal laptop used for work can leak cookies and creds, which are then sold almost immediately. The DBIR warns that this class of stealer malware often sits where defenders have “limited visibility.”
• The compounding cost of “slow to see, slow to stop.” IBM’s 2024 analysis shows credential-led breaches are slowest to detect (292 days), which extends attacker dwell time and ratchets up cost. That lag often converts a preventable incident into operational disruption, legal exposure, and reputational loss.

As an SMB facing significant risk of attack, your choice of outsourced IT consultant or managed services provider (MSP) is one of the most consequential security and business decisions you’ll make.

You’re not just buying “helpdesk hours”; you’re granting an external team privileged access to your systems, data, and the digital identities of your staff. If your IT services provider cuts corners, you inherit their risk.

Keep in mind that MSPs themselves are also a prime attack target, because compromising their toolset could yield one-to-many access to dozens of organizations, highly privileged accounts, software distribution channels, and help desk workflows vulnerable to social engineering. It’s essential to scrutinize not just what an MSP or IT consultant says they’ll offer your business—but to also learn how they are protecting themselves.

• Do they have references in your industry and size band?
• Can they articulate common attack paths for SMBs (BEC, credential stuffing, OAuth abuse) and how they block them in practice?
• Will they share playbooks for onboarding, incident response, and recovery?

• Are identity controls—like single sign-on (SSO) and phishing-resistant multifactor authentication (MFA), plus device trust for the most sensitive access—the default for every user and admin, not just an upsell?
• Do they practice least privilege, just-in-time access, and change control for any support action they perform for your business?
• How do they measure success: fewer tickets because baseline controls work, or happier metrics that ignore risk?

The tools and policies they sell you should be the ones they run themselves. Ask them to prove it:

• Identity & access: Do their technicians authenticate to their systems and your tenants with SSO and phishing-resistant MFA (not SMS/email codes)
• Segregation & audit: Are their admin accounts separated per customer tenant, fully audited, and time-bound?
• Endpoint hygiene: Are all MSP laptops used to access your systems managed, encrypted, patched, and blocked if they fall out of compliance?
• Passwordless where possible: Are they reducing or eliminating passwords internally for critical consoles and replacing them with more secure passwordless authentication methods? Can they do the same for you?

• Will they show screenshots or short demos of their internal security posture (redacted as needed)?
• Do they maintain third-party attestations (for example, SOC 2)?
• Can they provide copies of their incident response runbooks and an outline of communication timelines?