Why “we’re too small to be a target” is exactly the problem

“We’re too small to be a target” is a common assumption in small professional firms, and it shapes how cyber risk is understood — and often underestimated.

Not because people are careless — but because, for a long time, it felt reasonable. Systems were the main target, and suspicious messages were usually obvious enough to spot. If something got through, it looked wrong.

People have become the primary route in

What’s changed isn’t that every attack is now sophisticated. It’s that access increasingly comes through people, regardless of how basic or advanced the activity itself is.

There’s still plenty of low-effort activity: generic phishing attempts, poorly written emails, messages that are easy to dismiss. But alongside that are quieter, more convincing messages that blend into normal work. In some ways, the obvious attempts make the convincing ones more effective — because they don’t look like what people expect a threat to look like.

Why normal work creates false reassurance

Two beliefs often sit quietly in the background of many organisations:

  • The system is secure, so anything that reaches me is probably safe; and
  • If something is malicious, it will be obvious.

Together, they create a gap.

When people trust that systems will catch anything serious, judgement becomes more passive. And when malicious activity is expected to look suspicious, messages that appear routine — a reply in an existing thread, a supplier request, a payment follow-up — pass without friction.

Once an attacker has access to an email account or Microsoft 365 login, the system matters less than behaviour. They can see how invoices are sent, who approves payments, and when conversations usually happen. From there, timing and context do most of the work.

That doesn’t mean staff are “the problem”. It means they’re human — making sensible decisions under time pressure, based on incomplete information.

And size doesn’t change the impact.

Size doesn’t reduce responsibility

Regulators, insurers, and clients don’t assess incidents by headcount. They look at whether risks were understood, whether reasonable steps were taken, and whether someone was clearly responsible for managing them.

This is why regulators and insurers increasingly judge small business cyber risk on preparation and management, not size or intent.

The reality for small firms is this: you don’t need enterprise IT teams, but you do need enterprise-level management. Monitoring, protection, backup, and training that work together — and are actively looked after. The good news is that they are now accessible in a way they simply weren’t a few years ago.

The real risk isn’t being small.
It’s assuming that what you have is “probably enough”, without visibility into how it’s actually being used.
