Skip to content
resources · cybersecurity

The Three Cyberattacks That Actually Hit Small Businesses

Adam Gleason

Adam Gleason

March 3, 2026 ·2 min read

Small businesses don't get hit by nation-state APTs. They get hit by three specific attacks that have been working since the late 2000s, and basic discipline stops most of them.

1. Credential stuffing

Someone's password leaks in a third-party breach (LinkedIn, Adobe, MyFitnessPal — the list is long). Attackers try the same email/password combo on your Microsoft 365, QuickBooks, banking, and business apps. If anyone on your team reuses passwords, this works.

Defense: Multi-factor authentication on every account that supports it. Email and accounting first. Hardware security keys (YubiKey or similar) for executives and admins. Password manager so reuse isn't tempting.

2. Phishing into wire fraud

The attacker registers a domain that looks like a vendor's, impersonates an executive, or hijacks a real email account. They send a request to change banking details for an upcoming payment. The accounts team complies because the message looks routine.

Defense: A written verbal-confirmation policy for any banking change above a threshold. Email filtering that flags newly-registered look-alike domains. Training that gives employees explicit permission to slow down and verify.

3. Lost or stolen device with unprotected data

Laptop in an Uber, phone at the airport, an ex-employee who walked out with their equipment. If the drive isn't encrypted and the device isn't enrolled in remote-wipe, customer data is now public.

Defense: Full-disk encryption everywhere (BitLocker on Windows, FileVault on Mac — both free, both off by default). Mobile device management (Microsoft Intune, Jamf, or similar) so you can wipe a device remotely. Strong passwords or biometric on lock screens.

What we don't recommend

A full Security Operations Center, dedicated SIEM, or expensive XDR tooling. These are excellent — and overkill for businesses under about 50 employees. You'd be paying for capability you can't operate.

The 10-minute audit

When we run a cybersecurity assessment for an SMB, we usually find one of the three issues above open within the first ten minutes. The defenses aren't expensive or technically complex. The work is making sure they're actually in place and not silently broken — that's what ongoing managed IT is for. That's what we do.