Threat Alert

Can a 5-Person Company Really Get Hacked?

The short answer is yes — and small companies are now attacked more often than enterprises. Here's why attackers prefer SMBs, what they actually steal, and what minimum-viable defence looks like.

Kapacyber

Security Research Team

The myth that hackers only target large enterprises is one of the most expensive misconceptions in small business today. The data has been steady for over a decade: SMBs absorb a disproportionate share of cyber attacks because they're easier, faster, and still profitable.

Industry estimates consistently put the share of cyberattacks aimed at SMBs above 40%, and some research firms place it closer to 60% once automated attacks are counted. The FBI's Internet Crime Complaint Center (IC3) records billions of dollars in annual losses from business email compromise, ransomware, and wire fraud, the categories that fall hardest on SMBs.

Why Attackers Actually Prefer SMBs

Five structural reasons make small businesses higher-value targets, per dollar of attacker effort, than most enterprises:

Weaker defences

Most small businesses run default M365/Workspace settings, no EDR, no monitoring, and one shared password vault. Attackers find this faster to compromise than a hardened enterprise.

Higher payout-per-effort

An enterprise breach takes months and rarely converts. An SMB ransomware infection converts in days at $50k–$500k average payment. Better ROI for the attacker.

Time-sensitive operations

Many SMBs can't tolerate even 48 hours of downtime — they'll pay to recover fast. Attackers know this and price ransoms accordingly.

Trusted access to others

Compromising a small accounting firm gives access to their clients. Compromising an MSP gives access to dozens of businesses. SMBs are increasingly attacked as stepping stones.

Less visible to law enforcement

A multimillion-dollar enterprise breach gets FBI attention. A $40,000 SMB ransom rarely does. Attackers operate at small scale precisely to stay below the radar.

You're Not Being Singled Out — You're Being Processed

The most important thing to understand about SMB cyber risk is that it isn't personal. Attackers don't research your business and decide to come after you. They run automated infrastructure that:

  • Tests stolen credentials against millions of business domains
  • Scans the public internet for exposed services (RDP, VPN, file shares)
  • Sends phishing emails to addresses harvested from LinkedIn, web pages, and breaches
  • Password-sprays Microsoft 365 sign-in endpoints, looking for accounts with no MFA, and for tenants where legacy authentication protocols (IMAP, POP, SMTP AUTH) that cannot enforce MFA are still enabled
  • Operates ransomware-as-a-service kits that just need a foothold to deploy

When you get hit, it's usually because your environment presented a familiar weakness — a reused password, a missing patch, an MFA bypass — that the automation found. You weren't chosen. You were just first in line.
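The credential-testing and sign-in-probing steps in the list above leave a distinctive trace: one source IP trying many different accounts in a short window, almost all of them failing. The following detector is an added example written for this page, not Kapacyber's code or tooling. It runs over constructed sample events shaped like a simplified Microsoft 365 / Entra ID sign-in export (user, source IP, time, result code); the three result codes are Microsoft's documented values, everything else (IPs, names, timestamps, thresholds) is assumed.

```python
"""Flag password-spray / credential-stuffing activity in M365 sign-in events.

Added example, not Kapacyber's code.  Events are CONSTRUCTED sample data in a
simplified Entra ID sign-in log shape; the error codes are Microsoft's
documented values, the IPs, names, timestamps and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes (documented Microsoft values).
SUCCESS = 0
INVALID_PASSWORD = 50126   # "Invalid username or password"
MFA_REQUIRED = 50076       # password was correct; MFA challenge not completed


def sample_events():
    """Constructed events: one spraying IP, one normal user, one low-volume IP."""
    t0 = datetime(2024, 5, 6, 3, 0)              # constructed timestamp
    ev = []

    def add(minute, user, ip, code):
        ev.append({"time": t0 + timedelta(minutes=minute),
                   "user": f"{user}@example.com", "ip": ip, "code": code})

    # Spray: 8 distinct accounts from one IP in 14 minutes.  Two guesses are
    # right: alice is saved by her MFA challenge, bob has no MFA at all.
    sprayed = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(sprayed):
        code = {"alice": MFA_REQUIRED, "bob": SUCCESS}.get(user, INVALID_PASSWORD)
        add(2 * i, user, "203.0.113.7", code)
    # Normal user: one typo, then a successful sign-in from their own IP.
    add(5, "carol", "198.51.100.20", INVALID_PASSWORD)
    add(6, "carol", "198.51.100.20", SUCCESS)
    # Low-volume noise: three failures, below the default spray threshold.
    for i, user in enumerate(["ivan", "judy", "mallory"]):
        add(30 + i, user, "192.0.2.55", INVALID_PASSWORD)
    return ev


def detect_sprays(events, window=timedelta(hours=1), min_users=5):
    """Return {ip: alert} for every source IP that touched at least
    `min_users` distinct accounts inside any `window`-long period.

    The alert lists the accounts whose password the attacker evidently got
    right (MFA_REQUIRED or SUCCESS): those are the ones to reset first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        # Sliding window: distinct users seen in the `window` ending at each
        # event.  Quadratic, which is fine for a per-IP slice of a log.
        peak = 0
        for i, e in enumerate(evs):
            start = e["time"] - window
            seen = {x["user"] for x in evs[:i + 1] if x["time"] >= start}
            peak = max(peak, len(seen))
        if peak < min_users:
            continue
        valid = sorted({e["user"] for e in evs
                        if e["code"] in (SUCCESS, MFA_REQUIRED)})
        if any(e["code"] == SUCCESS for e in evs):
            severity = "critical"      # attacker is inside an account
        elif valid:
            severity = "high"          # valid password known, MFA held
        else:
            severity = "medium"        # spray in progress, nothing landed yet
        alerts[ip] = {
            "distinct_users": peak,
            "failed": sum(1 for e in evs if e["code"] == INVALID_PASSWORD),
            "password_valid_users": valid,
            "severity": severity,
        }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_sprays(sample_events()).items():
        print(ip, a)
```

The threshold of five accounts in an hour is deliberately low for a five-person company: a legitimate user never signs in as five different people, so the false-positive cost is near zero. Accounts in `password_valid_users` with a `SUCCESS` entry are already compromised and need a password reset and session revocation, not just a ticket.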

Real Scenarios — How SMBs Actually Lose

The following are illustrative incident patterns common in our industry and reported across FBI IC3 and DBIR data. Specific figures are illustrative composites of real events:

Wire fraud via vendor impersonation

$84,000 wired to a fake bank account after attackers compromised the controller's email and inserted themselves into a real conversation with a vendor.

Ransomware via stolen password

20 endpoints encrypted, M365 OneDrive contents encrypted, $35,000 ransom paid, 11 days fully offline. Initial access via reused password leaked in a 2019 breach.

Customer data exfiltration

3,800 customer records (names, emails, driver's licence numbers) stolen from a small dealership's finance-and-insurance (F&I) system. State AG fine, customer notification costs, class action filed.

Payroll diversion

Three employees' direct-deposit accounts changed by attackers who compromised the HR manager's email and waited for the right moment to act.
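The two mailbox-compromise scenarios above (vendor impersonation and payroll diversion) depend on the attacker sitting unnoticed in the mailbox, and the standard way to do that is an inbox rule that hides or forwards the relevant mail. The audit script below is an added example, not Kapacyber's code. Its record shape follows the Microsoft 365 Unified Audit Log, where New-InboxRule and Set-InboxRule entries carry a Parameters list of Name/Value pairs; the three records, the internal domain example.com, the folder and keyword lists, and the addresses are all constructed assumptions.

```python
"""Audit mailbox inbox rules for the hide-or-forward pattern used in BEC.

Added example, not Kapacyber's code.  Record shape follows the Microsoft 365
Unified Audit Log (Parameters = list of {"Name", "Value"}); the records,
the internal domain and the keyword/folder lists are CONSTRUCTED assumptions.
"""

INTERNAL_DOMAINS = {"example.com"}                 # assumed tenant domain
# Folders attackers move mail into because users never look there.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive", "Deleted Items",
                  "Junk Email", "Conversation History"}
# Terms a rule built to intercept invoice or payroll traffic would filter on.
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "payroll",
                 "direct deposit", "remittance", "password"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FILTER_KEYS = ("SubjectContainsWords", "BodyContainsWords",
               "SubjectOrBodyContainsWords", "FromAddressContainsWords")

SAMPLE_EVENTS = [
    {   # vendor-fraud prep: hide anything about money, name the rule "."
        "Operation": "New-InboxRule", "UserId": "controller@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # payroll-diversion prep: forward HR mail to an attacker mailbox
        "Operation": "New-InboxRule", "UserId": "hr.manager@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "Backup"},
            {"Name": "BodyContainsWords", "Value": "direct deposit;payroll"},
            {"Name": "ForwardTo", "Value": "hr.backup@example.net"},
        ],
    },
    {   # benign: a user filing a newsletter
        "Operation": "New-InboxRule", "UserId": "carol@example.com",
        "ClientIP": "198.51.100.20",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.net"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
]


def rule_params(event):
    """Flatten the audit-log Parameters list into a {name: value} dict."""
    return {p["Name"]: str(p["Value"]) for p in event["Parameters"]}


def rule_findings(event):
    """Return the reasons an inbox-rule event looks like BEC tradecraft
    (an empty list means nothing suspicious)."""
    p = rule_params(event)
    reasons = []
    # Mail leaving the tenant is the single strongest signal.
    for key in FORWARD_KEYS:
        for addr in p.get(key, "").split(";"):
            addr = addr.strip()
            if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{key} sends mail outside the tenant: {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage: matching mail is deleted")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder hides mail in {p['MoveToFolder']!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead: removes the unread indicator")
    for key in FILTER_KEYS:
        terms = [t.strip().lower() for t in p.get(key, "").split(";") if t.strip()]
        hits = sorted(t for t in terms if any(f in t for f in FINANCE_TERMS))
        if hits:
            reasons.append(f"{key} filters on finance terms {hits}")
    if p.get("Name", "").strip() in {"", ".", ",", "-"}:
        reasons.append("rule name is blank or a single punctuation mark")
    return reasons


def audit_inbox_rules(events):
    """Return one finding per suspicious New-InboxRule / Set-InboxRule event."""
    findings = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = rule_findings(e)
        if reasons:
            findings.append({"user": e["UserId"], "ip": e.get("ClientIP"),
                             "rule": rule_params(e).get("Name", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_EVENTS):
        print(f["user"], f["rule"], f["reasons"])
```

A rule that forwards outside the tenant, or that moves mail matching "invoice" into RSS Subscriptions and marks it read, has no legitimate business use in a five-person company, so every hit here is worth a phone call to the mailbox owner; the source IP on the rule-creation event also tells you whether the attacker's session is still live.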

What Minimum-Viable Defence Looks Like

You don't need an enterprise security budget to dramatically reduce your risk. Five controls move the needle further than anything else:

  1. MFA on every account. Microsoft reports that MFA blocks more than 99% of automated account-compromise attacks. Included with M365 / Workspace; turn off legacy authentication at the same time, or the MFA requirement can be side-stepped.
  2. EDR on every device. Behavioural detection catches the hands-on-keyboard activity that precedes ransomware; signature-based AV generally does not.
  3. Backups that survive ransomware. The 3-2-1 rule (three copies, on two kinds of media, one offsite), with at least one copy immutable or offline so that an attacker holding admin credentials cannot delete it, and a restore tested quarterly.
  4. Quarterly phishing training. Click rates drop from 25–35% to under 5% within a year of consistent training.
  5. An incident response plan. Documented, with names, phone numbers, insurance carrier, and runbook.

These five controls — for a typical SMB — close roughly 80% of the attack paths attackers actually use. The remaining 20% is where managed security operations earn their fee: detection of attacks that get past prevention, response that contains them, recovery that restores fast.

The Bottom Line

Yes, a 5-person company can absolutely be hacked. The relevant question isn't whether you're a target — you are — but whether you've done the minimum work to make yourself a harder target than the millions of others on the attacker's list. Most SMBs haven't. The ones that have rarely make the news, precisely because the attacks don't succeed.

Related reading: why SMBs are the #1 ransomware target, the complete SMB cybersecurity checklist, and the BEC guide.

Frequently Asked Questions

Aren't hackers only interested in big companies?

Industry data consistently disagrees. Verizon's Data Breach Investigations Report shows SMBs receiving roughly half of all breach activity. The FBI's IC3 reports billions in SMB-targeted business email compromise losses annually. Attackers favour SMBs precisely because the defences are weaker and the payout, while smaller per victim, is faster and easier.

What do attackers actually want from a small company?

Money first — via ransomware, wire fraud, or fraudulent invoicing. Then data they can resell: customer info, employee records, payment card data, anything that can be monetised on dark-web markets. A 10-person business handling customer credit cards is just as valuable a target as a 200-person one.

How do attackers find small businesses to target?

They don't pick you personally — they automate. Mass phishing campaigns hit millions of inboxes; scanners crawl the internet for exposed services; credential databases get tested against every business domain. You're not being singled out; you're being processed through an industrial pipeline.

What's the average loss from a small-business breach?

Direct costs are commonly estimated at around $200,000 per incident; broader figures including downtime, legal, and recovery often reach the millions. A widely repeated estimate, though one whose sourcing is contested, holds that roughly 60% of small businesses that suffer a serious breach close within six months.

What's the minimum I should do to lower my risk?

Five things: enforce MFA on every account, run modern EDR on every device, use a real backup with offsite immutable storage, train your people quarterly on phishing, and document an incident response plan. That sequence eliminates the most common attack paths used against SMBs.

Check Your Posture — Free

Free 30-minute assessment. We'll map your environment against the 5 minimum-viable controls and tell you where the gaps sit.
