It comes up in nearly every conversation about cybersecurity with a small business owner or nonprofit director.
“We don’t have anything worth stealing.”
“Hackers go after big companies.”
“Why would anyone bother with us?”
These are reasonable assumptions. They are also wrong. And the organizations that hold them are more likely to get hit, not less.
What the Numbers Actually Say
Forty-three percent of all cyberattacks target small businesses. Not large enterprises. Not government agencies. Small businesses.
Small businesses experience roughly four times as many confirmed breaches per employee as large organizations. That gap is not because small businesses are uniquely careless. It is because attackers deliberately choose targets where defenses are weaker and the likelihood of success is higher.
Eighty percent of small businesses reported at least one cyberattack in 2025.
Among small business owners with no security measures in place, 59 percent believe they are too small to be targeted. That belief is not incidental. It is the opening attackers count on.
How Attackers Actually Think
Attackers are not making ethical judgments about who deserves to be targeted. They are running operations that maximize return on effort.
A large corporation has a security operations center, an incident response team, endpoint detection tools, and legal resources. Breaching that organization takes significant time and expertise. The payout may be high, but the effort and risk are high too.
A small business or nonprofit often has none of those things. The same attack that fails three times against an enterprise succeeds on the first attempt against an organization with no MFA, default passwords, and no one monitoring for suspicious logins.
Attackers run automated tools that scan the internet for exposed systems around the clock. They are not sitting at a keyboard choosing targets one by one. They identify every organization with a specific vulnerability and launch the same attack across all of them simultaneously.
Being small does not make you invisible. It makes you easier.
The Revenue Math
The assumption behind “we’re too small to be targeted” is that attackers are looking for a single large payday. Some are. But most ransomware operations and credential theft rings operate at scale.
A ransomware group that demands $15,000 from each victim and successfully hits 200 small businesses in a month generates $3 million. That model works precisely because small organizations are unlikely to have offsite backups, unlikely to have cyber insurance, and more likely to pay quickly to restore operations.
A nonprofit that processes $500,000 in annual donations does not look like a high-value target from the outside. From an attacker’s perspective, it looks like an organization with donor payment data, a staff that trusts email, and a finance team that has never dealt with a wire fraud attempt.
What This Myth Costs Organizations
The belief that size provides protection leads directly to under-investment in the controls that would actually provide protection.
No multi-factor authentication because “we don’t need it.”
No staff training because “it won’t happen to us.”
No incident response plan because “if it ever did happen, we’d figure it out.”
When a breach does occur, those organizations face it without preparation, without a plan, and often without insurance coverage, because the policy required security controls they never implemented.
The average data breach costs a nonprofit $200,000. For many nonprofits, that is a year or more of operational budget.
The Actual Baseline
Small organizations do not need enterprise-grade security. They need the basics, done consistently.
Multi-factor authentication on every account that accesses email, financial systems, or donor data. Strong, unique passwords managed through a password manager. Regular backups stored somewhere other than the primary network. Staff training that covers how phishing works and what to do when something looks wrong.
These steps do not require a security team. They require leadership that has accepted the actual level of risk and made a decision to address it.
The “too small to be targeted” myth is comfortable. It removes the obligation to act. But it is built on a premise that attackers disproved years ago.
Nigel Roberts, CISSP, is the founder of NexSecure Solutions LLC. He helps small businesses and nonprofits build security programs that match their actual risk. To talk through where your organization stands, schedule a free discovery call at nexsecuresolutions.com.
