
"We're too small to be a target" — why that's exactly backwards

It's the most common thing I hear from SME owners. It's also the single most dangerous assumption in cyber risk.

At first glance, it makes sense. Why would a criminal go after a company with 15 or 50 employees when there are multinationals with billions in revenue to exploit? The trouble is that this is not how modern cyber crime works. Attackers aren't hand-picking targets from a list of the Fortune 500 — they're running automated tools that scan thousands of systems at once, looking for one thing: an opening.

Automated attacks don't discriminate

An outdated server. An employee with a weak password. A firewall that hasn't been patched. To an automated scanner, a two-person accounting firm and a national bank look identical — both are just IP addresses with a door that may or may not be locked. If the system is open, the attacker walks through it. Your size never enters the equation; your vulnerability does.

Smaller firms are easier — and that's the point

Large enterprises spend millions on security teams, tooling and training. Most SMEs rely on a single IT provider or a staff member juggling three other roles. Attackers know this, and they specifically prefer SMEs because:

You may be the door to a bigger target

Many SMEs are part of a larger supply chain. A small manufacturer, consultant or IT provider often has trusted access to a much bigger company's systems. Breaching the SME is step one; moving laterally to its clients and partners is step two. That makes smaller firms not just vulnerable, but genuinely valuable to criminals.

And SMEs are more likely to pay

When a small business can't operate, the pressure to make the problem go away is enormous. Downtime of even a few days can mean missed payroll, lost contracts, or worse. Criminals understand this calculus — and it's a big part of why Canada now ranks as the second most-targeted country in the world for ransomware.

The takeaway

Being "too small to matter" isn't protection — it's an invitation. In the cyber landscape, size doesn't determine risk; vulnerability does. The businesses that come through an incident intact aren't the biggest ones. They're the ones that took two steps early: they hardened the basics (MFA, backups, training), and they made sure their insurance would actually respond when something slipped through.

See where you actually stand

Take the free 8-question Cyber Risk Scorecard, or book a no-pressure coverage review with a Certified Cyber Insurance Specialist.


By J.R. Genua, CCIS — Certified Cyber Insurance Specialist. Adapted from the free guide Cyber Risk & Canadian SMEs: What Every Business Owner Needs to Know.