Why Every Small Business is a Ransomware Target (and What to Actually Do About It)

April 10, 2026

There’s a comforting lie that business owners tell themselves: “We’re too small for hackers to care about us.” It made sense five years ago. Today it’s exactly backwards.

The business of ransomware has industrialised. The same criminal ecosystem that used to target Fortune 500 companies has built automation to hit thousands of small businesses at once. You’re not being specifically targeted — you’re being swept up by bots that scan the internet looking for any business with weak defenses and enough money to pay.

Why SMBs Are the Sweet Spot for Attackers

1. Enterprises got hard to attack

After years of high-profile breaches, large enterprises now spend millions on security: SOCs, red teams, advanced endpoint detection, zero-trust architectures. Attacking them is possible but expensive and slow. The ROI on attacking a Fortune 1000 company dropped.

2. SMBs have real money

A 50-person accounting firm or a regional retailer might pay a $200,000 ransom without blinking if the alternative is going out of business. Attackers learned quickly that many SMBs also carry cyber insurance that will pay out.

3. SMBs often have weak defenses

The average 30-person company still runs on consumer-grade antivirus, no multi-factor authentication on email, a part-time IT contractor who responds in 48 hours, and backups that haven’t been tested in two years. You don’t need to outrun the bear — you just need to have weaker defenses than the business next door.

How Modern Ransomware Actually Works

The Hollywood version — a hacker furiously typing green code — is nonsense. Here’s what actually happens, in order:

  1. Initial access (70% of cases). An employee clicks a phishing link and enters their password into a fake login page, opens an Excel file with a malicious macro, or reuses a password leaked in an unrelated breach.
  2. Persistence. The attacker installs a remote access tool — a way back in even if the password is changed.
  3. Lateral movement. They poke around the network for weeks, looking for admin accounts, file shares, backup servers, and sensitive data.
  4. Data exfiltration. Before encrypting anything, they copy out valuable data — client lists, financials, HR records. This is the leverage.
  5. Backup destruction. They delete or encrypt your backups so you can’t restore.
  6. Encryption. Only now, after everything is set up, do they trigger the ransomware — usually on a Friday evening or the start of a long weekend.
  7. Double extortion. Pay to decrypt, or pay to stop your data being leaked publicly. Many victims pay twice.

What Actually Stops This — Ranked by Impact

A short list of unglamorous controls prevents the vast majority of attacks. In rough order of bang-for-buck:

1. Multi-factor authentication (MFA) on EVERYTHING

Email. VPN. Remote desktop. Cloud admin portals. Anything exposed to the internet. MFA alone blocks over 99% of account-takeover attacks. If you do nothing else from this list, do this.

2. Endpoint Detection and Response (EDR)

Replace consumer antivirus with a real EDR product (SentinelOne, CrowdStrike, Microsoft Defender for Business). These watch for suspicious behaviour, like a Word document spawning PowerShell.

3. Patch management

Many attacks exploit vulnerabilities that had patches available for months. Automated patching of operating systems, browsers, and major apps closes that window.

4. Immutable, tested backups

Follow the 3-2-1-1-0 rule: 3 copies of data, on 2 media types, 1 off-site, 1 immutable (can’t be deleted), 0 errors on the last restore test. The immutable and tested parts are what stop ransomware from wiping your safety net.

5. Email security filtering

Modern email gateways (Proofpoint, Barracuda, Mimecast, Microsoft Defender for Office 365) catch phishing before it reaches inboxes.

6. Principle of least privilege

Does your receptionist need admin rights? Does everyone in finance need every HR file share? Ransomware spreads faster where everyone has access to everything.

7. Security awareness training

Humans are the primary entry point. Quarterly phishing simulations and short training modules drive click rates down dramatically over time.

The Uncomfortable Truth About Cyber Insurance

Insurers have tightened underwriting dramatically. Applications now require proof of MFA, EDR, tested backups, and employee training — or the policy won’t be issued. Insurance without these controls isn’t insurance; it’s false comfort.

Prevention Is Cheaper Than Recovery — Always

A hardened small business can be secured for $20–$50 per user per month. An actual ransomware event costs most SMBs $150,000–$500,000 once you add ransom, downtime, forensics, legal fees, customer notifications, and deductibles.

You don’t need enterprise security. You need deliberate security — most of these controls are standard features of Microsoft 365 and Google Workspace that simply need to be turned on, configured, and monitored. If you want an honest assessment of where you stand, we run free 30-minute security reviews for businesses across Surrey, Vancouver, and Canada.