Why threat actors prefer growing businesses now.
Most CEOs of growing businesses operate under an assumption about cybersecurity that was true ten years ago and isn't true now.
The assumption is that their company is too small to be a target. That cybercrime is something that happens to banks, to hospital systems, to defense contractors, to the kind of organizations that have something a sophisticated attacker would invest months to acquire. That a fifty-person manufacturer in a regional market is below the threshold of interest.
That reasoning was correct when it was first formed. It is no longer correct. The economics of cybercrime have shifted in a way that flipped the targeting math, and most CEOs are still running on the old assumption while the new reality is already operating against them.
You're not being selected. You're being scanned.
That's the single sentence that captures what changed. The rest of this piece is the structural explanation of why, and what the math now requires.
What changed about being a small target
Three structural shifts moved the threat economy from selective targeting toward volume targeting. Each one happened over the last decade. Together they reshaped who gets attacked and why.
The first shift was the commoditization of stolen credentials. Tens of billions of username-password pairs are now circulating in dark-web markets, sold by the millions for prices that round to nothing. The credentials come from breaches at services everyone uses: social media, retail, productivity tools, payment platforms. When a person reuses a password across services, which most people still do, one breach somewhere becomes a credential that works against your business. Attackers don't have to phish your employees. They just buy a list.
The second shift was the automation of attack delivery. The work of trying credentials against a target, scanning for unpatched software, probing for misconfigurations, and identifying the easy way in used to require human time. It now runs at machine speed across tens of thousands of targets simultaneously. The same automation that lets a small SaaS startup serve a million customers lets a small criminal operation try a million targets. The attacker doesn't care which one of you they land on. They just need a hit rate.
The third shift was ransomware-as-a-service. The technical capability to encrypt a victim's environment and demand payment used to live with a small number of sophisticated groups. It is now sold as a kit. An operator with modest technical skill rents the infrastructure, takes a percentage of the ransom, and runs the same playbook against businesses with whatever credentials and access they happen to acquire. The bar for being an attacker dropped significantly. The volume of attempts went up correspondingly.
The result is a threat economy where the unit of work is no longer "attack a specific high-value target" but "attack ten thousand targets and convert the easiest two percent." That math favors the volume target. Your business is the volume target.
What this means for your business
You're not being selected. You're being scanned. The bot on the other end doesn't know who you are. It evaluates whether your defenses are sufficient to skip you in favor of the next target in the queue, or whether you're easier to land on than the one after.
Your real competition for not being a victim isn't an enterprise spending millions on a security program. It's the business at your scale, in your industry, in your region, that did slightly more security work than you did. The bot scans both of you. The bot picks the easier one. That's the entire decision.
This is uncomfortable to internalize because it removes most of the comfortable framing CEOs use about cybersecurity. You aren't safe because you're small. You aren't safe because your industry isn't interesting. You aren't safe because nothing has happened yet. None of those are defenses. They are the absence of an event, not the absence of risk.
The number of small and mid-sized businesses that experience a security incident in a given year is significantly higher than the number that report one. Most incidents don't make the news. Most don't even get disclosed to customers, because the disclosure requirements at small scale are narrower than at enterprise scale. The pattern you see in headlines is a small fraction of the pattern that actually exists.
The four controls that actually matter at your scale
A growing business does not need an enterprise security program. It needs four things, done seriously and run continuously. Most businesses I've watched have some version of one or two of these. Almost none have all four.
One. Identity-first defense. Credential theft is the primary vector now. Multi-factor authentication on every account, conditional access policies that limit where credentials can be used from, identity logging that catches anomalies, role-based access so a compromised account doesn't have keys to everything. Identity is the perimeter. The firewall stopped being the perimeter years ago, but most businesses still budget like it is.
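As an added illustration of what "identity logging that catches anomalies" means in practice (example code written for this edit, not from the original article), the script below reads a constructed authentication log in an assumed format and flags sources that fail against many distinct accounts in a short window, the signature of a bot working through a purchased credential list rather than a person mistyping one password. It then lists which accounts that source nonetheless logged into, since those are the ones that need a reset and an MFA check rather than just an alert.

```python
"""Flag volume credential attacks (stuffing / spraying) in auth logs.
Added example; the log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-02T03:11:02 203.0.113.9 alice FAIL
2024-03-02T03:11:03 203.0.113.9 bob FAIL
2024-03-02T03:11:04 203.0.113.9 carol FAIL
2024-03-02T03:11:05 203.0.113.9 dave FAIL
2024-03-02T03:11:06 203.0.113.9 erin FAIL
2024-03-02T03:11:07 203.0.113.9 frank SUCCESS
2024-03-02T09:15:00 198.51.100.4 alice FAIL
2024-03-02T09:15:20 198.51.100.4 alice SUCCESS
"""

def parse(text):
    """Turn the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_spray_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: users} for sources whose failures touch at least
    `min_users` distinct accounts within `window`. A person who mistypes
    hits one account; a bot trying a bought list hits many in seconds."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):      # slide the window
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"})
```

Tune `window` and `min_users` to the normal failure rate of your own identity provider; the check is meant to run over exported sign-in logs, not to replace the provider's own risk signals.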
Two. Patch cadence. Unpatched software vulnerabilities are the second primary vector. Automated patching across endpoints and servers, a clear monthly cycle, an exception process for the few systems that can't be patched on schedule, and reporting that shows when something is overdue. The bar isn't perfection. It's keeping the window between vulnerability disclosure and patch deployment short enough that the volume scanner finds easier targets.
Three. Monitoring with humans on the other end. Twenty-four-seven detection only matters if there is a human who confirms threats and responds. Alerts that go to a queue nobody reads are not security. The math on this is straightforward: attacks happen at three in the morning, on weekends, during holidays. If your security model assumes someone is watching at those times, you need someone watching at those times.
Four. Documentation that an auditor reads in an afternoon. This is the unglamorous one, and the one that disproportionately determines whether you can get cyber insurance at a reasonable premium and whether a claim gets paid when an incident happens. Insurance underwriters and compliance auditors don't evaluate your security based on what you have. They evaluate based on what you can show them. The documentation is the evidence.
What doesn't work, even though everyone does it
A short list of common postures that feel like security but don't deliver security at the scale that matters now.
"We have antivirus." Antivirus is necessary. It catches known threats. Modern attacks don't use known threats. They use stolen credentials, phishing, and living-off-the-land techniques that look like normal user behavior. Antivirus is the floor, not the ceiling.
"We're behind a firewall." Modern attacks don't come through the perimeter. They come through a user clicking something, a credential bought on the dark web, a misconfigured cloud service, or a software vulnerability in something you bought and haven't patched. The firewall protects against a category of threat that is no longer the dominant category.
"We have cyber insurance." Cyber insurance is useful, but it is not a substitute for the work. Insurance policies assume you have implemented the controls listed in the application. When an incident happens and the underwriter discovers you hadn't, claims get denied. The claim-denial rate at the SMB level is high, and it correlates almost perfectly with the controls the application asked about.
"Our IT person handles security." A part-time security function inside a generalist IT role is the most common SMB posture and the most common failure mode. Security at the scale the threat now operates is a discipline that requires dedicated attention and infrastructure that exceeds what any individual generalist can run alongside their other work. This isn't a critique of the IT person. It's a critique of the model.
The bar moved. The volume game is the only game now. The CEOs who recognize this make security investment decisions they can defend on the income statement and explain in a board meeting. The CEOs who don't will be on the wrong side of the math when the next round of incidents lands in their industry. The math doesn't care which side you're on. It just keeps running.