Introduction
There’s a comforting narrative circulating in boardrooms and break rooms alike: cyberattacks are a problem for the big players. The household names. The Fortune 500s. If you’re running a small accounting firm or a regional manufacturer, surely you’re flying under the radar, right?
Sadly, this isn’t correct. Here’s the harsh truth: hackers aren’t just targeting big businesses.
This dangerous misconception is putting countless organisations at risk. And recent high-profile attacks on companies like Jaguar Land Rover and Collins Aerospace are paradoxically making the problem worse by reinforcing this false sense of security among smaller businesses.
The Visibility Trap
When we read about ransomware attacks hitting major corporations, there’s an understandable psychological response: “Well, that’s not us. We’re not important enough to be a target.”
But here’s what most people misunderstand about the threat landscape. Groups like APT29 (“APT” being the industry shorthand for “advanced persistent threat”) represent only the visible tip of the iceberg. These attackers want to be seen. They’re after clout, recognition, and the publicity that comes from taking down a big name. The disruption they cause makes headlines precisely because that’s part of their strategy.
However, for every teenage hacker group seeking notoriety, there are potentially hundreds of professional attackers operating in the shadows. These aren’t attention-seekers. They’re professionals harvesting data, maintaining access, and extracting value from compromised systems for days, weeks, months, or even years without detection.
And they don’t care about your company size. They care about opportunity.
The Real Target: Vulnerability, Not Visibility
Professional attackers aren’t selecting targets based on prestige. They’re looking for vulnerabilities. A small business with outdated software, minimal security protocols, and no penetration testing regime represents an easy payday with minimal risk of detection.
Consider this: while Jaguar Land Rover was conducting extensive internal penetration testing, they were ultimately compromised through their supply chain. Specifically, through their outsourced IT service provider. The attackers didn’t need to breach JLR’s hardened defences directly; they simply found a softer target with access to JLR’s systems.
This cascading vulnerability affects businesses of all sizes. If you’re a supplier to a larger organisation, you’re not just risking your own data; you’re potentially the weak link that provides access to your clients’ systems. And if you rely on third-party services yourself, you’re trusting that those providers have adequate security measures in place.
The Outsourcing Illusion
Over the past decade, businesses have frantically outsourced services to SaaS platforms and consultancy organisations. The thinking goes: “We’ll outsource the service and, in doing so, outsource the risk.”
It should be crystal clear by now that you cannot outsource risk.
When a third-party service provider fails to secure their systems adequately, it’s not their business that suffers the reputational damage, regulatory penalties, and operational disruption. It’s yours. Your data. Your customers. Your reputation.
Take the legal sector as an example. Many law firms have case management systems provided by third-party vendors. When asked if they’ve had these systems penetration tested, the typical response is: “No, the platform itself has been pen tested by the vendor.”
That’s not good enough. If that vendor’s security is compromised, your cases get leaked. Your privileged communications become public. Your practice is destroyed. And saying “but they told us it was secure” won’t save you.
The Supply Chain Domino Effect
The recent Jaguar Land Rover incident illustrates another critical point: when a major organisation is hit, the impact rolls downhill to smaller suppliers.
We’re now seeing news reports about government intervention being necessary to save companies in JLR’s supply chain. Workers are being laid off. Businesses are on the brink of collapse. All because of a cyberattack they had no direct involvement in.
If you supply goods or services to larger organisations, you’re not insulated from cyber risk; you’re potentially more exposed to it. A security incident at your client can become your existential threat, even if your own systems were never breached.
What Small Businesses Need to Know
The harsh reality is that smaller businesses often make more attractive targets than their larger counterparts:
Lower defences: Many SMEs lack dedicated IT security teams, use outdated software, and have minimal incident response capabilities.
Less scrutiny: Breaches at small businesses rarely make headlines, reducing the reputational risk for attackers.
Supply chain access: Compromising a small supplier can provide a backdoor into larger, more valuable targets.
Compliance blindness: Many small businesses focus on ticking compliance boxes without understanding the actual security implications.
Beyond Compliance Theatre
It’s worth noting that many organisations are falling into the “compliance trap.” They conduct annual penetration tests because regulations require it, receive a report full of findings, and then… do nothing about the vulnerabilities identified.
Having a pen test done doesn’t make you secure. Fixing the issues it uncovers makes you secure. And conducting the same limited-scope test year after year while ignoring large swathes of your IT estate doesn’t provide meaningful protection.
Hackers don’t just attack the systems you tested last year. They look for the easiest entry point, which is often the infrastructure you’ve left unexamined.
The Path Forward
If you’re a small or medium-sized business, here’s what you need to understand:
You are a target. Your size doesn’t protect you; it may actually make you more vulnerable.
Third-party risk is your risk. Any service provider with access to your systems or data represents a potential compromise vector. Conduct proper due diligence.
Outsourcing doesn’t mean offloading. You can outsource services, but you cannot outsource responsibility for your data security.
Compliance isn’t security. Meeting minimum regulatory requirements doesn’t mean you’re adequately protected.
Testing must be strategic. A well-planned, multi-year penetration testing strategy that systematically covers your entire IT estate is far more valuable than repeatedly testing the same limited scope.
The organisations that survive in this landscape won’t be the biggest or the most prominent. They’ll be the ones who recognised that invisibility is not a defence strategy, who took ownership of their security posture, and who understood that cyber resilience requires constant vigilance, not false comfort in being “too small to matter.”
Because to a professional attacker, you’re never too small. You’re either too secure to be worth the effort, or you’re not.
Which would you rather be?