Why Small Businesses Are Suddenly Facing Enterprise-Level Cyber Threats

Over the past few years, something has shifted in the cybersecurity world that a lot of small and mid-sized businesses haven’t fully realized yet. The threats that used to be aimed squarely at large enterprises are now showing up every day in organizations with 20, 50, 100, or 300 users. In 2019, attackers stopped caring about the size of the company and started focusing on the softest target with the highest likelihood of paying a ransom.

That means the average regional bank, manufacturing plant, city government office, or healthcare operation is now on the same playing field as the Fortune 500 — but without the same budget, staffing, or tools to defend themselves.


Why attackers changed their tactics

The biggest change came when cybercriminals realized two things:

  1. Small organizations rely heavily on technology but rarely have advanced security.
    A surprisingly high number of businesses are still running outdated antivirus tools, weak passwords, unpatched servers, and exposed remote access.
  2. Ransomware pays — and SMBs are more likely to pay quickly.
    When operations stop, smaller organizations don’t have the luxury of long outage windows or internal recovery teams. They feel the pain immediately.

Attackers don’t need to work harder — they just need to work smarter. And that’s exactly what they’ve done.


What attacks look like now

We're seeing more targeted attacks instead of “spray-and-pray.”
Examples include:

  • Credential stuffing and password spraying campaigns hitting Microsoft 365 and legacy Exchange.
  • RDP brute-force attacks on exposed servers.
  • Phishing emails that look identical to internal requests.
  • Ransomware families like Ryuk, Dharma, and Sodinokibi using multi-stage infiltration techniques.
  • Lateral movement once they get inside — sometimes for weeks — before deploying ransomware.

These attacks are patient, automated, and persistent.


Why traditional tools aren’t stopping these threats

Legacy antivirus is built around a simple idea: compare each file to a list of known-bad items and block anything that matches.

The problem?
Modern threats don’t always use files anymore. They use:

  • built-in system tools
  • memory-resident scripts
  • credential theft
  • remote command execution
  • PowerShell and WMI

If nothing “malicious” lands on the system, traditional antivirus never fires.

This is why so many organizations believe they’re protected… right up until they aren’t.
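
The gap described above, as an added example that is not part of the original post: a hash-list check and a small set of behavior rules run over the same constructed process-creation events. The event fields, hash placeholders, and rule names are assumptions made for illustration and do not represent any specific product's detection logic.

```python
"""Added example: signature matching vs. behavior rules on constructed events."""

KNOWN_BAD_HASHES = {"placeholder-hash-known-bad"}  # stand-in for an AV signature list
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events; hosts, hashes and command lines are illustrative only.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "dropper.exe",
     "hash": "placeholder-hash-known-bad", "cmdline": "dropper.exe"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "hash": "placeholder-hash-signed-ps",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <base64>"},
    {"host": "ws03", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "hash": "placeholder-hash-signed-cmd", "cmdline": "cmd.exe /c <command>"},
    {"host": "ws04", "parent": "explorer.exe", "image": "powershell.exe",
     "hash": "placeholder-hash-signed-ps",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

def signature_verdict(event):
    """Legacy AV model: alert only when the file hash is on the known-bad list."""
    return event["hash"] in KNOWN_BAD_HASHES

def has_encoded_command(cmdline):
    """PowerShell accepts abbreviations of -EncodedCommand (-e, -ec, -enc, ...)."""
    for tok in cmdline.lower().split():
        flag = tok.lstrip("-/")
        if tok[0] in "-/" and flag and ("encodedcommand".startswith(flag) or flag == "ec"):
            return True
    return False

def behavior_verdict(event):
    """EDR-style model: list the reasons process lineage or arguments look suspicious."""
    parent, image = event["parent"].lower(), event["image"].lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office application spawned a script host")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        reasons.append("WMI provider host spawned a script host")
    if image == "powershell.exe" and has_encoded_command(event["cmdline"]):
        reasons.append("PowerShell launched with an encoded command")
    return reasons

def compare(events):
    """Return {host: (signature_hit, behavior_reasons)} for each event."""
    return {e["host"]: (signature_verdict(e), behavior_verdict(e)) for e in events}

if __name__ == "__main__":
    for host, (sig, reasons) in compare(EVENTS).items():
        print(host, "signature:", sig, "behavior:", reasons or "-")
```

Only ws01 trips the hash list. ws02 and ws03 use signed system binaries and surface only through the behavior rules, while the routine admin script on ws04 stays quiet under both.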


What businesses should be doing

Organizations need to start thinking more strategically about security instead of treating it as a checkbox. You don’t need enterprise budgets, but you do need enterprise thinking.

Here’s what’s now considered essential:

  1. Multi-Factor Authentication (MFA) everywhere
    If you only do one thing in 2019, do this.
    Most successful breaches we see begin with a stolen password.
  2. Replace antivirus with EDR
    Endpoint Detection and Response tools look for suspicious behavior — not just known bad files.
  3. 24/7 monitoring
    Attackers don’t wait for business hours.
    Someone needs eyes on your environment around the clock.
  4. User awareness training
    Most attacks still come through email.
    People need to know how to spot a well-crafted phish.
  5. Regular patching and vulnerability remediation
    Too many compromises still come from missing a simple update.

What this means moving forward

Small and mid-sized organizations aren’t “too small to target” anymore. They’re targets because they’re easier to compromise. The good news is that the same protections used by enterprises are now accessible and affordable for SMBs — as long as they make security a priority.

Now is the time that every organization, regardless of size, needs to start treating cybersecurity as a strategic business function, not an afterthought.