Small Businesses Get Hit by Hackers Three Times More Often Than Large Ones

Your reception opens at 9am, the phones start, and somewhere on a server in Eastern Europe a script is quietly testing the login page of a small professional services business. Not a bank. Not a hospital. A business exactly like yours. Researchers at Barracuda Networks analysed millions of emails across thousands of organisations and found that employees at businesses with fewer than 100 staff face 350% more social engineering attacks than those at large companies. The assumption that small businesses fly under the radar turns out to be wrong.

The reason is straightforward. Hackers are running a numbers game. A large corporate has a dedicated security team, layered defences, and incident response procedures. A small business often has an antivirus subscription and good intentions. That gap is exactly what attackers are looking for. They can breach more small businesses with less effort, and the payoff adds up. Every business holds data worth stealing - client records, payment details, employee information, login credentials. That information sells on criminal markets regardless of whether it came from a 10-person practice or a 1,000-person company.

There is also a less obvious risk. Many small professional services businesses are digitally connected to larger clients - sharing portals, accessing systems, exchanging files. A breach at your end can become a stepping stone into a client's network. That makes you a target not just for your own data, but for what your access enables elsewhere. It is not a theoretical risk. Supply chain attacks through smaller vendors are now one of the more common ways large organisations get compromised.

The other consistent weakness is people. Phishing - emails designed to trick staff into clicking a link or opening a file - is behind more than 80% of data breaches. A convincing email lands in an inbox, someone clicks without thinking, and the attacker is in. No amount of technical protection fully compensates for staff who have not been shown how to spot these attempts. Ongoing security awareness training is not optional extra spending. It is a basic layer of defence, the same way locking the front door is not optional.

What good looks like is not complicated, but it does require someone to actually set it up and maintain it. It means having more than one layer of security - not just antivirus, but proper controls on who can access what, multi-factor authentication on all accounts, monitored backups that are actually tested, and staff who know what a phishing email looks like. When these things are in place, your practice does not become invulnerable, but it stops being the easy target. Attackers move on to something that requires less effort.

The practical step is to get an honest picture of where your business currently sits. Most small practices have gaps they are not aware of - not because anyone has been careless, but because IT security has never been properly reviewed. A managed IT provider who works with professional services businesses can go through this with you and tell you what actually needs fixing, in plain terms.

ITstuffed works with small professional services businesses across Canterbury on exactly this. You can find out more about how we approach cybersecurity for NZ businesses, or book a 15-minute IT Fit Check at itstuffed.co.nz/booking to get a clear picture of where your business stands.