Sixty percent of small business owners believe their business is too small to be targeted by cybercriminals. It is one of the most consistent findings in SMB cybersecurity research, and one of the most consequential.
KPMG's 2024 survey of Canadian SMB leaders found that 72 percent reported being attacked by cybercriminals in the past year, up from 63 percent the year before. IBM reports that the average cost of a data breach in Canada reached CA$6.98 million in 2025. A global Mastercard survey of small and medium-sized enterprises found that nearly one in five businesses that suffered a cyberattack then filed for bankruptcy or closed.
These are not enterprise numbers describing enterprise problems. They are SMB numbers describing the businesses that believe they are below the threshold of interest. The gap between that belief and the data it contradicts is where most of the exposure lives.
This article is not a technical guide to cybersecurity implementation. It is a leadership guide to understanding what the risk actually looks like, how it changes as the business grows, and what the accidental tech boss is genuinely responsible for — separate from what belongs to technical specialists.
Why the "Too Small to Target" Assumption Is Wrong
The assumption that small means invisible is built on a misunderstanding of how most cybercrime works.
Enterprise-level attacks are often targeted — a sophisticated actor researches a specific organization, identifies its vulnerabilities, and executes a deliberate campaign. That kind of attack does tend to favor larger, higher-value targets. But the majority of attacks on small businesses do not work that way. They are automated, opportunistic, and scale-agnostic. They probe for accessible systems, unpatched software, reused credentials, and employees who do not recognize a phishing attempt. The size of the business is not the variable. The accessibility of the vulnerability is.
Small businesses are often the most accessible targets precisely because they have invested least in protection. A sole proprietor running their business from a personal laptop with no multi-factor authentication and reused passwords is not below the threshold of interest. They are an easy entry point.
As one security practitioner summarized it: you are never too small to get hit. You are just too small to make the news.
How the Risk Grows With the Business
Cybersecurity risk does not arrive at a fixed level and stay there. It scales with every phase of business growth, and it scales faster than most businesses recognize.
In the earliest stages of a small business, the attack surface is genuinely limited. One or two people, a handful of accounts, minimal customer data. A successful attack would be damaging, but the scope of what the business holds is narrow enough to constrain the damage.
As the business grows and adds team members, tools, and customers, the picture changes fundamentally. The Scrappy-to-Leading framework describes a phase many growing SMBs move through called Tool Soup: a stage characterized by multiple disconnected platforms adopted in response to individual operational needs, without anyone holding the full picture of how they connect.
By the time a business reaches Tool Soup, it typically has multiple team members with access to multiple systems, customer data accumulated across years of growth distributed across platforms that were never designed to work together, and no formal inventory of what the business holds or who can reach it. The business has grown. The attack surface has grown with it. The security posture, in most cases, has not kept pace with either.
This combination is what makes the Tool Soup phase particularly dangerous from a cyber risk perspective. The business now holds enough data to be worth targeting. It lacks the structural clarity to know where its vulnerabilities are. And it often has an informal assumption — rather than a formal assessment — that IT is handled.
The risk does not wait for the business to feel ready. It grows alongside every new team member, every new tool, and every new piece of customer data the business accumulates.
The Human Factor Is a Leadership Problem
Verizon's 2024 Data Breach Investigations Report found that the human element was involved in 68 percent of breaches. That figure has remained consistent across years of research, and it points directly to a question about ownership that most SMB leaders have not answered.
Phishing attacks succeed because someone clicks. Ransomware gets installed because someone opens an attachment. Credentials get compromised when someone reuses a password across platforms or responds to a convincing impersonation of a known contact. The firewall and the antivirus software cannot protect against a team member who does not know what a threat looks like or what to do when they encounter one.
An IT provider can configure controls, monitor systems, and respond to incidents. They cannot make the team understand what the business is risking. That responsibility remains with leadership, whether anyone has named it or not.
The gap between the threat and the team's awareness of it is significant. Research from the Insurance Bureau of Canada found that 25 percent of employees do not feel they have the tools and training needed to identify potential threats at work, and 40 percent have noticed an increase in scam attempts over the last twelve months. The threat is visible to the people inside the business. The organizational response to it often is not.
This is a leadership problem, not a technology problem. The technical controls reduce exposure to the portion of threats that do not involve human judgment. The rest requires that someone in leadership has taken responsibility for whether the team knows what it is looking for.
The Three Assumptions That Create the Most Exposure
In businesses that experience a serious breach without having prepared for one, the same beliefs tend to appear in the aftermath.
The size assumption is the belief that being small means being below the threshold of interest. As the data makes clear, this conflates targeting preference with attack mechanics. Automated attacks probe for accessible vulnerabilities. Small businesses with minimal protection are accessible. The revenue of the business is not the relevant variable.
The delegation assumption is the belief that having an IT provider or an internal IT person means cybersecurity is handled. IT providers can implement controls, monitor systems, and respond to incidents. They cannot make the business responsible for understanding its own exposure. An accidental tech boss who cannot describe what data the business holds, who currently has access to it, and what would happen if it were lost or compromised has not delegated cybersecurity. They have abdicated it. The distinction matters enormously when something goes wrong.
The insurance assumption is the belief that a cyber insurance policy means the business is covered. Insurance may transfer some financial consequences of a breach. It does not transfer the operational disruption, the client trust erosion, the regulatory scrutiny, or the leadership accountability that follows. It does not prevent the kind of cascading business disruption that leads nearly one in five attacked SMEs to file for bankruptcy or close. Insurance is a component of a risk strategy. It is not a substitute for one.
What the Accidental Tech Boss Is Actually Responsible For
This is not a technical checklist. The implementation of cybersecurity controls belongs to specialists with the expertise to configure, monitor, and update them. What belongs to leadership is the set of questions that makes those controls coherent — and the accountability for asking them.
The questions are not complicated. Where does the business hold data, and whose data is it? Who currently has access to the core systems, and when was that access last reviewed? What would happen operationally if the business lost access to its systems for a week? Does the business have an incident response plan, and has anyone on the team actually read it?
The answer to those questions determines whether the business is approaching cyber risk as a managed exposure or an ignored one. The Insurance Bureau of Canada found that 69 percent of small-business employers do not consider cybersecurity a financial priority. KPMG found that 66 percent of Canadian SMB leaders say they do not have a plan to address a potential ransomware attack. Those two findings, read together, describe a large portion of the SMB market that has accepted significant operational risk without making a deliberate decision to do so.
Accepting a risk is sometimes the right leadership call. Accepting it without knowing you have done so is not a strategy. It is an assumption, and in cybersecurity, assumptions are reliably the point of entry.
The Risk-Based Approach
A risk-based approach to cybersecurity does not require enterprise-level investment or a dedicated security team. It requires an honest assessment of what the business holds, what the consequences of losing it would be, and what minimum controls would address the most significant exposures.
That assessment has three components that belong at the leadership level before any technical conversation begins.
The first is an inventory of exposure: what data does the business hold, where does it live, and who can access it? For most SMBs, the honest answer to this question involves more uncertainty than leaders expect. Customer records, employee information, financial data, and communications are often distributed across systems with no single owner of the complete picture.
The second is a consequence assessment: what would actually happen if the business lost access to its core systems for a week, or if client data were compromised and disclosed publicly? The operational, financial, and reputational consequences of that scenario should inform how much protection is warranted.
The third is an accountability assignment: who in the business is responsible for the cybersecurity posture, and what does that responsibility actually include? Not who manages the technical infrastructure, but who is accountable for understanding whether the business's exposure is acceptable and whether the controls in place are adequate to address it.
With those three components established, the conversation with technical specialists becomes coherent. The controls can be evaluated against an actual risk picture rather than a generic checklist.
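The three components above can be held as a simple structured record rather than a mental note. The following is an added example, not code from the original article or from the Scrappy-to-Leading framework: a small Python risk register that captures the inventory of exposure (what data, where, whose, who can reach it), the consequence assessment (a 1 to 5 rating), and the accountability assignment (a named owner), then flags the gaps a leader should be able to answer for before talking to a technical provider. The asset records are constructed sample data, and the 90-day access-review threshold, the 1 to 5 consequence scale, and the three named controls (mfa, backup, incident_plan) are assumptions for illustration, not figures from the article.

```python
"""Leadership-level cyber risk register (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

REVIEW_MAX_AGE_DAYS = 90   # assumption: access lists reviewed at least quarterly
HIGH_CONSEQUENCE = 4       # assumption: 1 = nuisance ... 5 = business-ending
EXPECTED_CONTROLS = ("mfa", "backup", "incident_plan")  # assumed minimum set


@dataclass
class DataAsset:
    """One entry in the inventory of exposure."""
    name: str
    location: str                          # system or platform where it lives
    data_subject: str                      # whose data it is
    owner: Optional[str]                   # accountable person; None = nobody named
    access: List[str]                      # people or roles who can reach it
    last_access_review: Optional[date]     # None = never reviewed
    consequence: int                       # impact if lost or disclosed, 1..5
    controls: Set[str] = field(default_factory=set)


def assess(assets: List[DataAsset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for every gap a leader should close."""
    findings = []
    for a in assets:
        if a.owner is None:
            findings.append((a.name, "no accountable owner"))
        if a.last_access_review is None:
            findings.append((a.name, "access never reviewed"))
        else:
            age = (today - a.last_access_review).days
            if age > REVIEW_MAX_AGE_DAYS:
                findings.append((a.name, f"access review stale ({age} days)"))
        # High-consequence data is where missing basic controls matter most.
        if a.consequence >= HIGH_CONSEQUENCE:
            for ctrl in EXPECTED_CONTROLS:
                if ctrl not in a.controls:
                    findings.append((a.name, f"high consequence but no {ctrl}"))
    return findings


def prioritize(assets: List[DataAsset], today: date) -> List[Tuple[str, int]]:
    """Rank assets by consequence x number of open findings, highest first."""
    findings = assess(assets, today)
    scored = []
    for a in assets:
        open_count = sum(1 for name, _ in findings if name == a.name)
        scored.append((a.name, a.consequence * open_count))
    return sorted(scored, key=lambda s: (-s[1], s[0]))


# Constructed sample inventory for a small business in the "Tool Soup" phase.
TODAY = date(2025, 6, 30)
SAMPLE_ASSETS = [
    DataAsset("Customer CRM records", "CRM SaaS", "customers", "Ops lead",
              ["sales team", "ops lead", "founder"], date(2025, 5, 15), 5,
              {"mfa", "backup", "incident_plan"}),
    DataAsset("Invoice and banking exports", "shared drive", "customers/finance",
              None, ["everyone"], None, 5, {"backup"}),
    DataAsset("Employee HR files", "email attachments", "employees", "Founder",
              ["founder", "former bookkeeper"], date(2025, 1, 10), 4, {"mfa"}),
    DataAsset("Marketing newsletter list", "email platform", "customers",
              "Marketing", ["marketing"], date(2025, 6, 1), 2, set()),
]

if __name__ == "__main__":
    for name, finding in assess(SAMPLE_ASSETS, TODAY):
        print(f"{name}: {finding}")
    print("priority order:", prioritize(SAMPLE_ASSETS, TODAY))
```

Running it lists seven gaps on the sample data and ranks the ownerless, never-reviewed banking exports first. The register answers the leadership questions from the article directly (where the data is, whose it is, who can reach it, who is accountable) and leaves the choice and configuration of the controls themselves to the technical specialists.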
Where Operating Maturity and Cyber Risk Intersect
The Scrappy-to-Leading framework maps five phases of SMB operating maturity. Cybersecurity risk is not separate from that progression. It is embedded in it.
Businesses in the early phases face real but narrow risk — limited data, limited access, limited consequences. Businesses in the middle phases face growing risk without the structure to manage it. Businesses in the later phases that have built genuine operating discipline are typically the ones that have also made intentional decisions about their security posture, either because they were required to by clients or regulators, or because a scare somewhere along the way made the risk concrete.
Understanding where your business sits in that progression is the starting point for knowing which cyber risk questions matter most right now. Our assessment takes less than 10 minutes and produces a specific read on your current operating phase and the decisions most likely to move you forward.
The cyber risk conversation belongs in that context — not as a standalone technology project, but as part of understanding what the business is building and what it is worth protecting. Our tool will tell you exactly where you stand.