23 June 2026
Why the small business is a target, and what almost no one takes seriously
It is precisely the small business that is a target for hackers. We filter out the scaremongering and name the three things that really get left undone.
Why the small business is a target, and what almost no one takes seriously
This article is loosely based on 60 Small Business Cybersecurity Statistics to Know in 2026 (Spacelift).
There is a persistent idea that hackers only go after big companies. A small business, a practice run from home, an association with a simple website: who would be interested in that? The uncomfortable answer is that the very lack of attention to security is what makes it attractive. Not despite, but because of the assumption that you are too small.
First, clearing away the scaremongering
A great many large numbers circulate about cybersecurity, and not all of them are correct. A well-known example is the claim that sixty percent of small businesses go under within half a year of an attack. That one, as Spacelift notes, has been officially debunked by the organisation it was usually attributed to. We therefore treat such figures with caution, because exaggeration does not help you. What remains is alarming enough without embellishment.
What the serious sources do show
The Verizon Data Breach Investigations Report shows that smaller organisations experience a confirmed breach about four times as often as large ones. And the nature of the attacks differs: among small and medium-sized businesses in 2025, roughly 88 percent of breaches involved ransomware, against about 39 percent at large organisations. That is a big difference, and it says something about who the easy prey is.
The cause is often surprisingly simple. According to figures gathered by StrongDM, about 80 percent of all hacks begin with a stolen or weak password. And one of the simplest defences goes unused: multi-factor authentication, logging in with an extra step alongside your password, blocks nearly all automated login attacks. Yet an estimated 65 percent of small and medium-sized businesses do not use that extra step.
The three things that keep getting left undone
If you filter out the noise, a few sober matters remain that keep coming back. The first is the password: too simple, reused too often, too rarely replaced by an extra login step. The second is the human being: most breaches do not begin with a brilliant technical trick, but with a fake email that someone trusts at the wrong moment. The third is the idea that it will be fine, that you are too small to be of interest. That last one is not a technical problem but a thinking error, and that error is precisely the opening.
An honest note
Security is not a one-off purchase but a habit. And it does not have to be expensive or complicated to begin: an extra login step, a password manager, a backup that is genuinely separate from your system. That is no guarantee, but the difference between an open and a closed door is often exactly that small.
What PVwebsites does with this
Security is one of the four things we look at when we analyse your website. We do not run a penetration test and we do not fix your security for you, but we make visible whether the basics seem in order: whether your connection is properly secured and whether the first signals add up. Stated honestly, so you know what the conversation with your web manager should be about.
The PVwebsites tool is an accessible and affordable way to look at the current state of your website from several angles. The Vision Document that comes out of it can bring you new insights and ideas, for just €9.95. A subscription will follow soon, letting you track over time how changes to your website keep producing different results. More insight, at an affordable price.