Here’s the uncomfortable truth: most small businesses that get hacked believed they were safe. Not because they were careless — because they were working from information that quietly stopped being true.
Modern cyberattacks are automated. There’s no hacker choosing your company by name. There are tools scanning millions of systems simultaneously, looking for the easiest door. They don’t check your company size first.
Below are the seven myths we hear most from small businesses — and one free fix for each.
[Statistic cards from the original page, figures not preserved in this copy: share of attacked SMBs that close within 6 months; share of all data breaches that target small businesses; average cost of an SMB cyberattack.]
“We’re too small to be targeted.”
Every breach in the news involves a bank or hospital. It’s logical to assume hackers only go after big names. If you’re a 10-person firm, why would anyone bother?
The reality
Attack tools scan millions of systems automatically, looking for the easiest entry — not the biggest target. Small businesses are chosen because they tend to have weaker defences.
Small businesses face 350% more social engineering attacks than enterprises
Check your business email address at haveibeenpwned.com. It takes 60 seconds and shows whether that address has appeared in a known data breach, which means your credentials are likely already circulating on the dark web.
“We have antivirus, so we’re protected.”
Antivirus was the answer for 20 years. It still matters — but it’s now one layer in a much larger puzzle, not the whole picture.
The reality
Most successful attacks today contain no malware at all. Phishing steals your login credentials through a fake page. Business email compromise tricks your team into transferring money. Antivirus never sees these coming — they bypass technology and go through people instead.
MFA blocks 99.9% of automated account takeovers
Turn on multi-factor authentication (MFA) on your email. Go to Settings → Security → Two-step verification (the exact menu path varies by email provider, but every major one offers it). This is the single most effective thing you can do right now.
“Cybersecurity is too expensive for a business like ours.”
Search for security solutions and you’re met with enterprise pricing and long contracts. It looks like a six-figure problem. So many businesses do nothing — which turns out to be far more expensive.
The reality
The five things that prevent most SMB breaches cost almost nothing: MFA (free), a password manager (~£3/user/month), automatic updates (free), phishing awareness (free), and tested backups (free tier on most cloud services). The basics cost less than one month’s broadband bill.
MFA: £0
Password manager (10 users): ~£30/month
Download Bitwarden — free for small teams. Set it up in an hour. Everyone stops reusing passwords immediately.
“We don’t have anything worth stealing.”
This one is common among service businesses — a hairdresser, a solicitor, a local retailer. “We’re not a bank.” Fair point. But that’s the wrong question.
The reality
Every business holds customer email addresses (sold in bulk on dark web markets), bank credentials, payroll data, or supplier contacts used for invoice fraud. Ransomware doesn’t care whether your data is sensitive — it encrypts everything and demands payment. Your invoices don’t need to be valuable to be held hostage.
Customer emails sell for $0.10–$10 each
Write down every type of data your business holds — even boring stuff like supplier emails. This simple “data inventory” changes how you think about what you’re actually protecting.
“We back up our data, so ransomware can’t hurt us.”
Backups are the classic ransomware defence. In principle, correct. In practice, most SMB backups are untested, stored on the same network, or destroyed by attackers before ransomware even triggers.
The reality
Modern ransomware gangs spend weeks inside your network before doing anything visible — mapping your systems and destroying backups first. A backup on the same network is just a second copy of what they’ll encrypt. The standard is the 3-2-1 rule: 3 copies, 2 storage types, 1 completely offline.
Only 57% of SMBs test their backups regularly
Pick one important file and try to restore it from your backup right now. If it takes more than 10 minutes, your backup plan isn’t working. Most businesses find this out during a crisis — not before.
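The restore test above is worth turning into something you can repeat every month rather than a one-off. The script below is an added example, not part of the original article or any product it mentions: it builds a small constructed set of business files, archives them the way a simple backup job would, restores one file into a scratch folder, and checks the restored bytes match the original. The directory names, the tar archive and the sample file contents are assumptions for the demo; in real use you would point the backup variable at your actual (ideally offline) backup copy and never restore over live data.

```shell
#!/bin/sh
# Added example (not from the original article): a repeatable backup
# restore test. Paths and sample data below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/live"          # stands in for the live business data
BACKUP="$WORK/backup.tar" # stands in for your backup copy (keep one offline)
RESTORE="$WORK/restore"   # scratch area; never restore on top of live data

# Constructed sample data so the script runs stand-alone.
make_sample_data() {
  mkdir -p "$SRC/invoices"
  printf 'INV-0001,2026-01-15,1200.00\n' > "$SRC/invoices/january.csv"
  printf 'Acme Supplies,accounts@example.com\n' > "$SRC/suppliers.txt"
}

# Create the backup archive. A real job would copy this off the network
# afterwards; the archive is the thing the restore test exercises.
make_backup() {
  tar -cf "$BACKUP" -C "$SRC" .
}

# Restore one file from the archive into the scratch area and compare it
# byte-for-byte with the live copy. Prints the elapsed seconds so you can
# see how long a real restore takes. Returns 0 on a faithful restore,
# 1 if the file is missing from the backup or differs from the original.
restore_test() {
  file="$1"
  start=$(date +%s)
  rm -rf "$RESTORE" && mkdir -p "$RESTORE"
  tar -xf "$BACKUP" -C "$RESTORE" "./$file" 2>/dev/null || true
  elapsed=$(( $(date +%s) - start ))
  if cmp -s "$SRC/$file" "$RESTORE/$file"; then
    echo "OK: $file restored and verified in ${elapsed}s"
    return 0
  fi
  echo "FAIL: $file missing or differs after restore (${elapsed}s)"
  return 1
}

# Stand-alone run: build data, back it up, prove one file comes back intact.
make_sample_data
make_backup
restore_test invoices/january.csv
```

A failing result is the useful one: it means the backup is missing the file, is corrupt, or is stale because the live data changed after the last backup ran. Run the test against a file that matters to the business, and time it with a stopwatch if you prefer; if the answer is "we couldn't find the backup" or "it took an afternoon", that is exactly what the article is warning about.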
“Our staff would never fall for a phishing email.”
People still picture phishing as clunky “Nigerian Prince” scams. Nobody falls for those. The problem is that’s not what phishing looks like in 2026.
The reality
AI-generated phishing emails now achieve a 54% click-through rate — versus 12% for traditional phishing. These emails are grammatically perfect, personalised to your team, and visually identical to legitimate messages. This isn’t a stupidity problem. It’s a professionally engineered deception — and 60% of recipients, including IT professionals, click.
39% of all breaches caused by human error
Quarterly drills cut credential theft by 63%
Run Google’s free phishing quiz at phishingquiz.withgoogle.com in your next team meeting. 10 minutes, no blame, starts the right conversation.
“We passed our compliance audit — we’re secure.”
A compliance certificate — Cyber Essentials, ISO 27001, GDPR — feels like a security seal of approval. You paid for it, passed it, put it on the website. Job done.
The reality
A compliance certificate means your security met a baseline on the day the auditor visited. New vulnerabilities are published every single day. A system secure in January can be critically exposed by March. Think of it like an MOT — it proved your car was roadworthy on one day. That doesn’t mean you skip oil changes for two years.
Compliance = a baseline, not ongoing protection
Set a recurring calendar reminder every month: check automatic updates are on for every device your team uses. This one habit patches the vulnerabilities ransomware most commonly exploits.
You don’t need to fix everything. Fix one thing — this week.
None of the fixes above require an IT team or a big budget. They require an hour of your time and the willingness to stop assuming “it won’t happen to us.”
The 80/20 rule applies: MFA, a password manager, tested backups, automatic updates, and basic phishing awareness prevent the vast majority of attacks targeting businesses your size. Start there.
Pick the myth you recognised most in your own business. Do that one fix today. Then come back for the next one.