Subscribe to the Non-Human & AI Identity Journal

Why do small businesses get targeted even when attackers can go after larger firms?

Because automation makes volume more profitable than precision. Attackers can scan thousands of organisations, exploit weak controls, and monetise the easiest wins through ransomware, fraud, or supply chain access. Smaller firms often have weaker monitoring and recovery, which increases the chance of successful extortion.

Why This Matters for Security Teams

Small businesses are not targeted because they are uniquely valuable; they are targeted because they are easier to compromise at scale. Automated attackers do not need a tailored campaign when a weak credential, exposed API key, or unmonitored service account can unlock immediate monetisation. That logic applies to ransomware, payment fraud, and supply chain abuse alike. The Ultimate Guide to NHIs — Why NHI Security Matters Now shows how often organisations underestimate non-human identity exposure, while CISA cyber threat advisories continue to reflect the same pattern: attackers prioritise reachable, poorly governed entry points over prestigious ones.

For smaller firms, the problem is not just limited budget. It is the combination of flatter control ownership, fewer security specialists, and faster business pressure to “just make it work.” That often leads to long-lived secrets in code, shared admin accounts, and gaps in offboarding. In practice, many security teams encounter compromise only after an invoice, mailbox, or backup job has already been abused, rather than through intentional detection.

How It Works in Practice

Attackers usually treat small businesses as part of a large automated harvest. They scan for exposed credentials, weak remote access, stale service accounts, and third-party integrations, then move quickly from initial access to monetisation. This is where non-human identities become the real prize. NHIs often outnumber human identities by orders of magnitude, and once a token, API key, or cloud role is captured, the attacker can act with machine speed.

That is why the operating model matters more than the organisation’s size. Static, role-based access often assumes a predictable user pattern, but an agent, script, or automated workflow may need access only for a specific task, in a specific context, and for a short duration. Current guidance suggests combining workload identity with just-in-time access so the system proves what it is before it receives anything powerful. Frameworks such as SPIFFE and policy engines like Open Policy Agent are commonly used to support that model, though there is no universal standard for all environments yet.

  • Use short-lived credentials instead of long-lived static secrets wherever possible.
  • Bind access to workload identity, not to a shared account or flat network trust.
  • Revoke or expire tokens automatically when the task ends.
  • Evaluate access at request time with current context, not only at provisioning time.

NHIMG research shows the stakes clearly: the 52 NHI Breaches Analysis and the Ultimate Guide to NHIs — Key Challenges and Risks both point to weak lifecycle control, excessive privilege, and poor visibility as recurring failure modes. These controls tend to break down when small teams rely on shared admin access and embedded secrets because there is no disciplined offboarding or rotation process.

Common Variations and Edge Cases

Tighter control over secrets and access often increases operational overhead, requiring organisations to balance security gains against delivery speed and staffing constraints. That tradeoff is real, especially where a small business depends on a handful of vendors, legacy applications, or one person who “owns” everything.

There is also a difference between opportunistic crime and targeted intrusion. In many cases, small businesses are not the primary objective at all; they are a stepping stone to a larger customer, supplier, or payment path. Current guidance suggests treating third-party access and machine-to-machine trust as first-class risk areas, because attackers frequently exploit the least protected link in a connected workflow. The Anthropic report on AI-orchestrated cyber espionage and MITRE ATLAS adversarial AI threat matrix both reinforce the speed and adaptation advantage that automation gives attackers.

For smaller organisations, the practical answer is not “be too small to matter.” It is to reduce the value of each credential, shorten its lifetime, and remove any assumption that a tool, script, or agent will behave predictably just because it is not human. Best practice is evolving, but the direction is clear: if access can be automated, so can abuse.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Covers secret rotation and lifecycle gaps common in small-business compromises.
NIST CSF 2.0 PR.AC-4 Least-privilege access is central when attackers target weak identities at scale.
NIST AI RMF GOVERN Autonomous and automated abuse requires clear accountability and oversight.

Assign ownership for machine identities and define who approves, monitors, and revokes access.