TL;DR: Automated scanning, ransomware-as-a-service, and supply chain abuse have erased the old assumption that small and medium-sized businesses are too small to target, according to Senserva. The real security shift is from obscurity and perimeter thinking to assume-breach operations that can withstand industrialised attacks.
At a glance
What this is: This article argues that automation has made size irrelevant in modern cyber targeting and that assume-breach security is now the baseline.
Why it matters: For IAM and security teams, the message is that identity, access, monitoring, and response controls must be designed for continuous attack pressure, not organisational size.
By the numbers:
- Over 40% of cyberattacks now target small businesses.
👉 Read Senserva's analysis of why every organisation is now a cyber target
Context
The old idea that a small organisation can stay safe by staying unnoticed no longer holds. Automated scanning, ransomware-as-a-service, and supply chain abuse have turned cyber targeting into a scale problem, not a size problem, and that changes how identity, access, and response programmes should be built.
For IAM leaders, the practical consequence is that security cannot be justified only by headcount or organisational profile. Continuous monitoring, least privilege, incident readiness, and security awareness now need to cover the same attack pressure that larger enterprises face, because attackers no longer ration effort by target size.
Key questions
Q: How should small organisations respond to automated cyberattacks?
A: They should stop treating size as a security control and instead reduce exposure, harden identity paths, and monitor continuously. Automated attacks do not care how many employees you have. The priority is to make public services, privileged accounts, and third-party connections harder to enumerate and faster to contain when something goes wrong.
Q: Why do small businesses get targeted even when attackers can go after larger firms?
A: Because automation makes volume more profitable than precision. Attackers can scan thousands of organisations, exploit weak controls, and monetise the easiest wins through ransomware, fraud, or supply chain access. Smaller firms often have weaker monitoring and recovery, which increases the chance of successful extortion.
Q: What do security teams get wrong about security through obscurity?
A: They confuse being less visible with being less exposed. Internet-facing systems, credentials, and third-party links are discoverable at scale, so obscurity does not stop automated probing. Real protection comes from reducing the attack surface and validating that exposed controls work under pressure.
Q: Who is accountable when a supplier connection is abused in an attack?
A: Both parties are accountable for their own control scope. The supplier must govern the access it holds, and the customer must review what trust it has delegated. If offboarding, revocation, and monitoring are not explicit, the identity relationship itself becomes part of the attack path.
Technical breakdown
Why automated scanning changes the threat model
Automated scanning turns target selection into a machine process. Instead of an attacker choosing one organisation and crafting a bespoke path, internet-wide scanners probe for exposed services, weak credentials, and misconfigurations continuously. That means attack volume scales independently of organisational size. Once a weakness is present, the organisation is effectively in the queue. This is why traditional obscurity-based assumptions fail: being small, niche, or less visible does not materially reduce exposure when adversaries can enumerate the public attack surface at scale.
Practical implication: reduce exposed services and validate internet-facing identity and access controls continuously, not on an annual review cycle.
How ransomware-as-a-service industrialises compromise
Ransomware-as-a-service lowers the barrier to entry by separating malware development from operational deployment. Affiliates can rent tooling, infrastructure, and extortion workflows, which expands the pool of active attackers and standardises attack methods. The result is a repeatable business model rather than a one-off intrusion. For defenders, that means access abuse, privilege misuse, and recovery disruption are not rare events reserved for large enterprises. They are predictable outcomes when controls are weak enough to be rentable at scale.
Practical implication: treat privileged access, backup recovery, and incident isolation as core control planes rather than optional resilience extras.
Why supply chain compromise makes every smaller vendor strategic
Smaller organisations are often easier to breach and can provide access to larger customers, shared platforms, or trusted integrations. In that model, the target is not only the small organisation itself, but its identity links into other environments. Supply chain compromise therefore converts vendor trust into an attack path. The security issue is not just direct exposure. It is delegated access, shared credentials, and trusted connectivity that outlive the security posture of the smaller party.
Practical implication: inventory third-party access, limit delegated trust, and review offboarding and token revocation as part of supplier risk management.
Threat narrative
Attacker objective: The attacker aims to monetise weak controls through ransomware, data theft, or supply chain reach into larger environments.
- Entry occurs through automated internet-wide scanning, ransomware affiliate tooling, or trusted third-party access that reaches a small organisation without requiring it to be individually selected.
- Escalation follows when weak identity controls, exposed services, or insufficient monitoring let attackers move from initial access to privilege abuse, data theft, or ransomware deployment.
- Impact is business disruption, data loss, extortion pressure, and in some cases downstream compromise of larger partners connected through the smaller organisation.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Every organisation is a target because cybercrime is now industrialised, not bespoke. The article is right to reject the comforting idea that smaller businesses are below an attacker’s radar. Automated scanning and ransomware-as-a-service mean that exposure, not enterprise size, determines whether an organisation gets hit. For identity and security teams, that means governance must assume continuous hostile discovery rather than selective targeting.
Assume-breach thinking is now an operational requirement, not a maturity slogan. The security posture described here only works if every control is designed to fail safely, because the attacker does not need to defeat the whole environment at once. Continuous monitoring, rapid response, and validated recovery are the disciplines that matter when compromise is a normal operating assumption. Practitioners should treat this as a baseline design rule, not an aspirational strategy.
Supply chain trust has become an identity problem as much as a vendor risk problem. Smaller organisations often sit inside larger ecosystems through delegated access, integrations, and shared credentials. That creates identity blast radius: a weak or under-governed third party can become an entry point into stronger environments. The practitioner takeaway is to govern external access as part of identity architecture, not as a separate procurement checkbox.
Security through obscurity has failed because attackers no longer need to care who you are. The article captures a broader market shift that identity programmes must absorb. Visibility, privilege control, and recovery readiness now matter more than organisational profile, which means SMBs need the same control logic as enterprises even if they cannot match enterprise budgets. The programme implication is to prioritise controls by blast radius, not by company size.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- For a broader governance lens, Ultimate Guide to NHIs , Key Challenges and Risks shows why exposure, rotation, and offboarding remain persistent control failures.
What this signals
Identity blast radius is the right way to think about this shift. When automated attackers can scan continuously, the question is no longer whether a small business is visible enough to matter, but how far compromise can travel once it lands. That is why delegated access, privileged sessions, and third-party tokens must be governed as a single exposure surface.
A small organisation’s security programme now needs enterprise-grade visibility even if the budget is not enterprise-grade. The practical signal for practitioners is whether they can detect exposed access paths, isolate a compromised identity, and revoke trust quickly enough to limit business interruption. Controls that are only tested on paper will not survive industrialised attack pressure.
The programme implication is simple: prioritise the identity relationships that extend your attack surface, then test whether you can close them under pressure. The most dangerous gap is not lack of policy. It is the false belief that obscurity still buys time.
For practitioners
- Inventory exposed identity and access paths Identify every externally reachable system, remote access path, and third-party integration, then confirm which credentials or tokens can touch them. Focus on what an attacker can enumerate from the public internet rather than what your internal diagrams show.
- Build assume-breach response into access design Make monitoring, alerting, and isolation part of the access model so that privileged sessions, admin accounts, and recovery channels can be contained quickly when compromise occurs. A control that cannot be monitored in real time is not ready for industrialised attacks.
- Review third-party trust as identity scope Map vendor accounts, API keys, SSO links, and shared administrative paths, then confirm revocation works when a supplier relationship changes. Offboarding, token invalidation, and delegated access review should be tested like any other high-risk identity process.
- Stress-test recovery and containment paths Run exercises that measure how quickly you can isolate a compromised tenant, rotate credentials, and restore service without relying on manual heroics. The goal is to reduce the attacker’s business value before extortion or disruption can scale.
Key takeaways
- Automation has made organisation size a poor predictor of risk, because attackers now probe the whole internet continuously.
- Supply chain access and delegated trust turn smaller firms into strategic entry points, not just isolated targets.
- Security programmes must be built around exposure reduction, continuous monitoring, and tested containment rather than obscurity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IP-4 | Continuous assessments fit the article's shift from reactive to proactive security. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Assume-breach and continuous verification align with zero-trust access decisions. |
| NIST SP 800-63 | Identity assurance matters where human accounts and remote access are part of the attack surface. |
Build recurring validation into security operations and treat control drift as a routine risk signal.
Key terms
- Assume-breach model: An operating approach that designs security as if compromise may already exist somewhere in the environment. It shifts attention from preventing every intrusion to limiting blast radius, detecting abnormal access, and preserving response capability when controls fail.
- Attack surface: The total set of reachable systems, identities, and trust relationships an attacker can discover and target. In practice, it includes exposed services, credentials, tokens, vendor connections, and recovery paths that can be enumerated or abused from outside the organisation.
- Identity blast radius: The amount of damage that can spread once an identity path is compromised. It is shaped by privilege, delegation, trust chaining, and offboarding quality, and it is often the best measure of whether access governance is actually limiting risk.
- Security drift: A gradual departure between intended security settings and what is actually deployed. Drift matters because controls that were once correct can become weak through misconfiguration, exception creep, or unreviewed changes, leaving organisations exposed without obvious warning.
What's in the full article
Senserva's full article covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of how Drift Manager searches for configuration drift across deployed security products.
- Details on how user-defined rules can be applied across specific tenants for ongoing validation.
- Examples of ticketing-system integration that automate remediation tracking from discovery to closure.
- The mechanics of automatic ticket closure after remediation validation, useful for operational teams.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org