TL;DR: Scattered Spider’s shift from retail to insurance and aviation, alongside Microsoft’s finding that 80% to 90% of ransomware targets are SMBs, shows how smaller organisations are being selected for weaker resilience and faster pay decisions, according to GlobalSign and Microsoft. The control gap is not size but preparedness: access, recovery, and incident response discipline now matter more than brand scale.
At a glance
What this is: This article argues that SMBs are increasingly targeted because attackers see weaker recovery capacity, thinner security budgets, and lower preparation, while Microsoft data shows SMBs now make up most ransomware targets.
Why it matters: For IAM and security teams, the lesson is that resilience depends on identity controls, recovery planning, and governance maturity, not company size, especially where secrets, access, and third-party trust are involved.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read GlobalSign's analysis of why SMBs are increasingly targeted by cyberattacks
Context
Small and midsize businesses are attractive to attackers when they combine limited security staffing, weaker recovery options, and a higher likelihood of paying to restore operations. In practice, that means the real vulnerability is not business size but the maturity of access control, backup discipline, and incident readiness. The same pattern shows up in identity governance when organisations cannot see, rotate, or revoke credentials quickly enough.
The article also touches a genuine identity and NHI angle: phishing, account misuse, MFA, certificates, and API keys all sit inside the trust layer that attackers exploit before they reach data or ransomware impact. In smaller environments, human identity controls and non-human identity governance often fail together, which makes SMB resilience an IAM and PAM problem as much as a cyber hygiene problem.
Key questions
Q: What fails when SMBs rely on standard MFA without stronger identity governance?
A: MFA reduces password replay, but it does not solve over-privileged accounts, long-lived tokens, exposed certificates, or weak offboarding. In smaller organisations, attackers often pivot from one trusted login to broader access because recovery and review processes are underdeveloped. The control failure is not authentication alone, but lifecycle governance across the full identity estate.
Q: Why do ransomware groups target smaller organisations with weaker identity controls?
A: They target organisations where disruption creates outsized pressure to restore service quickly. When access reviews, rotation, and backup validation are immature, attackers can move faster and extract more leverage from a smaller team. Weak identity governance makes it easier to preserve access, repeat entry, and force payment or rushed recovery.
Q: How do organisations know if identity governance is actually reducing ransomware exposure?
A: The strongest indicator is not how many policies exist but how quickly teams can identify, certify, and revoke high-risk access across employees, partners, and non-human identities. If access reviews still take weeks and orphaned accounts remain active, the programme has visibility but not control. Effective governance shrinks reachable systems before an attack begins.
Q: Who is accountable when a stored credential is abused during a breach?
A: Accountability sits with the organisation that owns the credential lifecycle, not the user who happens to know the password. If the enterprise allows unmanaged sharing, poor offboarding, or weak recovery validation, the governance failure is structural and should be mapped to IAM, security operations, and application ownership.
Technical breakdown
Why SMBs are attractive targets for ransomware crews
Attackers do not need the largest enterprise to profit. They look for organisations where disruption is expensive, recovery is slow, and negotiation pressure is high. SMBs often have fewer backups, less segmentation, and less mature access governance, which shortens the path from initial access to operational impact. In identity terms, once an attacker can misuse a user account, token, or certificate, they often encounter little internal resistance before privilege expansion. The result is a low-friction target with high leverage.
Practical implication: map which user and service identities would let an attacker move fastest from login to business disruption.
How MFA, access controls, and certificates fit into SMB defence
Multi-factor authentication helps reduce credential replay, but it is not a complete control plane. Attackers still succeed when token lifetimes are long, privileged accounts are overexposed, certificates are manually maintained, or phishing bypasses poor recovery procedures. That is why the article’s mention of automated security features matters less as a product point and more as a governance signal: identity controls must be operational, not aspirational. For SMBs, certificate lifecycle management and secret handling are part of the same defence chain as human authentication.
Practical implication: treat certificates, API keys, and privileged accounts as one governed access estate, not separate teams’ problems.
Why recovery planning changes the attacker's economics
Ransomware succeeds when the victim cannot restore fast enough to avoid downtime, reputational damage, or regulatory exposure. Recovery planning therefore changes the economics of attack by reducing the leverage attackers expect. That includes incident response playbooks, tested backups, offboarding processes, and clear ownership for revoking access during containment. Where identity controls are weak, a breach becomes persistent because the attacker can return through the same account, secret, or third-party access path. Effective recovery planning closes that loop.
Practical implication: test whether compromised identities can be revoked and restored before the attacker’s access window closes.
Threat narrative
Attacker objective: The attacker’s objective is to convert a small organisation’s weaker recovery posture into fast financial payoff through extortion, data theft, or service disruption.
- Entry often begins with phishing, stolen credentials, or abused third-party access that gives the attacker a trusted foothold in a smaller environment. Escalation follows when privileged accounts, tokens, or weak recovery processes let the attacker expand access and suppress detection. Impact arrives as ransomware, data theft, or operational shutdown, with SMBs especially exposed because downtime pressure can force payment or hurried restoration.
NHI Mgmt Group analysis
SMB cyber resilience is fundamentally an identity governance problem. The article frames resilience as a budget issue, but the deeper issue is whether an organisation can see, control, and revoke the identities that attackers use first. MFA, certificate handling, and privileged access are part of the same control surface, and weak governance in any one area enlarges the blast radius. For practitioners, resilience starts with identity inventory and control ownership.
Certificate lifecycle and secrets handling are now SMB risk multipliers. The article notes that certificate renewal and manual processes can become unsustainable, which is exactly where NHI exposure grows. Service accounts, API keys, and TLS certificates are non-human identities, and when they are not rotated or offboarded cleanly, attackers inherit durable access. For practitioners, lifecycle management must cover machine credentials as explicitly as employee accounts.
Preparedness matters more than size because attackers optimise for recovery pressure. Smaller organisations are attractive when incident response is immature and downtime tolerance is low. That means ransomware is not only a malware problem but a governance problem about backup validation, privilege containment, and decision speed. For practitioners, incident planning should be measured by how quickly access can be cut off and business functions restored.
Trust workflows need to be designed for third parties, not just employees. The article points to ecosystems, partners, and cloud providers, which is where SMBs often inherit access without equal governance. Every external integration can become a credential dependency if ownership, expiry, and revocation are unclear. For practitioners, third-party access must be included in IAM and PAM review cycles, not treated as a procurement afterthought.
Identity visibility is the named concept that separates manageable SMB risk from hidden compromise. When organisations cannot see service accounts, certificates, and privileged access paths, they cannot contain what they cannot locate. That visibility gap is the reason even modest attacks can become persistent. For practitioners, a complete identity inventory is the first resilience control, not a reporting luxury.
What this signals
Identity visibility is becoming a resilience metric for SMBs. If an organisation cannot account for service accounts, certificates, and partner access, it cannot contain a compromise quickly enough to blunt ransomware leverage. The practical benchmark is not just detection time but the speed of revocation and restoration across both human and non-human identities.
Service account governance will increasingly decide whether SMB incidents stay local or become business-ending. The moment attacker movement depends on unattended credentials, blast-radius control becomes the real resilience measure. For teams building out zero-trust controls, the immediate priority is mapping which identities can still operate after the primary user is disabled.
SMBs should expect more identity-led intrusions, not fewer, because attackers keep favouring the shortest path to disruption. That means recovery exercises need to include secrets, certificates, and privileged access, not only endpoint and backup validation.
For practitioners
- Implement identity inventory for all accounts and secrets Map human accounts, service accounts, API keys, certificates, and partner access into one control register so you can revoke, rotate, and review them together. Prioritise identities that can reach finance, backups, or customer data.
- Test recovery against identity compromise Run tabletop and technical exercises that assume the attacker already has a valid account, token, or certificate. Validate how fast you can isolate access, rotate credentials, and restore services without relying on manual guesswork.
- Shorten the lifetime of privileged access Replace standing privileged access with time-bound elevation for admin tasks, especially on backup systems, cloud consoles, and remote support channels. Ensure offboarding includes immediate revocation of elevated paths, not just user disablement.
- Operationalise certificate and secret rotation Move away from manual certificate renewal and spreadsheet-based secret tracking. Use owner-bound rotation schedules, alerting for expiring credentials, and tested rollback procedures for systems that depend on them.
- Include third-party access in incident plans Document which partners, MSPs, and cloud integrations can be disabled first if compromise is suspected. Make sure contract owners and technical owners both know how to cut access before data exfiltration or ransomware execution completes.
Key takeaways
- SMB cyber resilience now depends on identity control, recovery speed, and operational ownership, not organisation size.
- Attackers prefer smaller targets because weak access governance and slow restoration increase the odds of payment or disruption.
- The controls that matter most are identity inventory, rapid revocation, rotation discipline, and tested incident recovery.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity access control is central to reducing ransomware entry paths. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers secrets, certificates, and credential lifecycle. |
| CIS Controls v8 | CIS-5 , Account Management | Account governance is the main lever for limiting abuse of SMB identities. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0004 , Privilege Escalation | The article's threat path depends on stolen credentials and expanded access. |
| NIST Zero Trust (SP 800-207) | Zero trust helps SMBs reduce implicit trust in accounts and partners. |
Map likely phishing and credential-theft paths to credential access and privilege escalation monitoring.
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, services, workloads, or automation rather than a person. It includes service accounts, API keys, tokens, certificates, and AI agents. These identities can authenticate, access data, and move across systems, which makes their governance a core security requirement.
- Identity Lifecycle Governance: Identity lifecycle governance is the control of creation, approval, use, rotation, review, and revocation across all identities. In practice, it ensures that access does not persist longer than necessary and that every identity has an owner, an expiry, and a defined offboarding path. It is central to both human and non-human access security.
- Credential Revocation: Credential revocation is the process of disabling a secret, token, or key so it can no longer authenticate or authorize action. It is the operational half of detection, because exposed credentials remain dangerous until they are invalidated and replaced across every dependent system.
- Recovery Pressure: Recovery pressure is the operational and financial stress that appears when an organisation cannot restore services quickly after an attack. Attackers exploit it by timing disruption to maximise urgency and increase the likelihood of payment or rushed decisions. It is shaped by backups, incident response maturity, and the organisation’s access governance.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- How GlobalSign frames security partnerships and preconfigured controls for smaller organisations that need to reduce manual effort.
- The article's discussion of AI use in SMB security, including where caution is needed before deploying it in live workflows.
- The article's advice on incident response, data recovery, and communication planning for organisations with limited resources.
- The source's commentary on certificate lifecycle pressure and why manual maintenance becomes harder as certificate lifetimes shorten.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management for practitioners who need to control access risk across modern environments. It is designed for security teams that need a practical identity foundation for governance, operations, and incident readiness.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org