Small business cyberattacks and weak access controls: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Small businesses are heavily targeted: 46% of breaches affect firms with fewer than 1,000 employees, 61% of SMBs were targeted in 2021, and 80% of hacking incidents involve compromised credentials or passwords, according to StrongDM’s round-up of recent cybersecurity statistics. The security gap is not theoretical, because weak access controls and limited response capacity turn routine phishing and credential theft into existential risk.

NHIMG editorial — based on content published by StrongDM: 35 alarming small business cybersecurity statistics for 2026

By the numbers:

Questions worth separating out

Q: How should small businesses reduce the risk of credential theft?

A: Start by removing reusable passwords from high-value paths and enforcing MFA on email, VPN, remote desktop, and admin access.

Q: Why do phishing attacks succeed so often against small businesses?

A: Phishing works because it targets people directly and bypasses weak technical boundaries.

Q: What breaks when small businesses do not have cybersecurity protections?

A: When protections are absent, attackers can move from initial access to ransomware, data theft, and operational downtime with very little resistance.

Practitioner guidance

  • Reduce credential reuse across remote access paths: Inventory VPN, remote desktop, email, and admin logins, then remove shared or long-lived passwords where possible.
  • Separate user access from recovery access: Keep backup consoles, administrative credentials, and incident response accounts isolated from ordinary employee workflows.
  • Build phishing resistance into identity controls: Combine user training with detection rules, conditional access, and session monitoring so a successful phish does not automatically translate into broad application or data access.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • The full statistics table behind SMB breach frequency, ransomware exposure, and preparedness gaps
  • The article’s breakdown of common attack types, including phishing, malware, and ransomware
  • The cost and recovery data that show how long SMBs can remain disrupted after an incident
  • The vendor’s recommended security tools and why SMBs are adopting them in practice

👉 Read StrongDM's cybersecurity statistics for small businesses in 2026 →
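
The first two practitioner guidance items above, together with the MFA answer, can be checked mechanically once the login inventory exists. The sketch below is an added example, not part of the original post or of StrongDM's article; the CSV columns, account names, the `backup_console` path label, and the 365-day threshold for "long-lived" are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data); column names are assumptions.
INVENTORY = """account,path,mfa,shared,password_set,role
alice,email,yes,no,2025-11-02,user
frontdesk,vpn,no,yes,2022-03-15,user
it-admin,admin,no,no,2025-09-01,user
it-admin,backup_console,yes,no,2025-09-01,recovery
svc-rdp,remote_desktop,yes,no,2023-01-10,user
breakglass,backup_console,yes,no,2025-12-01,recovery
"""

# High-value paths named in the post: email, VPN, remote desktop, admin access.
HIGH_VALUE = {"email", "vpn", "remote_desktop", "admin"}
MAX_AGE_DAYS = 365  # assumed cut-off for a "long-lived" password


def audit(inventory_csv, today):
    """Return (account, path, finding) tuples for each guidance violation."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    # Accounts that appear in ordinary employee workflows.
    everyday = {r["account"] for r in rows if r["role"] == "user"}
    findings = []
    for r in rows:
        who = (r["account"], r["path"])
        if r["path"] in HIGH_VALUE and r["mfa"] != "yes":
            findings.append((*who, "no-mfa"))
        if r["shared"] == "yes":
            findings.append((*who, "shared-password"))
        age = (today - date.fromisoformat(r["password_set"])).days
        if age > MAX_AGE_DAYS:
            findings.append((*who, "long-lived-password"))
        # Recovery access should not reuse an identity used for daily work.
        if r["role"] == "recovery" and r["account"] in everyday:
            findings.append((*who, "recovery-not-isolated"))
    return findings


if __name__ == "__main__":
    for account, path, finding in audit(INVENTORY, date(2026, 1, 15)):
        print(f"{account:<12}{path:<16}{finding}")
```

The `recovery-not-isolated` finding is the one most often missed: the account has MFA and a fresh password, yet a phish of the everyday identity still reaches the backup console.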
