
How Attackers Break Into Small Businesses

Part of our guide: Ransomware & incident response

Hollywood makes hacking look like genius keyboard work. Reality is far more boring — and that’s good news, because “boring” is predictable, and predictable is defendable. The overwhelming majority of small-business breaches start through one of a handful of well-worn doors. Here’s each one, and how to close it.

And to be clear up front: small businesses are not too small to target. Most attacks aren’t personal — they’re automated, hitting thousands of businesses at once and breaking in wherever a door is open. Being small just often means fewer defences, which makes you easier, not safer. (More on that myth in “Is your business too small to be a target?”.)

1. Phishing and stolen credentials

By far the most common entry point. An employee gets a convincing email, enters their password on a fake login page, and the attacker walks in through the front door with valid credentials. No malware required. These attacks are now polished by AI, so “watch for typos” is obsolete advice.

Shut it down: multi-factor authentication (so a stolen password isn’t enough), email filtering, and training that teaches people to verify, not just to spot bad grammar — see phishing is still number one.

2. Reused and weak passwords

When a password gets leaked in someone else’s breach, attackers try that same email-and-password combo against everything — your email, VPN, banking. If your team reuses passwords, one unrelated leak hands over your business.

Shut it down: a password manager so every login is unique and strong, plus MFA as a backstop.

3. Unpatched and exposed systems

Attackers constantly scan the internet for known-vulnerable software — an unpatched VPN, an exposed remote-desktop (RDP) port, an out-of-date firewall. Find one, and they’re in without needing a person to click anything.

Shut it down: turn on automatic updates, never expose RDP directly to the internet, and run vulnerability management so you find the holes before attackers do.

4. Missing or bypassed MFA

Attackers specifically hunt for accounts and systems where MFA isn’t enforced — old protocols, service accounts, that one admin login nobody got around to. A single gap can undo an otherwise solid setup.

Shut it down: enforce MFA everywhere, including legacy logins, and block the old authentication methods that skip it.

5. Your vendors and supply chain

Sometimes the break-in isn’t through you at all — it’s through your IT provider, a software update, or a partner with access to your systems. Their weakness becomes yours.

Shut it down: know who has access to your data, apply least privilege, and vet your high-risk vendors — see third-party risk.

6. Malicious attachments and downloads

The classic: an invoice or résumé attachment that quietly installs malware, or a “free” download laced with it. Still effective, especially against busy people.

Shut it down: modern endpoint protection (beyond basic antivirus), attachment scanning, and least-privilege accounts so malware can’t easily spread.

How the doors connect

Real breaches rarely use just one of these — they chain several together. A typical small-business ransomware incident looks like this: a phishing email steals an employee’s password (door 1); because that password was reused, it also unlocks other systems (door 2); MFA wasn’t enforced on the VPN, so the attacker logs straight in (door 4); once inside, they move to a server still running unpatched software (door 3), steal data, and deploy ransomware over the weekend.

The encouraging flip side: because the doors chain, closing any one of them often breaks the whole attack. MFA alone would have stopped that example cold. You don’t have to be perfect everywhere — you have to remove enough links that the chain can’t complete.

The pattern worth noticing

Look at the fixes and the same names keep coming up: MFA, unique passwords, patching, least privilege, monitoring. That’s not a coincidence — these are the baseline controls precisely because they block the doors attackers actually use. You don’t need exotic defences; you need the fundamentals, applied consistently, and someone watching for the attempts that slip through.

A quick door-check for your business

Run through these and mark any “no” or “not sure”:

  • Is MFA enforced on email, VPN, and admin accounts — with no legacy logins skipping it?
  • Does everyone use a password manager, so no passwords are reused?
  • Is RDP closed to the open internet, and are systems patched automatically?
  • Do staff accounts run with least privilege, not local admin?
  • Do you know which vendors have access to your data?
  • Would anyone notice an intruder active at 2 a.m.?

Any “no” is an open door worth closing first.

That last question — the watching — is the piece small teams can’t do alone at 2 a.m. If you’d like an honest look at which of these doors are open in your business, get in touch.
