"We're Too Small to Be a Target" — Why Firm Size Has Nothing to Do With It
I've heard it in conversations with firm owners across the country. "We're a 15-person firm. We're too small to be on anyone's radar." The logic feels right, doesn't it? Bigger targets, more data, bigger payoff for the bad guys. You'd think a mid-market accounting firm would be safer than a Fortune 500 company.
The data tells a different story. Small businesses are not lower on the hit list. They're at the top of it. According to StrongDM research, businesses under 100 employees are 2.5 times more likely to be targeted by cyberattacks than larger organizations. And it gets worse: 88% of ransomware incidents target small and medium-sized businesses. If your firm has fewer than 50 people, you're not flying under the radar. You're exactly what attackers are looking for.
Why Attackers Don't Care About Your Size
Here's what's changed in the past decade. Cyberattacks aren't like bank robberies, where a criminal picks a target, plans a heist, and walks away with a briefcase. Today's attacks are industrial-scale and almost entirely automated. Attackers run software that probes millions of businesses per hour, testing for weak spots, and they don't discriminate: whatever the scan turns up gets attacked.
Take credential stuffing as an example. When a breach happens at a retail site, a hotel, or a social media platform, hackers buy those stolen usernames and passwords on the dark web. Then they plug them into accounting software, email systems, and banking portals automatically. They're betting that someone at your firm reused the same password from their personal Gmail account. And the statistics suggest they bet right: 22% of breaches start with stolen credentials. Size has nothing to do with it. Your team's password habits do.
Add social engineering to the mix, and the picture becomes even clearer. Small companies receive 350% more social engineering attacks than large organizations. Why? Because they're perceived as having fewer security layers and less sophisticated defenses. A phishing email that a Fortune 500 security operation would catch and quarantine lands in the inbox of a 20-person firm and looks plausible. The attacker isn't trying to impress anyone. They're working with automation and volume. They hit a hundred firms in a week, and a few of them will click.
Real Firms, Real Consequences
The financial stakes are real. Last year, Wojeski & Company, a CPA firm in New York, settled with the New York Attorney General for $60,000 after a ransomware attack exposed client data. The firm had failed to implement basic security measures. That wasn't a one-time mistake. It was a pattern that left client information exposed.
The stories multiply when you dig into industry reports. A two-location accounting firm was hit twice in the same year with ransomware demands totaling $300,000. They recovered from the first attack, tightened their defenses, and thought they were safe. Six months later, a different attack vector brought down both offices. The second time, they weren't sure they could survive it.
Then there's the firm that closed its doors within twelve months of a tax season ransomware attack. Not because they couldn't pay the ransom or rebuild their systems. They closed because their reputation was damaged, clients left, and the operational chaos of recovering during the busiest season of the year proved unmanageable. Recovery costs for small businesses range from $120,000 to $1.24 million, depending on the scope of the breach. For a 15-person firm running on thin margins, that's an existential threat.
Your IT Team Is Part of the Solution, Not All of It
Before I go further, I want to be clear: your IT provider or MSP isn't inadequate. Firewalls matter. Multi-factor authentication matters. Keeping systems patched and up-to-date matters. These are the table stakes. If your IT team isn't handling them, you need to have a conversation.
But here's where many firm owners get stuck in their thinking: they assume that if their IT infrastructure is solid, they're protected. They're not. A good firewall stops a lot of attacks from the outside. But when an attacker logs into your tax software with an employee's password stolen in a personal data breach, the firewall has no idea anything is wrong. The login looks legitimate because that account is supposed to be there. This is where governance comes in. You need to know who has access to what. You need to verify that credentials haven't been compromised. You need policies that actually reflect how your firm operates. IT and governance work together. Neither one alone is enough.
What You Can Do Today
You don't need to become a cybersecurity expert or overhaul your entire operation overnight. Here's what you can do this week:
- Check for compromised credentials. Go to Have I Been Pwned and check your email address and the email addresses of your team. If anyone's credentials have been exposed in a known breach, change those passwords immediately, change them anywhere else the same password was reused, and enable multi-factor authentication on that account.
- Verify multi-factor authentication on everything that matters. Start with email. Then tax software. Then your accounting platform. If you haven't turned it on, turn it on today. If you have it on, make sure it's enabled for everyone, not just a few people.
- Review access and permissions. Who has administrative access to your tax software? Who can access client bank information? Who can initiate wire transfers? Write it down. If access has drifted beyond what each person actually needs, clean it up.
- Have a security conversation with your team. Tell them what's happening. Tell them that small firms are targeted heavily. Show them a phishing email if you have one. Make it real. Most people want to help protect the firm. They just need to know what's at stake and what to watch for.
- Document what you've done. Write down the steps you took this week. Note when MFA was enabled, when passwords were changed, what access was reviewed. This documentation is useful when you talk to your IT provider and it's valuable evidence if a regulator ever asks what security measures you had in place.
The Bottom Line
Size is irrelevant. Readiness is what matters. The firm that gets hit isn't the one the attackers personally selected. It's the one they found first when they were running their automated scans and testing passwords. The difference between a firm that survives an attack and one that doesn't is usually not luck. It's preparation.
You're bound by the FTC Safeguards Rule regardless of your size. If you handle client data, you're a target. That's not meant to scare you. It's meant to focus you. The good news is that most attacks are preventable with straightforward actions. Compromised credentials, weak passwords, unmanaged access, and social engineering work because they exploit human habit, not sophisticated technical wizardry.
Talk to your IT provider. Implement multi-factor authentication. Clean up access permissions. Brief your team. If you want help building the governance program that ties all of this together, SafeGuardGRC was built for firms exactly like yours. But even without us, the checklist above is something you can start this week.
Your firm size has never protected you. Your readiness will.