Cyber Rebels

“We’re Too Small to Be a Target” — Why That Idea Persists



There is a phrase that comes up again and again in conversations with small organisations, usually delivered calmly, often reasonably, and rarely with any sense of denial or bravado.

“We’re too small to be a target.”

It might be said during a discussion about training, while reviewing budgets, or when someone raises a question about cyber risk that feels slightly out of proportion to day-to-day pressures. In those moments, the phrase is not dismissive. More often, it sounds like a sensible boundary being drawn between what feels realistic and what feels excessive.

For many small organisations, that belief feels grounded in experience. They have not suffered a serious breach. They do not hold vast amounts of sensitive data. They do not see themselves as particularly visible or interesting to anyone outside their immediate world. From that perspective, the idea that cybercriminals would deliberately single them out can feel implausible.

This belief persists not because people are careless or indifferent, but because it fits neatly with how most of us understand risk.

The difficulty is that cyber risk does not behave in the way many people expect it to.

How “being a target” is usually understood

When people think about being targeted, they are usually drawing on how the human brain has evolved to understand threat.

For most of human history, danger was personal, visible, and intentional. Threats came from identifiable sources: another person, a rival group, a predator, or a known adversary. Survival depended on recognising intent, judging proximity, and deciding whether something or someone posed a direct risk.

That way of thinking still shapes how we assess danger today.

When someone says, “We’re too small to be a target,” they are often unconsciously asking a very human question: why would anyone choose us? They are looking for motive, attention, and intent, because those are the signals our brains are wired to respond to.

This is why large, headline-grabbing cyber incidents feel more real than everyday risk. A named organisation, a clear attacker, and a dramatic outcome fit the mental pattern of threat far better than abstract ideas like automation or scale. The brain understands villains and victims more easily than systems and probabilities.

As a result, risk that does not involve clear intent is often downgraded or ignored.

In psychological terms, people tend to assess danger based on salience rather than likelihood. Events that are vivid, personal, or emotionally charged feel more threatening than those that are statistically more common but less visible. A targeted attack on a large organisation is easy to picture. A system quietly scanning thousands of organisations for weaknesses is not.

This creates a mismatch between how cyber risk actually works and how it is perceived.

Most cyber incidents affecting small organisations do not begin with someone deciding they are worth attacking. They begin because a system responds when probed, or because a person reacts in a moment of pressure. From a human perspective, that does not feel like being targeted at all. It feels random, technical, or accidental.

Because it does not align with our instinctive model of threat, it is often discounted.

This is one of the main reasons the idea of being “too small to be a target” feels convincing. It is not rooted in denial, but in how people naturally interpret danger based on intent, visibility, and narrative.

Cyber risk challenges that instinct. It operates without personal attention, without recognition, and without the kinds of warning signals we are used to relying on. Until that difference is made explicit, many organisations will continue to assess cyber risk using a mental model that simply does not fit the environment they are operating in.

In that model, being targeted is a conscious decision: someone choosing an organisation for a specific reason, investing time and effort into learning how it operates, and then deliberately attempting to compromise it.

That mental model comes from how we understand most physical and financial threats. Burglary, fraud, vandalism, and theft all tend to involve some degree of selection. Targets are chosen because they look valuable, vulnerable, or accessible in a particular way.

It makes sense, then, that organisations apply the same logic to cyber risk. If no one would reasonably choose them, the threat feels distant.

What is rarely made clear is that most cyber incidents affecting small organisations do not begin with that kind of intent.

In many cases, there is no individual deciding whether a business is “worth it” at all.

Automation changes the nature of risk

A large proportion of cyber activity today is automated. This is one of the most important differences between cyber risk and the kinds of threats people are used to dealing with, and it is also one of the least intuitive.

Automation means that many attacks are not carried out by someone sitting at a screen, deciding who to go after. Instead, software continuously scans large parts of the internet looking for anything that responds in a particular way. It does not know who an organisation is, what it does, or whether it is large or small. It only knows whether something answers back.

For example, an automated system might be scanning for email accounts that allow password guessing without being locked out. Every account it encounters is treated the same way. If an account responds in a way that suggests weak protection, it becomes part of the process. There is no decision about whether the organisation is worth the effort. The response alone is enough.

Another common example involves exposed services. Many small organisations use remote access tools, cloud platforms, or shared systems that are set up quickly so people can work from anywhere. If one of these services is accidentally left exposed or misconfigured, automated tools can find it within minutes or hours. The system is not looking for a particular business. It is looking for anything that answers a specific request.

Email-based attacks work in a similar way. Automated phishing campaigns send large volumes of messages that are slightly adapted each time. They are not written for a specific organisation. Instead, they rely on probability. If enough messages are sent, someone somewhere will be dealing with an urgent task, a distraction, or a moment of uncertainty and will respond. The automation does not care who that person is. It only needs a small percentage of responses to make the process worthwhile.

There are also examples that never reach a person at all. Automated systems regularly test lists of stolen usernames and passwords against multiple platforms, on the assumption that people reuse credentials. When a match is found, access is gained without anyone having actively targeted that organisation. From the outside, it can look as though an account was simply “logged into,” rather than attacked.
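The two automated patterns described above, repeated password guessing against an account that never locks out and the replay of stolen credential lists across many accounts, each leave a recognisable shape in ordinary sign-in logs, and the lockout the first one probes for is a simple rule to express. The Python below is an added example for illustration, not code from Cyber Rebels or this post; the log format, the source addresses (documentation ranges) and the example.org accounts are all constructed, so parse_line() would need adapting to a real mail or identity provider's log format.

```python
"""Defender-side detection for the automated credential attacks described in the post.

Added example. The log format below is constructed; real providers differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not from any real system). Source
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:08Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:10Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:12Z src=203.0.113.7 user=alice@example.org result=FAIL
2024-05-01T09:00:14Z src=203.0.113.7 user=alice@example.org result=OK
2024-05-01T09:15:00Z src=198.51.100.9 user=bob@example.org result=FAIL
2024-05-01T09:15:01Z src=198.51.100.9 user=carol@example.org result=FAIL
2024-05-01T09:15:02Z src=198.51.100.9 user=dave@example.org result=OK
2024-05-01T09:15:03Z src=198.51.100.9 user=erin@example.org result=FAIL
2024-05-01T09:15:04Z src=198.51.100.9 user=frank@example.org result=FAIL
2024-05-01T10:30:00Z src=192.0.2.44 user=bob@example.org result=FAIL
2024-05-01T10:30:30Z src=192.0.2.44 user=bob@example.org result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_password_guessing(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts that absorbed more than max_failures failed attempts inside `window`
    without being locked out, and whether a success followed. Returns
    {user: {"failures": n, "then_succeeded": bool}}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while fails[end] - fails[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                succeeded = any(e["ok"] and e["ts"] > fails[end] for e in evs)
                findings[user] = {"failures": count, "then_succeeded": succeeded}
    return findings


def find_credential_stuffing(events, min_distinct_users=4, window=timedelta(minutes=10)):
    """Sources that tried many different accounts in a short time, roughly one
    attempt each: the shape of a stolen-credential list being replayed.
    Returns {src: {"users_tried": n, "accounts_opened": [users that succeeded]}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            # many accounts, few attempts per account (unlike guessing one password)
            if len(users) >= min_distinct_users and len(chunk) <= 2 * len(users):
                opened = sorted({e["user"] for e in chunk if e["ok"]})
                findings[src] = {"users_tried": len(users), "accounts_opened": opened}
    return findings


def replay_with_lockout(events, user, max_failures=5, window=timedelta(minutes=10)):
    """Replay one account's attempts through a simple lockout rule and return how
    many attempts would have been refused. After max_failures failures inside
    `window`, further attempts are refused regardless of the password offered."""
    recent = []  # timestamps of recent failures
    refused = 0
    for e in sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"]):
        recent = [t for t in recent if e["ts"] - t <= window]
        if len(recent) >= max_failures:
            refused += 1
            continue
        if not e["ok"]:
            recent.append(e["ts"])
    return refused


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password guessing:", find_password_guessing(evs))
    print("credential stuffing:", find_credential_stuffing(evs))
    print("alice attempts a lockout rule would refuse:",
          replay_with_lockout(evs, "alice@example.org"))
```

On the constructed sample, alice's account is flagged because six failures were accepted in twelve seconds and a success followed; the same rule applied as a lockout would have refused the sixth attempt and the one that succeeded. The second source is flagged for touching five different accounts in five seconds, which is what a replayed credential list looks like from the receiving side. The thresholds are deliberately simple; a real deployment tunes them to its own traffic so that a user mistyping a password a few times is not treated as an attack.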

What all of these examples have in common is indifference. Automation removes judgement, curiosity, and intent from the process. The organisation is not being selected. It is being encountered.

This is why size offers very little protection. Automated systems do not get bored, do not weigh up effort versus reward, and do not move on because something seems insignificant. They operate continuously and at scale, reacting only to what works.

Understanding this shift is often the moment when the idea of being “too small to be a target” begins to lose its grip. Risk is no longer about standing out. It is about being reachable in an environment where systems are always listening.

Size and exposure are not the same thing

It is easy to assume that smaller organisations are naturally less exposed because they have fewer people, fewer systems, and simpler structures. In reality, exposure is shaped far more by how work happens day to day than by how large an organisation is.

Small teams often rely on informal processes to stay efficient. Access is shared so that work does not stall. Decisions are made quickly because there is no time for layers of approval. People step in for one another because there is no one else to hand things over to.

These choices are practical, not careless. They are often the only way a small organisation can function.

Consider a small business where two or three people share responsibility for finance. There may be a single shared inbox used to receive invoices, payment queries, and supplier messages. More than one person has access because payments still need to be made if someone is off, and there is no dedicated finance team to fall back on.

From an operational point of view, this makes sense.

From a risk point of view, it means that an urgent-looking payment request sent to that inbox does not arrive in front of a single named individual with a clearly defined role. It arrives in a shared space, at a busy moment, and is handled by whoever is available. The risk is not that someone is careless. It is that context, ownership, and decision-making are distributed.

The same pattern appears with account access. A small team may share login details for a platform because it is quicker than managing individual accounts, or because the platform charges per user. Over time, passwords are reused, saved in browsers, or passed on informally when roles change. Again, this is not unusual or irresponsible. It is a response to limited time, limited budget, and the need to keep work moving.

None of this would look like a vulnerability when viewed through the lens of organisational size. The business is small, the systems are few, and everyone knows one another. Yet exposure has increased, not because of growth, but because of how work is structured.

This is why size can be misleading. A large organisation may have many systems but also clear ownership, separation of duties, and formal reporting routes. A small organisation may have far fewer systems but rely heavily on trust, shared access, and informal decision-making.

Exposure does not come from scale alone. It comes from how much pressure is placed on people to make quick decisions without friction, and how easily that pressure can be exploited by something that does not understand or respect context.

Experience reinforces belief

Beliefs about risk are not formed by policy documents or awareness campaigns. They are formed through experience, particularly repeated experience that appears to confirm an existing view.

From a psychological point of view, people tend to judge danger based on outcomes rather than processes. If nothing visibly bad happens, the system that produced that outcome is assumed to be safe, even if it came close to failing. This is not irrational; it is how humans learn to navigate complex environments without becoming overwhelmed.

When a small organisation experiences a suspicious email that is deleted, a payment that is double-checked, or an account that locks and is reset, the absence of harm becomes the defining feature of the event. The fact that something almost went wrong is rarely foregrounded. What matters is that it didn’t.

Over time, these near-misses quietly reinforce the belief that the organisation’s existing judgement is sound.

This process is strengthened by familiarity. When similar events happen repeatedly and resolve without consequence, they stop registering as signals at all. They become background noise — part of the normal friction of digital work. The brain learns that these interruptions do not require escalation, reflection, or change.

There is also a tendency to attribute successful outcomes to skill rather than luck. If a fraudulent invoice is spotted, it feels like evidence that the team is vigilant. If a phishing email is ignored, it feels like proof that awareness is already sufficient. The system appears to be working, even if it is relying heavily on individuals noticing problems at the right moment.

Psychologically, this creates a sense of control. People feel that they are managing risk effectively, which reduces the motivation to look more closely at how fragile that success might be.

Another factor is emotional distance. Incidents that are caught early do not trigger the same emotional response as incidents that cause harm. Without stress, disruption, or visible impact, there is little reason for the brain to re-evaluate its assumptions. The experience is filed away as “normal” rather than “warning”.

As a result, experience does not just fail to challenge the belief that the organisation is unlikely to be targeted. It actively strengthens it.

The longer an organisation operates without a visible incident, the more confident it becomes in its assessment of risk, even if that assessment is based on incomplete information. Near-misses become evidence that the belief is correct, rather than prompts to ask whether the system has simply been fortunate so far.

This is one of the reasons cyber risk can be difficult to address through awareness alone. People are not ignoring warnings. They are relying on what experience has taught them, and experience, in the absence of consequences, is a powerful teacher.

The problem with “nothing important here”

When small organisations say they have “nothing important” worth taking, they are usually thinking in terms of obvious assets. Large databases. Intellectual property. High volumes of customer records. Significant sums of money.

If none of those seem to apply, the conclusion feels reasonable.

What this overlooks is that importance is not always tied to ownership or value in the way people expect. In many cyber incidents, what matters is not what an organisation has, but what it can reach or vouch for.

Consider a small professional services firm that works closely with a handful of long-standing clients. It does not store large datasets. It does not process payments directly. Most of its work is done through email, shared documents, and a couple of online platforms.

From the firm’s point of view, there is very little there to steal.

However, its email domain is trusted. Messages sent from it are expected, opened quickly, and rarely questioned. If that email account is compromised, it can be used to send believable messages that appear to come from a known contact, at the right time, using the right language. The value lies not in the data held, but in the trust already established.

In this situation, the firm is not the ultimate target. It is the conduit.

The same pattern appears with access to platforms. A small organisation might have login credentials for shared systems used by clients, suppliers, or partners. Those credentials may feel unimportant internally, particularly if they are rarely used. Yet from an external perspective, they represent a shortcut into an environment where trust has already been granted.

Even disruption itself can be the objective. For a small organisation, temporary loss of access to email, documents, or scheduling systems can have an outsized impact. Work stops. Clients are delayed. Confidence is shaken. None of this requires sensitive data to be stolen, only for normal operations to be interrupted.

The assumption that “nothing important here” often comes from viewing importance in isolation. In reality, digital work is interconnected. What feels minor in one context can become significant in another.

This is why the idea persists. People are assessing value based on what they personally would want to steal, rather than how systems, relationships, and trust are used in practice.

Understanding this difference does not mean treating every system as critical. It means recognising that importance is situational, and that usefulness often matters more than ownership.

Interconnection, distance, and why warnings don’t land

Most organisations do not experience cyber risk as a single, direct event. They experience it through connections to other people, systems, and organisations. This matters, because risk that travels indirectly is much harder to recognise as risk at all.

Even very small organisations are deeply interconnected. They exchange documents with clients, access shared platforms, rely on third-party services, and operate within informal networks of trust. These connections are essential to how work gets done, but they also mean that the consequences of a cyber incident often unfold somewhere else first.

When an organisation is compromised and the immediate impact is felt by a client, a supplier, or a partner, the original organisation may not experience the incident as a failure of its own systems. It may appear instead as a problem that “came from outside,” or as an issue that affected someone else more than it affected them.

This creates psychological distance.

From a human perspective, risk feels most real when cause and effect are closely linked. If an action leads directly to a visible outcome, the brain updates its understanding quickly. When consequences are delayed, distributed, or experienced by others, they are far less likely to reshape belief.

This is one reason warnings about cyber risk often fail to change perception. Many messages focus on extreme outcomes — breaches, ransomware, and major disruption — but those outcomes rarely map neatly onto people’s lived experience. When organisations do not see those consequences playing out in their own environment, the warnings feel theoretical rather than relevant.

There is also a tendency to treat cyber incidents as isolated events rather than systemic ones. If a supplier experiences a breach, it is seen as their problem. If a client reports suspicious activity, it is often framed as an external issue. The possibility that the organisation itself might have played a role is rarely considered unless the link is obvious and immediate.

This reinforces the belief that cyber risk exists elsewhere.

Interconnection complicates accountability in a way that humans are not particularly well equipped to handle. When responsibility is shared, blurred, or indirect, it becomes easier to assume that safeguards exist somewhere else in the system. Someone else must be checking. Someone else must be responsible.

As a result, organisations can operate for long periods without feeling exposed, even when they are regularly encountering the early stages of cyber incidents. The lack of immediate, personal impact allows existing beliefs to remain intact.

This is not because people are ignoring warnings. It is because those warnings do not align with how risk is being experienced. Cyber risk often manifests as inconvenience, confusion, or disruption elsewhere, rather than as a clear signal at the point of origin.

Until that gap between cause and consequence is understood, many organisations will continue to underestimate their relevance within the wider digital environment. Not because they are unconcerned, but because the feedback they receive does not match the stories they have been told about what cyber risk is supposed to look like.

Proportion, reassurance, and a better way to frame the question

Small organisations are constantly making trade-offs. Time, money, and attention are limited, and every additional concern has to justify the space it takes up. In that context, the idea that an organisation is “too small to be a target” provides reassurance.

It offers a sense of proportion.

By placing cyber risk outside the immediate frame, leaders can focus on what feels more pressing: delivering work, supporting staff, maintaining relationships, and keeping the organisation viable. Cybersecurity, when framed as a distant or unlikely threat, becomes something that can be addressed later, once things are calmer or more established.

From a psychological point of view, this is not avoidance. It is a coping strategy. Humans simplify complex environments by narrowing their focus to what appears most controllable. When a risk feels abstract, technical, or unpredictable, it is often pushed aside in favour of problems that have clearer boundaries and more visible solutions.

The difficulty is that cyber risk does not wait for the right moment to be considered. It develops quietly alongside everyday work, shaped by the same pressures that make proportion feel necessary in the first place.

This is where the framing matters.

Rather than asking whether an organisation is too small to be a target, a more useful question is often where unnecessary exposure might exist. This shifts the conversation away from attackers, intent, and scale, and towards operations, decisions, and context.

It allows organisations to think about cyber risk in terms of how work actually happens. Where access is shared. Where decisions are rushed. Where assumptions are made because there is no time to check. These are not failures. They are normal features of small teams working under pressure.

Framing the issue this way preserves a sense of proportion. It does not demand perfection or constant vigilance. It does not require organisations to imagine worst-case scenarios or defend against every possible threat.

Instead, it invites a quieter form of attention. One that recognises that risk is created through everyday processes, and that small, thoughtful adjustments can reduce exposure without adding unnecessary burden.

This reframing also supports better decision-making. When cyber risk is understood as part of operational reality rather than an external threat, it becomes easier to integrate into existing conversations about workload, resilience, and sustainability.

Proportion is not lost by asking better questions. It is strengthened.

Understanding risk without fear

Much of the conversation around cybersecurity relies on fear, whether deliberately or by accident. Dramatic language, extreme scenarios, and urgent warnings are often used to create a sense of importance, on the assumption that concern leads to action.

In practice, fear rarely produces good security decisions.

When people feel threatened or overwhelmed, they tend to narrow their focus. Attention shifts towards immediate reassurance rather than long-term understanding. Complex information is simplified, nuance is lost, and decisions are made to reduce discomfort rather than risk.

This is one of the reasons fear-based messaging can be counterproductive. It may prompt short-term compliance, but it does little to build judgement, confidence, or resilience. Once the sense of urgency fades, behaviour usually returns to normal.

Understanding risk requires a different approach.

Cyber risk is not a constant emergency. It is an ongoing condition shaped by how people work, communicate, and make decisions under pressure. Treating it as a series of dramatic events makes it harder to understand and harder to manage.

A calmer framing allows organisations to engage with risk in a more realistic way. When cyber risk is presented as part of everyday operations rather than as an external threat, it becomes easier to talk about openly. People are more willing to ask questions, admit uncertainty, and report concerns when they do not feel they are being judged or alarmed.

This matters because most cyber incidents do not begin with malicious intent or obvious warning signs. They begin with ordinary actions taken in good faith: responding to an email, sharing a document, approving a request, or trying to keep work moving.

Fear-based narratives encourage people to look for villains and dramatic failures. A human-centred understanding encourages them to look at context, pressure, and systems.

Removing fear from the conversation does not mean downplaying risk. It means acknowledging it honestly and proportionately. It recognises that security is not achieved by perfect behaviour, but by creating environments where people can make better decisions more consistently.

This approach also supports learning. When mistakes are treated as opportunities to understand how systems and processes interact with human judgement, organisations gain insight rather than blame. Over time, this builds capability instead of anxiety.

Understanding risk without fear is not about optimism. It is about accuracy.

By focusing on how risk actually forms, rather than how it is marketed, organisations can respond in ways that are measured, sustainable, and aligned with how work really happens. That is where meaningful improvement comes from, not from heightened alertness, but from clearer thinking.

Moving beyond the myth

The belief that small organisations are too small to be targets persists because it is grounded in reasonable assumptions, reinforced by experience, and supported by how cyber risk is often described. Letting go of that belief does not require a dramatic shift in mindset. It requires a more accurate understanding of how risk actually develops.

Cyber risk is not primarily about being chosen or singled out. It is about exposure created through everyday work, shaped by time pressure, trust, and the systems people rely on to get things done. Once this is understood, the question stops being whether an organisation is important enough to attract attention, and becomes whether its ways of working unintentionally make certain outcomes more likely.

This shift matters because it changes how organisations respond.

When cyber risk is framed as something external and threatening, the natural response is to look for protective measures that promise certainty or control. When it is understood as something that emerges from normal decisions, the focus moves towards judgement, awareness, and shared understanding.

This is where training can play a meaningful role, when it is approached in the right way.

Training that focuses on fear or compliance tends to reinforce the idea that cybersecurity is a specialised concern, separate from day-to-day work. It can make people feel that risk is something to avoid thinking about, rather than something to understand. In contrast, training that helps people recognise patterns, context, and pressure supports better decisions without demanding constant vigilance.

The aim is not to turn everyone into a security expert. It is to help people notice when a situation does not quite fit, to feel confident asking questions, and to understand how their actions connect to the wider environment they are working in.

In that sense, moving beyond the myth is less about changing beliefs and more about strengthening capability. It is about creating shared language and expectations so that risk can be discussed calmly, reported early, and addressed proportionately.

Small organisations do not need to abandon common sense or become hyper-vigilant. They need space to think clearly about how work actually happens, and support that helps people make better decisions under real conditions.

When that foundation is in place, the idea of being “too small to be a target” quietly loses its relevance. Not because the organisation has become more fearful, but because it has become more aware.

Andy Longhurst, Director of Training and Development, Cyber Rebels

Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
