As cyberattacks grow more sophisticated, small businesses are increasingly becoming attractive targets for hackers, scammers, and fraudsters. Yet many entrepreneurs still assume they’re too small to be noticed.
During CO—’s 2026 Small Business Day, Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance, dispelled this myth and explored some of the biggest cyber risks facing small businesses today. In a conversation with Matthew J. Eggers, Vice President of Cybersecurity Policy in the U.S. Chamber of Commerce’s Cyber, Space, and National Security Policy Division, Plaggemier shared practical steps owners can take to better protect themselves and build stronger habits around digital security.
Why small businesses are increasingly attractive targets for cybercriminals
Plaggemier explained that while major ransomware attacks and large corporate breaches dominate headlines, small businesses are compromised far more often than many owners realize. One of the biggest misconceptions Plaggemier encounters is the belief that a small company has nothing valuable to steal.
“They are looking for data, cash, and things they can turn into cash,” she said. “You have assets in your business … that are absolutely of value to a bad guy.”
Cybercriminals often assume smaller organizations lack the resources to combat phishing emails, scam text messages, and increasingly realistic deepfake phone calls and video meetings.
“They're going to assume that you're not training your employees on what to look for and what to do in those situations quite as much as the large organization,” said Plaggemier. “Most cybercriminals … think you're a softer target than the big corporations.”
Basic cybersecurity habits can dramatically reduce risk
Effective small business cybersecurity often comes down to consistently following a few foundational practices. Among the most important, said Plaggemier, are:
- Using unique passwords.
- Enabling multi-factor authentication (MFA).
- Limiting employee access to only the systems they need.
- Removing access for former employees after they leave the company.
She also encouraged small businesses to use password managers and biometric login tools like facial recognition, which are often safer and more convenient than traditional passwords alone.
Importantly, Plaggemier stressed that cybersecurity is not solely an IT issue. Business owners still need enough understanding to evaluate vendors, ask informed questions, and manage cybersecurity risk the same way they would manage finances or legal compliance.
Cybercriminals are using AI to pull off more sophisticated attacks
While AI is helping businesses improve productivity and automate tasks, it is simultaneously making cyberattacks more convincing and scalable.
Plaggemier said deepfake technology has become especially concerning, as it allows scammers to convincingly imitate executives, coworkers, or trusted contacts over phone calls and video meetings. In one example she shared, an employee only realized a supposed video call from their CEO was fake after texting the real executive separately for confirmation.
“You need to have … a healthy skepticism,” she added.
Free cybersecurity resources are available for small businesses
To help small businesses improve their cybersecurity posture, Plaggemier pointed attendees to the National Cybersecurity Alliance’s free educational resources available through StaySafeOnline.org, including webinars, articles, and its “CyberSecure My Business” training course.
The organization also recently launched a printable workbook designed to help older adults better recognize and avoid online scams — an effort Plaggemier said was inspired in part by helping her own mother navigate increasingly sophisticated fraud attempts.
Ultimately, Plaggemier’s message to small business owners was clear: Cybersecurity does not have to be overly technical or prohibitively expensive, but it does require attention, awareness, and consistent action.
“Don’t feel like this is somebody else’s job,” she said. “Even if you have delegated it to somebody else in your business, you need to know enough about it to manage it.”