Far too many professional-services firms still believe they’re “too small” to be worth a cybercriminal’s attention. I hear it all the time: “Matt, we’re not a big law firm or a national CPA practice. Why would anyone come after us?”
Well, here’s the uncomfortable truth: cybercriminals don’t size-check their victims. They don’t care how many employees you have or whether your office manager doubles as your HR department. They care about one thing—can they make money off you? And if the answer is even remotely yes, you’re on their list.
At IT Fusion, we’ve seen this play out with firms of every size. A boutique real estate law practice. A 15-person CPA firm in Broward County. A small manufacturer in Southern California that lost over $50,000 to wire fraud before they even knew what “business email compromise” meant. Every one of them thought they were operating below the threat radar. Every one of them found out the hard way that the radar is automated, global, and firing continuously.
Here’s the part most people overlook: 91% of cyber incidents start with email. Not with a firewall breach. Not with some hoodie-wearing hacker in a basement. Just a single employee clicking a link they shouldn’t — because the email looked convincing, and they were trying to get their job done.
If you’re leading a professional-services firm, here are a few steps you can take today to reduce your risk:
Acknowledge that cybersecurity is a business risk, not “an IT thing.” Your firm’s reputation and revenue are what’s on the line.
Invest in real security awareness training. Your people are your first line of defense — and your most common point of failure.
Implement modern security guardrails. Zero Trust tools, 24/7 monitoring, and SOC-backed protection aren’t “nice to have” anymore.
Document your compliance posture. FTC Safeguards, WISP requirements, and industry expectations matter more than ever.
Stop relying on luck. Hope is not a cybersecurity strategy. Preparedness is.
At the end of the day, cybersecurity isn’t about paranoia — it’s about freedom. When your systems are protected and your risks are managed, you’re free to focus on the work that actually drives your mission and impact.

