The belief sounds reasonable the first time you say it out loud. "We're twelve people. We don't have anything worth stealing." Most small offices have held this view at some point. Most of them have been wrong — and the breach usually follows shortly after the belief goes unexamined.
Small businesses are not overlooked by cybercriminals. They are targeted for the same things larger companies have: employee credentials, client records, payment account access, and trusted relationships with larger partners. The assumption that firm size offers protection is one of the most common reasons small offices end up breached, because it keeps basic controls from ever being configured. Microsoft 365 Business Premium already licenses baseline protections that address each of these attack paths; the work is in turning them on.
Why is your firm a target?
Your credentials have value
Every Microsoft 365 account in your office is a login that someone will pay for. Criminals run automated phishing campaigns against public email addresses by the millions. They do not filter by firm size before sending. When a staff member clicks a convincing fake login page and enters a password, that credential goes to market. The attacker may never know your firm's name. The credential is the product.
Your client files are worth money
Legal, healthcare, financial, and professional services firms hold dense personal information — names, Social Security numbers, dates of birth, financial histories, medical records. A single breached client file has value on secondary markets. You do not need thousands of clients for that to matter. You need one.
You have payment access
Most small offices manage at least one bank account, send invoices, approve vendor payments, and handle payroll. Business email compromise — where an attacker impersonates an owner or vendor to redirect a payment — does not require a large target. It requires an unverified wire transfer. Small offices are more likely to skip the confirmation call precisely because everyone knows everyone.
You are a door to someone bigger
Your clients trust email from your domain. So do your referral partners, your vendors, and your professional contacts. An attacker who compromises your email account inherits that trust entirely. For a criminal targeting a larger firm, a small trusted vendor is a lower-cost entry point than attacking the larger firm directly. You may not be the destination. You may be the door.
What does the assumption get right?
There is a kernel of truth worth keeping. Sophisticated, targeted attacks — nation-state operations, large ransomware campaigns, multi-week intrusions — do tend to prioritize enterprises, hospitals, and critical infrastructure. If that is the threat you pictured when you said "we're too small," you are probably right.
But most attacks on small firms are not sophisticated. They are automated. Phishing kits run continuously against lists of public email addresses. Credential-stuffing scripts test known username-and-password combinations across thousands of accounts simultaneously, with no human operator watching. Automated attacks do not skip small firms — they process them in batches alongside everyone else. The economics favor volume over precision.
What should you actually do?
If your firm runs Microsoft 365 Business Premium, most of the baseline protections you need are already licensed. The problem is that several of them are not configured out of the box: newer tenants ship with security defaults enabled, but Conditional Access policies, Defender for Business onboarding, and role assignments all require deliberate setup.
Enable multi-factor authentication for every account
MFA is the highest-return single action any small office can take. It stops the bulk of credential-based attacks, not because it is unbreakable (a real-time phishing kit can relay a one-time code) but because it raises the cost of an attack past the point where automated tooling continues. Business Premium includes Microsoft Entra ID P1, so you can enforce MFA either by enabling security defaults or with a Conditional Access policy that requires it for every user; either takes a single administrative session. Exclude one dedicated break-glass account from the policy so a misconfiguration cannot lock out every administrator, and steer staff toward the Microsoft Authenticator app rather than SMS codes.
Configure Microsoft Defender for Business
Included in Business Premium, Defender for Business provides endpoint detection and response for Windows, macOS, iOS, and Android devices that have been onboarded to your tenant. It is the same category of protection that enterprise IT departments purchase separately. Licensing alone protects nothing: each device has to be onboarded (through Intune or a local onboarding script) and the default policies reviewed before it does its job.
Limit administrator access
In small offices, everyone often has full administrator rights because it is convenient. That convenience means one compromised account gives an attacker access to everything. Assign Global Administrator only to a handful of dedicated admin accounts, separate from anyone's day-to-day mailbox and always MFA-protected; use narrower built-in roles such as User Administrator or Exchange Administrator where they suffice; and review the assignments at least once a year.
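A quick way to see who actually holds Global Administrator, as an added example (not code from the original page). It assumes the Microsoft Graph PowerShell SDK, a reader role such as Global Reader, and that your admin accounts follow a naming convention beginning with "adm" or "admin"; that naming heuristic is an assumption used only to flag day-to-day mailboxes that carry admin rights.

```powershell
# Added example: audit Global Administrator membership.
# Assumes the Microsoft Graph PowerShell SDK and a reader role such as Global Reader.
# AuditLog.Read.All is needed for last-sign-in data (licensed by Entra ID P1 in Business Premium).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All"

$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not found in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties.'@odata.type'
    if ($type -eq '#microsoft.graph.user') {
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
        [pscustomobject]@{
            Member         = $u.UserPrincipalName
            AccountEnabled = $u.AccountEnabled
            LastSignIn     = $u.SignInActivity.LastSignInDateTime
            # Assumption: dedicated admin accounts are named adm-* or admin-*.
            # Anything else is probably someone's everyday mailbox holding Global Admin.
            DailyMailbox   = -not ($u.UserPrincipalName -match '^(adm|admin)[-._]')
        }
    } else {
        # Groups and service principals can hold the role too; list them for manual review.
        [pscustomobject]@{
            Member = "$type $($m.Id)"; AccountEnabled = $null; LastSignIn = $null; DailyMailbox = $null
        }
    }
}

$report | Sort-Object LastSignIn | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt 4) {
    Write-Warning "$count Global Administrators; Microsoft's guidance is to keep this under five."
}
$report | Where-Object { $_.DailyMailbox } | ForEach-Object {
    Write-Warning "$($_.Member) looks like an everyday mailbox with Global Admin; move the role to a dedicated account."
}
```

Run it before each review and keep the output; a Global Admin account that has not signed in for months is either a forgotten assignment to remove or a dormant account waiting to be taken over.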
Keep phishing training short and consistent
Your staff does not need a certification course. They need a five-minute conversation every few months: do not click unexpected links, verify any change to payment details by phone using a number you already have on file (never one from the email asking for the change), and report anything that feels wrong, including through the Report button in Outlook. That covers most of what people in a small office need to know.
Maintain a real backup
Microsoft 365 retains deleted items for limited periods, but that is not a backup: the same compromised admin account that is deleting your data can change the retention settings, and nothing in the tenant covers files that live only on a laptop. A dedicated backup solution for your email, SharePoint, and local files gives you a recovery path if ransomware encrypts your data, provided you test a restore before you need one. Without it, recovery means either paying the attacker or rebuilding from nothing.