TL;DR (AKA the short version)

Nation-state threat actors are increasingly shifting their attention downmarket. They’re not just targeting Fortune 500 firms anymore—they’re exploiting the weaker links in the supply chain. That means small manufacturers, niche service providers, IT vendors, and yes, even financial planners and wealth management firms like yours.

For years, the conventional wisdom in cybersecurity has been this: nation-state attackers go after the big fish—government agencies, multinational corporations, defense contractors. But here’s the uncomfortable truth in 2025: if you’re a small or mid-sized business (SMB), especially one that supports a larger organization, you are now the target.

As Eric Chien from Broadcom’s Symantec Threat Hunter team put it, “The vast majority of organizations hit by nation-states are private sector and in the middle market.” That’s a wake-up call for anyone who still thinks “we’re too small to be a target.”

Why SMBs Are in the Crosshairs

Let’s face it—many SMBs still treat cybersecurity like a side project. They’ve got basic antivirus software, maybe an outdated firewall, and a password policy that hasn’t evolved since 2015. But attackers are no longer seeing SMBs as collateral damage—they’re the entry point. If your business is connected to a larger organization in any meaningful way, you’re part of the attack surface.

And the numbers back this up. According to recent reports:

• 70% of cyber incidents affecting small businesses involve ransomware.

• 90% of incidents in mid-sized firms (500 to 5,000 employees) involve ransomware.

• Cybercriminals are blending state-sponsored espionage with for-profit crime—moonlighting, if you will.

We’re seeing deepfake phishing, supply chain compromises, and identity provider breaches, all hitting SMBs who didn’t think they’d ever appear on an adversary’s radar.

The Low-Hanging Fruit

What makes SMBs so attractive? It’s not just lack of resources—it’s lack of awareness. Most small firms don’t realize the extent of their exposure or their place in the broader ecosystem. Take manufacturing, for example—many small shops supply parts or software to larger companies. If one of those systems gets compromised, it opens the door to much bigger damage upstream.

This isn’t hypothetical. Nation-state actors like Volt Typhoon (China), APT33 (Iran), and various Russian groups are already targeting critical infrastructure and private sector companies that, on paper, look like just another small business.

What You Can Do—Starting Now

Here’s the good news: the same technologies that protect major banks and government agencies are available to SMBs at a reasonable cost. There’s no “lite” version of cybersecurity anymore.

If you’re looking for a short list of high-impact moves:

• Implement Multifactor Authentication (MFA) — immediately. It’s still one of the lowest-cost, highest-value protections you can deploy.

• Invest in Endpoint Detection and Response (EDR) — and better yet, Managed Detection and Response (MDR) for round-the-clock eyes on glass.

• Train your team — regularly. People are the front line, and phishing remains the #1 delivery method for attacks.

• Patch your systems — old vulnerabilities are still being exploited every day.

Even if you have an internal IT team, you still need an expert to employ and monitor security measures properly. The reality is, small businesses need enterprise-grade cybersecurity support now more than ever.

Final Thought

Just because your logo isn’t on the front page of Forbes doesn’t mean you’re not a high-value target. The rules have changed, and so have the adversaries. The best time to harden your defenses was yesterday. The second-best time is right now.

If you’re unsure where to start or want to assess your exposure, let’s talk.