As your business grows, you pass two filters that financially motivated attackers apply: you become visible to automated scanners, and your data becomes worth targeting. Most SMBs cross both thresholds before they realize it.

The average small business breach costs $140,000. Most of that traces back to three failures that cost nothing to prevent: a skipped patch, an undocumented system, and a backup nobody checked. Three recurring practices fix all three.

Clients call me in with a clear ask: install security software that guarantees their code is safe. No software does that. Installing a WAF or SIEM addresses one of six functions in NIST CSF 2.0 — the other five require people, policy, and practice.

AI builds what you ask for. It has no context for what you didn't ask. The result is a predictable set of vulnerabilities across AI-built SMB products — and business consequences that go well beyond a data leak.

The obscurity defense — "we're too small to target" — no longer holds. AI has collapsed the per-target economics of exploitation by combining mass scanning at 36,000 scans per second with LLM-powered exploit chain generation.

The same three lines of PHP appeared in functions.php across roughly 50 Korean loan sites. Every application submitted was being silently exfiltrated to an attacker's server in parallel with the CRM. No errors, no user-visible signs.