A Cybersecurity Myth: We’re Too Small to Target

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, writing, cheering on all our fantastic Bay Area sports teams, and traveling near and far as much as I can. Read more about my work at CGNET here.

April 23, 2026

A common thing we hear from smaller organizations when it comes to cybersecurity is this:

“We’re not a big organization, so we don’t have anything worth stealing. I doubt we’re even on anyone’s radar!”

But while the idea that being small means you’re overlooked by hackers is comforting, sadly, it is also dead wrong.

Where the Myth Comes From

The mental picture most people have of a cyberattack looks something like this: A massive corporation with sensitive financial data. A sophisticated, targeted breach that is planned over months.

And to be fair, those attacks do happen. But that’s not what most cyber incidents look like today. Most attacks aren’t personal; they’re not targeted in the way people imagine. And they’re definitely not reserved for large organizations.

Here’s the reality: The majority of attacks are automated.

You’re Not Being Targeted. You’re Being Scanned

Cybercriminals don’t need to “choose” you. They run automated tools that scan thousands — sometimes millions — of organizations at once, looking for easy entry points:

  • Weak or reused passwords
  • Unpatched systems
  • Misconfigured cloud storage
  • Over-permissioned accounts

When they find a gap, they take it. It doesn’t matter if you’re a Fortune 500 company or a 20-person foundation. What matters is how easy you are to access.

Why Smaller Organizations Are Often Easier Targets

Here’s the uncomfortable truth: Attackers often prefer smaller organizations. Not because they’re more valuable, but because they’re more accessible. Here’s why.

1. Fewer Resources, More Gaps

Nonprofits and foundations tend to run lean. IT teams are small (or nonexistent), and security often competes with mission priorities. That’s understandable — but it creates openings.

2. High-Trust Environments

Mission-driven organizations rely on collaboration, openness, and relationships. That’s a strength culturally, but it can translate into looser controls around access and data sharing.

3. Valuable (but Overlooked) Data

You may not think you have anything “worth stealing,” but consider what you actually hold:

  • Donor and financial information
  • Internal communications
  • Grantmaking strategies
  • Personally identifiable information (PII)

To an attacker, that’s more than enough.

4. Third-Party Connections

Many nonprofits rely heavily on vendors, partners, and consultants. Each connection is another potential pathway in.

The Real Impact Isn’t Just Technical

One of the biggest misconceptions is that cybersecurity is primarily an IT issue. In reality, the biggest impacts are operational and reputational.

A cyber incident can:

  • Disrupt grantmaking or program delivery
  • Lock staff out of critical systems
  • Expose sensitive communications
  • Damage trust with donors, partners, and communities

For organizations built on relationships, that last one matters most.

“We’ve Never Had an Issue” Isn’t the Same as “We’re Secure”

Another version of the myth sounds like this:

“We’ve been fine so far.”

And that may be true. But most organizations that experience a breach felt the same way — right up until the moment they didn’t. Cyber risk isn’t static; the environment changes constantly, and attackers only need to be right once.

What “Right-Sized” Security Actually Looks Like

This isn’t about turning your organization into a fortress. It’s about putting the right level of protection in place for your size, your risk, and your mission.

In practice, that often means focusing on a few high-impact areas:

  • Strong identity and access management (Multi-factor authentication, regular access reviews)
  • Basic security hygiene (Patching, updates, device management)
  • Staff awareness (Especially around phishing and social engineering)
  • Clear visibility into your systems and data (Knowing what you have and where it lives)
  • An incident response plan (And ideally, having practiced it)

You don’t need everything. But you do need the fundamentals.

Shifting the Mindset

The question isn’t: “Are we big enough to be a target?”

It’s: “Are we easy enough to get into?”

That’s the lens attackers use. And it’s the one organizations need to adopt.

A Better Way to Think About It

Cybersecurity, especially in nonprofits, is less about defending against a specific threat, and more about reducing unnecessary risk. It’s about making sure that the work you’re doing — the mission you’re advancing — isn’t disrupted by something preventable.

Because most incidents are preventable. Not with massive budgets or complex systems, but with awareness, structure, and a few well-chosen controls.

 

 

 

At CGNET, we work with mission-driven organizations to take a practical, right-sized approach to cybersecurity. That might mean assessing where your biggest risks actually are, strengthening identity and access controls, or helping your team build a plan for when something does go wrong. If you’ve ever found yourself thinking, “We’re probably too small to be a target,” it’s worth a conversation. Reach out today.

 

 

 
