How small companies are becoming prime targets — and what you can do about it
“The best protection? Make yourself unprofitable for hackers.”
– Karl Emil Nikka, IT Security Specialist at Stöldskyddsföreningen (SSF)
When we think of ransomware or cyberattacks, we often picture high-profile breaches at major corporations. But today’s threat landscape tells a different story: small and medium-sized companies are increasingly under attack – and often the most vulnerable.
In a recent incident, Swedish sports platform Sportadmin was hit with a ransomware attack. While the financial demands haven’t been made public, the attackers didn’t just encrypt the data — they stole it, too. That means even if a company refuses to pay, they still face the threat of sensitive data being leaked or sold.
“There’s usually a negotiation. Hackers know exactly how much you can pay — whether you’re a large enterprise or a small local firm,” says Karl Emil Nikka.
Norsk Hydro: A Case Study in Transparency
One of the most talked-about ransomware cases is from 2018, when global aluminum producer Norsk Hydro was attacked. The company famously responded with full transparency — a rare move at the time. The breach was caused by a single employee opening a malicious email attachment, and the fallout was massive: over $71 million in damages.
What’s important to note? The method of attack was the same as in many small-company breaches — simple phishing.
Why Small Businesses Are Big Targets
Small companies are often used as springboards into larger organizations. Hackers exploit the fact that small firms may lack enterprise-grade cybersecurity, using them as an entry point in supply chain attacks.
At the same time, small businesses often don’t have access to the same tools or resources as big companies – making them easier to breach.
Phishing: Still the #1 Threat
According to Nikka, phishing remains the most common entry point. And it’s getting more sophisticated.
“One of the most convincing phishing attacks I’ve seen was through a Google ad. The ad used Google’s real domain – ads.google.com – but clicking on it led to a fake login page that captured your credentials. It looked completely legitimate.”
His advice?
- Use ad blockers to stop malicious search ads
- Consider privacy-focused search engines where ads can be disabled, e.g., DuckDuckGo
- Install DNS filters on work devices
- Enable multi-factor authentication or, even better, passkeys – a phishing-resistant sign-in method already supported by major platforms
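Why passkeys resist the kind of fake login page described above comes down to origin binding: the browser records the origin of the page the user is on, and the relying party rejects any assertion that was not made on its own site. The following is an added illustration, not code from the article or from any named product; the origin `login.example.com`, the function names and the sample data are assumptions (a simplified version of the relying-party checks on `clientDataJSON`, with the cryptographic signature check left out).

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party origin; a phishing page cannot share it.
RP_ORIGIN = "https://login.example.com"


def new_challenge() -> str:
    """Fresh per-login challenge so a captured assertion cannot be replayed."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: str,
                      allowed_origin: str = RP_ORIGIN) -> tuple:
    """Return (ok, reason) for the clientDataJSON a browser sends back with a passkey assertion."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected type %r" % cd.get("type")
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The origin is written by the browser, not by the page, so a look-alike
    # site ends up with its own hostname here and the real site rejects it.
    if cd.get("origin") != allowed_origin:
        return False, "origin %r is not %r" % (cd.get("origin"), allowed_origin)
    return True, "ok"


def client_data_hash(client_data_json: bytes) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so the
    recorded origin cannot be edited afterwards without invalidating the signature."""
    return hashlib.sha256(client_data_json).digest()


def make_client_data(challenge: str, origin: str) -> bytes:
    """Constructed sample of what a browser places in clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def demo() -> tuple:
    """Legitimate login vs. the same challenge answered on a look-alike domain."""
    challenge = new_challenge()
    legit = make_client_data(challenge, RP_ORIGIN)
    phish = make_client_data(challenge, "https://login.example-secure.com")
    return check_client_data(legit, challenge), check_client_data(phish, challenge)
```

In practice the browser also scopes passkeys to the relying-party ID, so a look-alike domain never even gets to ask the authenticator; the origin check shown here is the server-side backstop.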
What You Can Do Today
Nikka’s key message is this: You don’t need to be hack-proof. But you can make yourself unprofitable and uninteresting to attackers.
Here’s how:
- Train your team on phishing and good cyber hygiene
- Use password managers and passkeys
- Block ads and suspicious domains
- Use DNS filters and secure browsers
- Have a plan for software updates and vulnerability patching
- Visit sakerhetskollen.se — a free, practical resource with step-by-step security guides for individuals and organizations
Final Words
Security isn’t just about confidentiality — it’s about availability and resilience.
And in an era where ransomware-as-a-service is a growing business, no company is too small to be targeted.
The best defense? Stay informed. Stay updated. Stay ahead.