The Same 3 Entry Points Show Up in Every Breach

By Inevat Team · January 5, 2026

There's a version of the cybersecurity conversation that's all complexity - nation-state actors, zero-day exploits, AI-generated deepfakes. That version is real and getting more interesting by the day. It's also not how most small business breaches actually happen.

When we look at the incidents we've responded to - and at the broader research from Verizon, IBM, and CISA - the picture is much simpler and much more frustrating: the same three entry points, over and over again. The reason they keep working isn't that businesses are careless. It's that these three things are easy to overlook and consequential when missed.

Entry Point 1: Compromised Credentials

The most common way attackers get in is with a username and password that was either phished, purchased off the dark web, or guessed. Not cracked - guessed. Or credential-stuffed, meaning an attacker took a list of billions of email/password pairs from previous breaches and tried them against your systems until one worked.

This works so reliably because most people reuse passwords. If your employee used the same password for their personal Netflix account as for their work email, and Netflix had a breach three years ago, that credential may be sitting on a criminal marketplace right now. It almost certainly is - the average business email address appears in multiple past breach databases.

The fix is two things working together. First, a password manager that generates and stores unique passwords for every account, so reuse stops. Second, multi-factor authentication so that even a correct password isn't enough to log in without the second factor. MFA alone blocks over 99% of automated account-takeover attacks according to Microsoft's own telemetry.[1]

Neither of these requires buying new infrastructure. Microsoft 365 has MFA built in. It just needs to be turned on and enforced.
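
Credential stuffing leaves a recognizable shape in sign-in logs, and the sketch below looks for it. This is an added example, not code from the original article; the log format, the thresholds, and the function name `stuffing_suspects` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, format assumed: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2026-01-05T09:00:01Z 203.0.113.7 alice@example.com FAIL
2026-01-05T09:00:02Z 203.0.113.7 bob@example.com FAIL
2026-01-05T09:00:03Z 203.0.113.7 carol@example.com FAIL
2026-01-05T09:00:04Z 203.0.113.7 dave@example.com OK
2026-01-05T09:00:05Z 203.0.113.7 erin@example.com FAIL
2026-01-05T09:00:06Z 203.0.113.7 frank@example.com FAIL
2026-01-05T09:03:10Z 198.51.100.20 alice@example.com FAIL
2026-01-05T09:03:25Z 198.51.100.20 alice@example.com OK
2026-01-05T09:05:00Z 192.0.2.44 bob@example.com OK
"""


def stuffing_suspects(log_text, min_users=5, max_success_ratio=0.2):
    """Return {source_ip: [accounts that logged in successfully from it]}.

    Credential stuffing looks different from a user mistyping a password:
    one source tries many *distinct* usernames, almost all attempts fail,
    and any success is an account whose reused password was on the list.
    The whole log is treated as a single time window (an assumption).
    """
    stats = defaultdict(lambda: {"users": set(), "ok_users": set(), "total": 0, "ok": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, ip, user, result = parts
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        if result == "OK":
            s["ok"] += 1
            s["ok_users"].add(user)

    suspects = {}
    for ip, s in stats.items():
        many_accounts = len(s["users"]) >= min_users
        mostly_failing = s["ok"] / s["total"] <= max_success_ratio
        if many_accounts and mostly_failing:
            suspects[ip] = sorted(s["ok_users"])  # reset these passwords first
    return suspects


if __name__ == "__main__":
    print(stuffing_suspects(SAMPLE_LOG))
```

The accounts listed for a flagged source are the ones where a reused password actually worked, so they are the first candidates for a forced reset and MFA enrollment.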

Entry Point 2: Phishing

Phishing is the category that covers everything from "Nigerian prince" emails to sophisticated business email compromise targeting your CFO. The spectrum is wide. What makes it consistent as an entry point is that it exploits humans rather than systems - and humans are harder to patch than software.

The modern phishing email doesn't look like the obvious ones anymore. It looks like a DocuSign request from someone you've worked with. A Microsoft login page that's pixel-perfect but hosted on a slightly wrong domain. An invoice from a vendor whose email account was compromised. The tell is almost always subtle.

There's no single fix that makes phishing go away. The realistic approach is layers: email security that catches most of it before it reaches inboxes, training that helps employees recognize the signs, and a clear process for reporting suspicious messages without fear of judgment. We've also seen good results from phishing simulation programs - they get uncomfortable when employees get "caught," but the discomfort is mild compared to the real thing.
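
The "slightly wrong domain" tell can be checked mechanically by an email or web filter. The following is an added example, not part of the original article: it compares a hostname against a short allowlist using character-confusable folding and edit distance. The trusted list, the confusable pairs, and the two-label `registrable` shortcut are assumptions; production code should use the Public Suffix List and handle internationalized names.

```python
TRUSTED = ["microsoft.com", "docusign.com"]  # constructed allowlist
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def levenshtein(a, b):
    """Classic edit distance, one row of the table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(name):
    """Map look-alike character sequences onto the letters they imitate."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def registrable(host):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain_or_None) for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in trusted:
        return ("trusted", reg)
    for t in trusted:
        # Near-miss spelling of a trusted domain, e.g. micros0ft.com.
        if fold(reg) == fold(t) or levenshtein(reg, t) <= 2:
            return ("lookalike", t)
        # Trusted name used as a subdomain prefix of an unrelated domain.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("embedded", t)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ["login.microsoft.com", "micros0ft.com", "rnicrosoft.com",
              "docusign.com.secure-sign.example", "example.org"]:
        print(h, classify(h))
```

An edit-distance threshold of 2 will produce false positives for very short domain names, so the allowlist should hold only the handful of brands that employees actually sign in to.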

Entry Point 3: Unpatched Systems

Every major software vulnerability that gets public attention - every emergency Microsoft patch, every "update your VPN immediately" advisory - represents a known, published attack surface. The vulnerability has been documented. The exploit code often gets published within days. The race is between defenders patching their systems and attackers scanning the internet for unpatched ones.

Attackers win that race more often than you'd expect, because patching is operationally harder than it sounds. Patches need to be tested before deployment. Some require reboots at inconvenient times. Some break something. So patches get delayed, then forgotten, then never applied.

The businesses we see breached through this vector typically had a known critical vulnerability that had been unpatched for months. Not days - months. CISA maintains a catalog of Known Exploited Vulnerabilities with required remediation dates for federal agencies; the same list is a good guide for anyone else to understand which vulnerabilities are being actively used in the wild right now.[2]

Automated patch management closes most of this gap. Patches get tested and deployed on a schedule, exceptions get tracked, and compliance gets reported. It's not exciting work - but neither is explaining to your cyber insurer why you were running a three-month-old critical vulnerability when you got breached.
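
One way to use the KEV catalog as a patching guide is to join it against the CVEs a vulnerability scanner reports per host. This is an added example, not from the original article: the catalog excerpt follows the field names of CISA's published JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) but its entries, the placeholder CVE IDs, the inventory, and the function name `kev_findings` are all constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed; CVE IDs are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
     "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "File Server",
     "dueDate": "2026-01-20", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed scanner output: which CVEs are still open on which host.
INVENTORY = [
    {"host": "vpn-gw-01", "cves": ["CVE-0000-0001", "CVE-0000-0003"]},
    {"host": "file-srv-02", "cves": ["CVE-0000-0002"]},
]


def kev_findings(kev_text, inventory, today):
    """List open CVEs that are in KEV, with days past the KEV due date.

    A negative days_overdue means the remediation date has not passed yet.
    Results are ordered ransomware-linked first, then most overdue first.
    """
    kev = {v["cveID"]: v for v in json.loads(kev_text)["vulnerabilities"]}
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open, but not known to be exploited in the wild
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "days_overdue": (today - due).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in kev_findings(KEV_JSON, INVENTORY, date(2026, 1, 5)):
        print(f)
```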

Why the Same Three Keep Working

These entry points keep showing up not because they're sophisticated but because they work. They're also effective against the long tail of targets - automated tools can credential-stuff ten million accounts, scan billions of IP addresses for unpatched systems, and send phishing emails at industrial scale. The cost per attack is essentially zero.

The defense doesn't have to be complex. MFA everywhere. Email security that filters before messages reach inboxes. Automated patch management that doesn't let known vulnerabilities sit for months. These three things, properly implemented, close the door on the majority of attacks that affect businesses your size.

If you're not sure which of these three you're most exposed on, that's a conversation worth having. We do security assessments that give you a clear picture of your current posture without the sales pressure to buy everything at once.

References

  1. Microsoft Security, How effective is multi-factor authentication at deterring cyberattacks? MFA blocks 99.9% of automated attacks. microsoft.com/security
  2. CISA, Known Exploited Vulnerabilities Catalog. cisa.gov/known-exploited-vulnerabilities-catalog
