Basic Cyberattacks Are Putting SMBs Out Of Business: Expert

‘When [small businesses] get hit by something damaging like this, a majority of the time they do go out of business within a very short period of time,’ says cybersecurity consultant Jeremiah Baker.

Across the numerous types of scams that cybercriminals frequently utilize today, many of the attacks are still not very sophisticated from a technical perspective, according to cybersecurity consultant and author Jeremiah Baker.

During a keynote Sunday at XChange Security 2025, Baker ran through a litany of real-world scams he has known about that have led to significant losses for the victims—and sometimes even the end of their businesses.

Particularly for small businesses, “when they get hit by something damaging like this, a majority of the time they do go out of business within a very short period of time,” said Baker, while discussing an aviation company that folded after falling victim to a $740,000 wire fraud scam.

The incident—along with several others mentioned by Baker—involved an email account takeover, something that is frequently made possible due to accounts that continue to be unprotected by multifactor authentication.

The attack that defrauded the aviation company “wasn't super highly technical, but it was super damaging,” he told an audience of MSP and MSSP executives during XChange Security 2025, which is hosted by CRN parent The Channel Company and being held this week in Frisco, Texas.

The reality is that even as technology continues to advance rapidly, many cyberattacks do not require advanced technical abilities to succeed, MSP executives in attendance Sunday told CRN.

This is often the case even when it comes to state-sponsored threat groups, according to Robert Cochran, a former longtime FBI special agent focused on cybercrime investigations. Following his retirement from the FBI after two decades in 2022, Cochran is now co-founder and chief services officer at Bawn, a security-focused MSP based in Austin, Texas.

From his experience tracking state-sponsored attackers linked to governments such as China, the groups typically “weren’t using zero-day exploits,” Cochran said. “They were using basic exploits that they would find off of GitHub. They would use basic external scanning tools to find exposed ports online that shouldn’t be exposed.”

In other words, “these are tools that everybody out there can use in a matter of 30 minutes. These don’t take skills,” he said. “These are just misconfigurations and people not paying attention to the devices that they have.”

And while there certainly are attackers with capabilities for utilizing high-level, zero-day exploits, “the vast majority of the cases that I saw were basic exploits from an unpatched device that had been unknown, that was still active on a network,” Cochran said.

The continued proliferation of ransomware-as-a-service—which divvies up the steps of a ransomware attack among various entities—is also a key factor making the technical barrier to entry very low for many threat actors, said Brian Oleksiuk, president of Oxygen Technologies, an MSP and MSSP based in Winnipeg, Manitoba.

“It doesn’t take much,” Oleksiuk said. “With ransomware-as-a-service, bad actors are selling this stuff on the darkweb. It’s accessible. And that is why every company is a target.”