Nobody Is Targeting You. That's the Point.
The "why would anyone attack us" reflex makes sense if you picture an attacker choosing a victim. A person sitting at a keyboard, deciding your business is worth their time. That isn't how most attacks start.
What actually happens is automated. Scanners sweep across the internet continuously, knocking on every reachable address to see what answers. They fingerprint the software running on each one, compare it against a list of known weaknesses, and flag anything that looks soft. The operator never decided to attack you. A bot found a door, and you happened to be behind it.
Log4Shell is the cleanest example of how fast this moves. When the Log4j vulnerability (CVE-2021-44228) went public in December 2021, scanning for vulnerable systems started across the whole internet within hours, before most teams had even read the advisory. Tools like Shodan keep a standing index of internet connected devices and the services they run, which means a lot of the reconnaissance is already done before anyone goes looking.
For a small business, what matters is plain: what do you have exposed to the internet, and is any of it the kind of thing a scanner trips over? How interesting you are as a target barely comes into it. The gap between what you think is reachable and what actually is reachable is where the trouble lives.
What Counts as Your Attack Surface
Your external attack surface is everything reachable from the public internet that belongs to you. Not just the main website. The whole footprint.
One of our clients, Beauty Formulation, develops custom cosmetic formulations for beauty brands. They also offer ready-to-brand white label skincare, professional cosmetic bases, and the compliance, testing, and manufacturing work that takes a product from an idea to something on a shelf. They handle formulations, customer data, and regulatory paperwork, so security genuinely matters to them. And like almost every growing business, their public web footprint is broader than just the main website, and it keeps expanding as they add pages, tools, and integrations.
For a typical small firm, the surface includes:
- Domains and subdomains. The main site, plus anything that was ever spun up. A blog, a shop on a separate subdomain, an old staging site, a "temporary" landing page from a campaign three years ago.
- The web stack itself. The CMS (often WordPress), its theme, and every plugin. Each plugin is a separate piece of software with its own update cycle and its own track record of vulnerabilities.
- Mail. The mail server, and the DNS records that say who's allowed to send as you. Weak or missing records here are what let someone spoof your domain.
- Admin and login surfaces. The CMS admin page, hosting control panels, database tools, anything that exists so a human can manage the site remotely.
- Third party integrations. Payment, booking, analytics, chat widgets, form handlers. Each one is another door, and most of them you don't directly control.
- Cloud storage. A storage bucket set up to hold images or downloads, sometimes left readable by anyone who finds the URL.
None of that is unusual. The point is that the surface is broader than "our website," and most small businesses have never written down the full list.
What's Usually Exposed
When you actually look at a small business from the outside, the same handful of issues come up again and again. None of them are exotic. That's exactly why automated scanning finds them.
- Forgotten subdomains and staging sites. A development copy of the site, often running older software than production, often with weaker passwords, sometimes with a full copy of the database. It was meant to be temporary. It's still there.
- Out of date CMS and plugins. WordPress core might be current while three plugins are two years behind. Known vulnerabilities in popular plugins get scanned for constantly, because so many sites run them.
- Exposed admin and management panels. A login page reachable from anywhere, protected by a password alone. Database tools like phpMyAdmin left open. These are the first things credential stuffing and brute force tools go for.
- Weak or expiring TLS. Old protocol versions still enabled, a certificate that's about to lapse, or a misconfiguration that weakens the encryption between your visitors and the site.
- Missing email authentication. No SPF, DKIM, or DMARC, which makes your domain easy to impersonate in phishing aimed at your customers and suppliers.
- Default credentials. Software installed and never reconfigured, still running on the username and password it shipped with.
- Publicly readable cloud storage. A bucket meant for internal use that anyone can list and download.
Most of these map straight onto the OWASP Top 10, where Security Misconfiguration rose to the number two spot in the 2025 update. They're also the kind of thing that turns up in bigger incidents. The ShinyHunters Salesforce breach hit hundreds of companies through a permissions misconfiguration, not a clever exploit. The EU Commission cloud breach traced back to assets that were reachable when they shouldn't have been. The mechanism is the same at every scale. Something was exposed that nobody was watching.
Why Small Businesses Underestimate It
The footprint grows quietly. Someone sets up a subdomain for a project, the project ends, the subdomain stays. A plugin gets installed to solve one problem and is never removed. The person who built the site leaves, and the credentials and the mental map of what exists leave with them.
On top of that, nobody owns it. At a small company security isn't anybody's full time job, so the work of tracking what's exposed falls into the gap between "the web person" and "the IT person," neither of whom may exist. We've written before about how this plays out in practice, and the numbers aren't kind to small firms. Verizon's Data Breach Investigations Report consistently shows smaller organisations taking several times more confirmed breaches than large enterprises, with vulnerability exploitation accounting for roughly a fifth of breaches as an entry point. That's covered in more detail in our piece on why SMBs became the primary ransomware target.
The "too small to matter" belief does the rest. It feels reasonable, so the gaps never get treated as urgent, and the surface keeps expanding without review.
You Can't Defend What You Can't See
Every item on the list above shares one property. You can fix it cheaply once you know it's there, and you can't fix it at all while you don't. The first job isn't patching or hardening. It's getting an honest inventory of what exists.
This is where external scanning earns its place. Not as a replacement for good habits, but as the thing that tells you what your footprint actually is right now, from the same vantage point an attacker has. It's how we keep Beauty Formulation's external footprint under control. We point the scanner at their domains on a schedule, so "we think it's just the website" is replaced by a concrete, current list of what's reachable and what needs attention, not a guess.
The "on a schedule" part matters more than it sounds. A one off scan is a photograph. It's accurate the day you take it and slowly goes stale, because the surface changes every time someone adds a plugin, launches a page, or stands up a new service. Continuous scanning keeps the inventory current and flags new problems close to when they appear rather than at some review that may never get booked. We made the broader case for automating this in our write up on the benefits of automated vulnerability scanning.
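The "photograph versus continuous" point above, as an added example (not code from the original post or from Luna): two constructed footprint snapshots are compared, whatever appeared since the last run is reported, and anything matching a small watch list of services that should not face the internet, or hostnames that look like forgotten staging copies, is flagged first. The hostnames, services and watch lists are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str  # what the service fingerprint identified

# Services a small business almost never needs reachable from the open internet.
NOT_FOR_THE_INTERNET = {"phpmyadmin", "mysql", "postgresql", "redis", "mongodb", "rdp", "ftp"}
# Hostname prefixes that usually mean a non-production copy somebody forgot about.
FORGOTTEN_HOST = re.compile(r"^(dev|staging|stage|test|old|beta)\d*\.", re.I)

def diff_footprint(previous, current):
    """Return (new, gone): exposures that appeared since the last run, and ones that vanished."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev, key=str), sorted(prev - cur, key=str)

def flag_risky(exposures):
    """Return {exposure: reason} for anything on the watch lists."""
    flags = {}
    for e in exposures:
        if e.service.lower() in NOT_FOR_THE_INTERNET:
            flags[e] = f"{e.service} reachable from the internet"
        elif FORGOTTEN_HOST.match(e.host):
            flags[e] = "looks like a non-production host that was left up"
    return flags

def review(previous, current):
    """One scheduled run: what is new, what went away, and which new items come first."""
    new, gone = diff_footprint(previous, current)
    return {"new": new, "gone": gone, "urgent": flag_risky(new)}

# Constructed snapshots for a hypothetical domain, a month apart (not real scan output).
LAST_MONTH = [
    Exposure("www.example.invalid", 443, "wordpress"),
    Exposure("shop.example.invalid", 443, "woocommerce"),
    Exposure("mail.example.invalid", 587, "smtp"),
]
THIS_MONTH = [e for e in LAST_MONTH if e.host != "shop.example.invalid"] + [
    Exposure("staging.example.invalid", 443, "wordpress"),  # someone stood up a staging copy
    Exposure("db.example.invalid", 3306, "mysql"),          # and a database is now listening
]

if __name__ == "__main__":
    result = review(LAST_MONTH, THIS_MONTH)
    for e in result["new"]:
        print("NEW ", e, "->", result["urgent"].get(e, "review when convenient"))
```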
A Short Checklist
If you run a small business website and want to shrink the surface without hiring anyone, this is most of the value for almost none of the budget:
- Write down every domain and subdomain you own. All of them, including the ones you forgot. You can't secure what isn't on the list.
- Kill what you don't use. Old staging sites, dead subdomains, plugins you installed once. Every removed asset is one fewer thing to defend.
- Patch the internet facing software first. CMS core, plugins, themes, anything with a login page. Turn on automatic updates where you can.
- Put admin behind more than a password. Multi-factor authentication on every login surface, and restrict the admin pages by IP if your host allows it.
- Fix the easy hygiene. Current TLS configuration, valid certificate, and SPF, DKIM, and DMARC records on your domain so it can't be spoofed.
- Lock down storage. Check that no cloud bucket is publicly listable, and that no database tool is reachable from the open internet.
- Scan from the outside, and keep doing it. See your footprint the way an attacker does, and set it to repeat so new exposure gets caught early.
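The email-authentication item on the checklist, as an added example (not code from the original post or from Luna): it grades a domain's SPF and DMARC TXT records for the gaps that make the domain easy to spoof. Records are passed in as strings rather than fetched from DNS so it runs offline, and the record values are constructed; DKIM is left out because its selector name cannot be discovered from the domain alone.

```python
import re
# Human-readable text for each finding code the checks can raise.
FINDINGS = {
    "SPF_MISSING": "no SPF record: any host may send mail as this domain",
    "SPF_MULTIPLE": "more than one SPF record: receivers treat this as a permanent error",
    "SPF_PLUS_ALL": "SPF ends in +all, which authorises every sender",
    "SPF_NEUTRAL_ALL": "SPF ends in ?all, which neither passes nor fails unknown senders",
    "SPF_NO_ALL": "SPF has no 'all' mechanism, so unlisted senders are not rejected",
    "DMARC_MISSING": "no DMARC record: SPF/DKIM failures are never acted on",
    "DMARC_P_NONE": "DMARC policy is p=none (monitor only): spoofed mail is still delivered",
    "DMARC_PCT_PARTIAL": "DMARC pct<100: the policy is applied to only part of the mail",
    "DMARC_NO_RUA": "DMARC has no rua= address, so no aggregate reports arrive",
}

def check_spf(txt_records):
    """txt_records: every TXT string published at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF_MISSING"]
    if len(spf) > 1:
        return ["SPF_MULTIPLE"]
    # 'all' is the catch-all mechanism; its qualifier decides unknown senders.
    all_terms = [t for t in spf[0].split()[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return ["SPF_NO_ALL"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default is pass
    return {"+": ["SPF_PLUS_ALL"], "?": ["SPF_NEUTRAL_ALL"]}.get(qualifier, [])

def check_dmarc(txt_records):
    """txt_records: every TXT string published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC_MISSING"]
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in dmarc[0].split(";")) if k.strip()}
    findings = []
    if tags.get("p", "none").lower() == "none":  # a missing p= tag enforces nothing either
        findings.append("DMARC_P_NONE")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC_PCT_PARTIAL")
    if "rua" not in tags:
        findings.append("DMARC_NO_RUA")
    return findings

if __name__ == "__main__":
    # Constructed records for a hypothetical small-business domain.
    apex = ["v=spf1 include:_spf.mailhost.invalid ~all", "site-verification=abc123"]
    dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"]
    for code in check_spf(apex) + check_dmarc(dmarc):
        print(f"[{code}] {FINDINGS[code]}")
```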
If you want a starting point for what "exploited in the wild" actually looks like, CISA's Known Exploited Vulnerabilities catalog is the public list of flaws attackers are using right now. If anything on your stack appears there, it goes to the front of the queue.
The Bottom Line
Being small doesn't keep you off the list, because there's no list. There's a scanner that doesn't know or care how big you are, looking for the same handful of mistakes on every address it can reach. The small business advantage is that the surface is small enough to actually get your arms around. Most firms have never tried, which is the only reason the easy doors stay open.
See What You're Exposing
Luna is an external scanner built for exactly this. It maps your internet facing assets, fingerprints the services running on them, and checks them against a library of 11,000+ security templates covering misconfigurations, exposed panels, weak TLS, default credentials, and public cloud storage. It runs on a schedule, so the picture stays current as your footprint changes. See how scanning works.