If you're on the Internet, you're a target. Most online attacks are automated; they probe domains or IP addresses, looking for weaknesses wherever they may be. Whether your network is big or small, it's on many lists.
All websites, at some point in time, will be attacked by automated malware. More than a million new malware samples are detected each day.
Small businesses are attractive to criminals who prefer a steady stream to the uncertain hope of a big haul. Verizon's 2019 Data Breach Investigations Report says that 43% of cyberattacks are aimed at small businesses. The proportion might be even higher; many small companies don't admit to anyone that they've been attacked, or they don't realize that they have. Some sources put that percentage as high as 70%.
CNBC reports that the average incident costs a small business roughly $200,000. It states that "for small business owners, it's no longer a matter of considering if security threats will arise, but rather thinking in terms of when." Nonetheless, a majority of the people making decisions for small businesses think they aren't likely to be targeted.
Estimates vary, but the costs are always high. Kaspersky Lab has placed the average cost of a breach for small businesses at $38,000 in direct costs. This includes $10,000 in professional services, $5,000 in lost business, and $23,000 in downtime. Indirect costs are harder to quantify but add thousands more. They include efforts to prevent another breach and damage to the business's reputation.