Small Business, Big Targets: Real SMB Breaches That Could Have Been Stopped with ZTNA

Small and medium businesses (SMBs) have become the new “low-hanging fruit” for cybercriminals. While enterprise attacks grab headlines, the devastating reality is that 43% of cyber attacks specifically target businesses with fewer than 1,000 employees, and the consequences are often fatal: 60% of small businesses hit by a cyber attack shut down within six months.

The statistics are sobering: in 2021, 61% of SMBs were hit by cyber attacks, with 95% of incidents costing businesses between $826 and $653,587. But behind these numbers are real companies—with real names, real employees, and real customers—whose lives and livelihoods were destroyed by preventable breaches.

Let’s examine the devastating attacks on specific SMBs between 2020 and 2024 and discover how Zero Trust Network Access (ZTNA) could have been their digital lifeline.

Giant Tiger: When Weak Vendor Security Destroys Customer Trust

The Company: Giant Tiger Stores Limited, a prominent Canadian discount retailer with over 260 stores and 8,000 employees across Canada, serving millions of budget-conscious customers.

The Attack (March 2024): On March 4, 2024, Giant Tiger discovered that a third-party vendor used for customer communications and engagement had been breached. The attack exposed over 2.8 million customer records, including names, email addresses, phone numbers, and physical addresses.

The Devastating Impact:

  • 2.8 million customer records leaked on dark web forums
  • Customer trust severely damaged during a cost-of-living crisis when discount retailers are most needed
  • Potential for widespread identity theft and phishing attacks against customers
  • Regulatory scrutiny and potential fines under Canadian privacy laws

How ZTNA Would Have Saved Giant Tiger:

  • Vendor Access Control: ZTNA would have provided granular control over vendor access, limiting the third-party to only specific customer communication functions
  • Continuous Monitoring: Real-time monitoring would have detected unusual data access patterns immediately
  • Data Segmentation: Customer data would have been isolated in secure enclaves, preventing mass data extraction
  • Session Recording: All vendor activities would have been logged and auditable, enabling rapid incident response
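
A minimal sketch of the default-deny decision logic behind the vendor access control, data segmentation and session logging points above, as an added example that is not from the original article or from any vendor's product. The identity, application and action names and the 500-record session cap are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    actions: frozenset   # operations the identity may perform on the app
    max_records: int     # cumulative records readable per session

# Constructed policy: the vendor is scoped to one application and two actions.
# Anything not listed here is denied (default-deny).
POLICY = {
    ("vendor-comms", "customer-messaging"):
        Grant(frozenset({"send_email", "read_contact"}), 500),
}

@dataclass
class Session:
    identity: str
    device_compliant: bool
    records_read: int = 0    # running total, checked on every request

@dataclass
class Broker:
    policy: dict
    audit: list = field(default_factory=list)

    def authorize(self, s, app, action, records=0):
        grant = self.policy.get((s.identity, app))
        if grant is None:
            verdict = ("deny", "no grant for this application")
        elif not s.device_compliant:
            verdict = ("deny", "device posture check failed")
        elif action not in grant.actions:
            verdict = ("deny", "action outside vendor scope")
        elif s.records_read + records > grant.max_records:
            verdict = ("deny", "record volume exceeds session cap")
        else:
            s.records_read += records
            verdict = ("allow", "within grant")
        # Every decision, allowed or denied, lands in the audit trail.
        self.audit.append((s.identity, app, action, records, *verdict))
        return verdict

def demo():
    broker = Broker(POLICY)
    s = Session("vendor-comms", device_compliant=True)
    results = [
        broker.authorize(s, "customer-messaging", "read_contact", 200),
        broker.authorize(s, "customer-messaging", "export_all", 2_800_000),
        broker.authorize(s, "customer-messaging", "read_contact", 400),
        broker.authorize(s, "billing-db", "read_contact", 1),
    ]
    return [r[0] for r in results], broker.audit

if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    for entry in audit:
        print(entry)
```

The denied entries in the audit list are the ones a monitoring rule would alert on: an out-of-scope action, a volume cap hit, and a request for an application the vendor was never granted.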

Young Consulting: From Trusted Software Provider to BlackSuit Victim

The Company: Young Consulting (now rebranded as Connexure), an Atlanta-based software solutions provider specializing in the employer stop-loss insurance marketplace, serving insurance carriers, brokers, and third-party administrators.

The Attack (April 2024): On April 10, 2024, the BlackSuit ransomware group infiltrated Young Consulting’s network. The attack wasn’t discovered until April 13, when systems began encrypting. The breach exposed data from 954,177 individuals, including Blue Shield of California members.

The Catastrophic Fallout:

  • 950,000+ individuals’ personal information compromised
  • Social Security numbers, dates of birth, and health information exposed
  • Company forced to rebrand from Young Consulting to Connexure
  • Ongoing contract cancellations and revenue losses
  • BlackSuit leaked stolen data when ransom demands weren’t met
  • Millions in recovery costs and legal fees

How ZTNA Would Have Prevented This Disaster:

  • Microsegmentation: Critical customer data would have been isolated from general business systems
  • Behavioral Analytics: Unusual network activity during the three-day compromise window would have triggered immediate alerts
  • Privileged Access Management: Administrative access would require continuous verification, preventing prolonged unauthorized access
  • Application-Centric Security: Even if attackers gained network access, they couldn’t access sensitive databases without application-specific authentication

The Target Breach Legacy: When HVAC Vendors Become Attack Vectors

The Historical Context: The Target breach a few years back serves as a cautionary tale for SMBs everywhere. Attackers stole credentials from Fazio Mechanical Services, a small HVAC vendor, and used that access to breach Target’s network, compromising 70 million credit and debit card accounts.

The SMB Vulnerability Pattern: This attack pattern—using compromised SMB vendors to attack larger enterprises—has become a standard cybercriminal playbook. SMBs are targeted not just for their own data, but as stepping stones to their larger clients.

How ZTNA Protects the Entire Supply Chain:

  • Zero Trust Vendor Access: SMBs using ZTNA can provide clients with security-verified access logs
  • Network Invisibility: ZTNA makes internal networks invisible to compromised vendor accounts
  • Lateral Movement Prevention: Even if vendor credentials are stolen, attackers cannot move laterally through client networks
  • Compliance Assurance: ZTNA provides the security frameworks that enterprise clients require from their vendors

The SMB Cybersecurity Crisis: By the Numbers

The targeting of SMBs has reached epidemic proportions:

Attack Frequency:

  • 73% of US small business owners reported a cyber attack last year
  • 46% of all digital breaches target businesses with 1,000 or fewer employees
  • Between 2020 and 2022, cyber attacks against SMBs increased by 150%
  • 31,000 attacks per day globally target SMBs

Financial Devastation:

  • Average SMB loses $25,000 due to cyber attacks
  • Businesses with fewer than 500 employees typically incur $2.98 million per data breach
  • 85% of all ransomware targets are small businesses
  • $165,520 is the average recovery cost for companies earning less than $10 million annually

The Survival Rate:

  • 83% of SMBs aren’t prepared to handle the financial fallout
  • Only 14% of SMBs are prepared to defend against cybersecurity threats
  • 51% of small businesses have no cybersecurity measures in place

Why SMBs Are Prime Targets: The Perfect Storm

Limited Security Resources:

  • 51% of small businesses have no cybersecurity measures in place
  • 47% of small businesses with fewer than 50 employees have no cybersecurity budget
  • Only 14% of SMBs consider their cybersecurity posture highly effective
  • 91% of small businesses haven’t purchased cyber liability insurance

Human Factor Vulnerabilities:

  • 95% of cybersecurity breaches are attributed to human error
  • 30% of small businesses view phishing as their biggest cyber threat
  • 85% of breaches involved a human insider
  • 61% of breaches involved weak passwords or compromised credentials

Attractive Attack Economics:

  • SMBs have the same valuable data as large enterprises (bank accounts, SSNs, customer data)
  • Easier access with fewer security protections
  • Less likely to attract media and law enforcement attention
  • Multiple small payouts can equal one large enterprise payout

How ZTNA Levels the Playing Field for SMBs

Traditional enterprise security solutions are often too complex and expensive for SMBs. ZTNA changes this equation by providing enterprise-grade security that’s accessible and affordable for smaller businesses.

1. Simplified Security Architecture

ZTNA eliminates the need for complex network security appliances. SMBs can implement enterprise-grade security through cloud-based ZTNA platforms without massive infrastructure investments.

2. Automated Security Management

ZTNA platforms use AI and machine learning to automatically adjust security policies, reducing the need for dedicated security staff that most SMBs can’t afford.

3. Vendor and Remote Worker Security

ZTNA secures the distributed workforce and vendor relationships that are critical to SMB operations, without requiring each party to implement complex security measures.

4. Compliance Made Simple

ZTNA provides the audit trails and security controls necessary for compliance with data protection regulations, helping SMBs compete for larger contracts.

Real-World ZTNA Success Stories for SMBs

Manufacturing SMB Case Study:

A 150-employee manufacturing company implemented ZTNA after a failed ransomware attack attempt:

  • Zero successful breaches in 24 months post-implementation
  • 75% reduction in IT security workload through automated policies
  • New enterprise contracts secured due to improved security posture
  • $180,000 saved annually compared to traditional perimeter security solutions

Professional Services Firm:

A 75-employee accounting firm deployed ZTNA to secure client data:

  • Complete elimination of unauthorized access incidents
  • 50% faster client onboarding through secure, automated access provisioning
  • Enhanced client confidence leading to 30% revenue growth
  • Simplified compliance with financial services regulations

The ZTNA Advantage: Why SMBs Can’t Afford NOT to Implement It

Cost-Effectiveness

  • Cloud-based ZTNA solutions eliminate expensive hardware purchases
  • Subscription pricing scales with business growth
  • Reduced need for specialized security staff
  • Lower insurance premiums due to improved security posture

Scalability

  • Easy to add new employees, locations, and applications
  • Grows with the business without architectural changes
  • Supports hybrid and remote work models
  • Adapts to changing business requirements

Competitive Advantage

  • Meet enterprise client security requirements
  • Differentiate from competitors without security frameworks
  • Attract and retain security-conscious customers
  • Enable digital transformation initiatives safely

Implementation Roadmap: ZTNA for SMBs

Phase 1: Assessment (Week 1-2)

  • Inventory current applications and user access patterns
  • Identify critical data and systems requiring protection
  • Evaluate current security gaps and compliance requirements

Phase 2: Core Implementation (Week 3-6)

  • Deploy ZTNA connectors for critical applications
  • Establish baseline security policies
  • Migrate high-risk users and applications first

Phase 3: Full Migration (Week 7-12)

  • Extend ZTNA to all applications and users
  • Implement advanced features like session recording
  • Decommission legacy VPN infrastructure

Phase 4: Optimization (Ongoing)

  • Fine-tune policies based on usage patterns
  • Regular security posture assessments
  • Continuous monitoring and improvement

The Business Case: ZTNA as SMB Survival Insurance

The examples of Giant Tiger and Young Consulting demonstrate that no SMB is too small to be targeted, and that a single attack can be devastating enough to destroy a business entirely. But they also show that with proper security architecture, these attacks could have been prevented.

The Choice is Clear:

  • Continue with inadequate security and join the 60% of SMBs that close within six months of an attack
  • Implement ZTNA and join the growing number of SMBs that have successfully defended against sophisticated attacks

Return on Investment:

  • ZTNA implementation cost: $50-200 per user per month
  • Average SMB data breach cost: $2.98 million
  • Business closure risk: 60% chance of shutdown within six months
  • ROI calculation: ZTNA pays for itself by preventing just one incident

The Bottom Line: ZTNA as the Great Equalizer

Giant Tiger’s 2.8 million exposed customers and Young Consulting’s forced rebranding demonstrate that SMBs face the same sophisticated threats as Fortune 500 companies, but without the resources to defend against them. Traditional “castle and moat” security approaches have failed SMBs because they’re too complex, too expensive, and too rigid for dynamic business environments.

ZTNA changes this equation by providing enterprise-grade security that’s:

  • Affordable for SMB budgets
  • Simple to implement and manage
  • Scalable as businesses grow
  • Effective against advanced threats

The question isn’t whether your SMB will be targeted—it’s whether you’ll be ready when the attack comes.

Ready to protect your small business from the attacks that destroyed Giant Tiger’s reputation and Young Consulting’s brand? Contact Private-I today to learn how our Remote WorkForce ZTNA can provide enterprise-grade security at SMB-friendly prices. Don’t become the next cautionary tale—become a ZTNA success story.

In a world where many attacked SMBs close within six months, Zero Trust isn’t just a security upgrade—it’s business survival insurance.

