The question
What we told them
It's real, and it matters more to companies your size than to the enterprises. Security researchers recently documented a fully autonomous intrusion: an AI agent found an internet-exposed system, broke in through a known flaw, harvested cloud credentials, and worked through the network — start to finish in under an hour, with no human steering it.
Here's why that lands on small businesses specifically. Targeting used to cost attackers time, and time meant they went where the money was. Automation makes reconnaissance and exploitation close to free — so everything exposed to the internet gets probed, not just the companies worth a headline. The economics that protected small businesses are gone.
The defenses, meanwhile, are almost disappointingly unglamorous:
- Patch anything internet-facing, fast. The documented attack walked in through a known, fixable flaw. A patch cadence measured in days, not quarters, closes the door most automated attacks use.
- Guard the cloud keys. Credentials were the prize. Rotate them, scope them to the least access that works, and never leave them sitting in files on servers.
- Make sure alerts reach a human. An attack that finishes in an hour beats a monitoring setup nobody reads until Monday. Activity moving faster than a person plausibly could is itself the red flag.
One opinion to close: you'll be pitched “AI-powered defense platforms” off the back of stories like this. Most small businesses don't need new AI tooling first — they need the boring fundamentals above done consistently. Buy the shiny tool after the patching schedule exists, not instead of it.
Automation made targeting free, so “too small to be a target” is over. The counters are unglamorous — fast patching, guarded cloud keys, alerts a human actually reads — done on a schedule, not after an incident.