Reading time: 7 minutes · Last updated: 13 May 2026
Cyberattacks on small businesses don’t unfold the way movies show them. There’s no hooded figure typing furiously while green text scrolls. The reality is slower, quieter, and more procedural — which is why understanding the anatomy of a cyberattack is the single most useful exercise an SMB owner can do. Once you see the steps, you see exactly where to break the chain.
Here are the seven stages of a typical SMB cyberattack, what attackers do at each one, and the specific defences that stop them.
Stage 1 — Reconnaissance
Attackers spend days or weeks researching you. Your website, your LinkedIn pages, your team’s job titles, your vendors, your social media. They learn who handles money, who’s on holiday, who’s new, and which software you use. AI has made this 10× faster than it was three years ago.
How to break the chain: Limit what’s publicly visible about your tech stack. Train staff that sharing “we use [vendor]” on LinkedIn or in conference talks is a quiet vulnerability.
Stage 2 — Initial access
The attacker gets a foothold. The three most common routes for SMBs:
- A phishing email that captures a password or installs a small piece of malware. (Most common.)
- A stolen password bought on a credential marketplace, typically reused from a personal site that was breached.
- A vulnerable internet-facing service — an unpatched VPN, exposed remote desktop, or old firewall.
How to break the chain: Multi-factor authentication everywhere (kills 99% of stolen-password attacks), modern email security with anti-impersonation, and patching all internet-facing services within 14 days.
Stage 3 — Persistence
Attackers don’t want to lose their foothold if you reset a password. They install backdoors, create new accounts, or hijack legitimate scheduled tasks. By the time you spot the original breach, they may have three or four ways back in.
How to break the chain: Endpoint detection and response (EDR) software watches for these techniques (new local accounts, new scheduled tasks, new services) and raises alerts. A managed SOC (security operations centre) reviews those alerts 24/7.
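As an added illustration of what "watching for these techniques" means in practice (example code written for this page, not SohoWizz's tooling or any EDR product's logic), the script below scans a handful of constructed Windows event records for the three persistence methods the stage describes and flags any that were not made by an approved administrator during a planned change window. The event IDs 4720, 4698 and 7045 are the standard Windows ones; the record format, the allowlist, the change window and every sample value are assumptions.

```python
"""Added example (not from the SohoWizz post): a minimal persistence
detector for Stage 3.  It looks for new accounts, new scheduled tasks
and newly installed services in constructed Windows event records and
alerts when the change was made by someone outside the admin allowlist
or outside the agreed change window.  Log format, allowlist and sample
values are assumptions; the event IDs are the standard Windows ones."""
from datetime import datetime

# Standard Windows event IDs for the three persistence techniques
PERSISTENCE_EVENTS = {
    4720: "user account created",
    4698: "scheduled task created",
    7045: "new service installed",
}

# Assumed allowlist: who may make these changes, and when planned
# changes are expected (local hours, start inclusive, end exclusive)
APPROVED_ADMINS = {"CORP\\adm-jsmith"}
CHANGE_WINDOW = (8, 18)

# Constructed event records: (timestamp, event_id, actor, detail)
EVENTS = [
    ("2026-04-20T10:15:00", 4624, "CORP\\alice", "logon"),
    ("2026-04-20T11:02:00", 4720, "CORP\\adm-jsmith", "new user CORP\\newhire"),
    ("2026-04-21T02:40:13", 4720, "CORP\\alice", "new user CORP\\support$"),
    ("2026-04-21T02:41:50", 4698, "CORP\\alice", "task \\Microsoft\\Windows\\Update\\svchost"),
    ("2026-04-21T02:45:07", 7045, "SYSTEM", "service 'WinHelperSvc' C:\\ProgramData\\wh.exe"),
    ("2026-04-21T14:00:00", 4698, "CORP\\adm-jsmith", "task \\Backup\\Nightly"),
]


def in_change_window(ts: str) -> bool:
    """True when the timestamp's hour falls inside CHANGE_WINDOW."""
    hour = datetime.fromisoformat(ts).hour
    return CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]


def persistence_alerts(events):
    """Return one alert per persistence event performed by a non-approved
    actor or outside the change window.  Events that are not persistence
    techniques (e.g. ordinary logons) are ignored."""
    alerts = []
    for ts, event_id, actor, detail in events:
        technique = PERSISTENCE_EVENTS.get(event_id)
        if technique is None:
            continue
        reasons = []
        if actor not in APPROVED_ADMINS:
            reasons.append("unapproved actor")
        if not in_change_window(ts):
            reasons.append("outside change window")
        if reasons:
            alerts.append({
                "time": ts,
                "technique": technique,
                "actor": actor,
                "detail": detail,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in persistence_alerts(EVENTS):
        print(f"ALERT {alert['time']} {alert['technique']} by {alert['actor']}: "
              f"{alert['detail']} ({', '.join(alert['reasons'])})")
```

The two conditions are deliberately simple: a real EDR adds process lineage and file reputation, but the allowlist-plus-window rule alone already separates the planned backup task from the 02:40 cluster of changes, which is the pattern a SOC analyst would be paged for.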
Stage 4 — Privilege escalation
The first compromised account rarely has access to everything. The attacker now hunts for an admin password — by reading documents on the compromised laptop, dumping credentials from memory, or tricking an admin into authenticating to a malicious service. Once they get an admin credential, they own the network.
How to break the chain: Separate admin accounts from daily-use accounts. Require MFA for every privileged action. Restrict admin rights on workstations.
Stage 5 — Lateral movement and discovery
With admin rights, the attacker maps your network. Where are the file servers? Where are the backups? Where is the financial data? Where is the email archive? They want to know everything before they make their move, because they only get one chance to make it count.
This stage often takes days to weeks. SMBs that detect attackers here, before the destructive stage, almost always survive without major loss.
How to break the chain: Network segmentation (so the printer’s network can’t reach the file server’s network), monitoring for unusual east-west traffic, and behavioural alerts when accounts touch systems they normally wouldn’t.
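The "behavioural alerts when accounts touch systems they normally wouldn't" idea is small enough to show end to end. The following is an added example written for this page (not SohoWizz's monitoring stack): it learns from a constructed set of successful logons which hosts each account normally reaches, flags later logons to hosts outside that baseline, and then singles out accounts that hit several unfamiliar hosts, which is the fan-out pattern of someone mapping the network. The log format and all sample values are assumptions.

```python
"""Added example (not from the SohoWizz post): a behavioural alert for
Stage 5 lateral movement.  Builds a per-account baseline of hosts
reached, flags first-time access to other hosts, and reports accounts
that fan out to several new hosts.  Log format and values are assumed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LogRecord = Tuple[str, str, str, str]  # (timestamp, account, host, result)

# Constructed baseline period: who normally logs on where
BASELINE_LOGONS: List[LogRecord] = [
    ("2026-04-01T09:02:11", "alice", "FILESRV01", "success"),
    ("2026-04-01T09:05:40", "alice", "MAILARCHIVE", "success"),
    ("2026-04-02T08:58:03", "alice", "FILESRV01", "success"),
    ("2026-04-01T10:12:55", "bob", "PRINTSRV", "success"),
    ("2026-04-03T11:30:10", "bob", "PRINTSRV", "success"),
    ("2026-04-02T14:00:00", "svc-backup", "BACKUP01", "success"),
]

# Constructed later day: bob's account suddenly reaches two servers it
# has never touched, in the middle of the night
NEW_LOGONS: List[LogRecord] = [
    ("2026-04-20T09:01:30", "alice", "FILESRV01", "success"),
    ("2026-04-20T02:14:07", "bob", "FILESRV01", "success"),
    ("2026-04-20T02:16:22", "bob", "BACKUP01", "success"),
    ("2026-04-20T02:18:00", "bob", "BACKUP01", "failure"),
    ("2026-04-20T09:40:00", "svc-backup", "BACKUP01", "success"),
]


def build_baseline(logons: List[LogRecord]) -> Dict[str, Set[str]]:
    """Map each account to the set of hosts it successfully reached."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _ts, account, host, result in logons:
        if result == "success":
            baseline[account].add(host)
    return dict(baseline)


def find_unusual_access(baseline: Dict[str, Set[str]],
                        logons: List[LogRecord]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, account, host) for every successful logon to a
    host outside the account's baseline.  Accounts with no baseline at
    all are alerted on every host they touch."""
    alerts = []
    for ts, account, host, result in logons:
        if result != "success":
            continue
        if host not in baseline.get(account, set()):
            alerts.append((ts, account, host))
    return alerts


def new_host_fanout(alerts: List[Tuple[str, str, str]], threshold: int = 2) -> List[str]:
    """Accounts that reached at least `threshold` distinct unfamiliar hosts.
    One new host may be a job change; several in a row looks like discovery."""
    per_account: Dict[str, Set[str]] = defaultdict(set)
    for _ts, account, host in alerts:
        per_account[account].add(host)
    return sorted(a for a, hosts in per_account.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGONS)
    unusual = find_unusual_access(base, NEW_LOGONS)
    for ts, account, host in unusual:
        print(f"ALERT {ts}: {account} reached {host} for the first time")
    print("possible lateral movement by:", new_host_fanout(unusual))
```

In production the baseline would be rebuilt on a rolling window and the fan-out threshold tuned per role, but the shape stays the same: compare each new logon against what that identity has done before, not against a static rule.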
Stage 6 — Exfiltration and impact
Modern ransomware operators don’t just encrypt your data. First they steal a copy. Then they encrypt your systems and demand a ransom. If you don’t pay, they leak the data. This is “double extortion” and it’s standard now. Attackers also specifically target backups in this stage — encrypting or deleting them so you have no choice but to pay.
How to break the chain: Immutable backups (see our 3-2-1-1-0 post). Egress monitoring on your firewall to detect large data uploads. Encryption of sensitive data at rest, so even stolen copies are useless.
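Egress monitoring is easier to reason about with numbers in front of you, so here is an added example (written for this page, not SohoWizz's firewall configuration or any vendor's feature) that sums outbound bytes per internal host per day from constructed firewall flow records, builds each host's normal daily egress from earlier days, and flags a day that is both far above that baseline and above an absolute floor. The record format, the multiplier and floor, and every IP and byte count are assumptions.

```python
"""Added example (not from the SohoWizz post): egress-volume alerting
for Stage 6 exfiltration.  Flags an internal host whose outbound bytes
on a given day dwarf its own history, and names the destination that
received most of it.  Record format, thresholds and values are assumed."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int]  # (day, src_host, dst_ip, bytes_out)

# Constructed flow summaries.  The first three days are normal; on the
# last day FILESRV01 pushes about 40 GB to a single external address.
FLOWS: List[Flow] = [
    ("2026-04-14", "WS-ALICE", "203.0.113.10", 40_000_000),
    ("2026-04-15", "WS-ALICE", "203.0.113.10", 55_000_000),
    ("2026-04-16", "WS-ALICE", "198.51.100.7", 38_000_000),
    ("2026-04-14", "FILESRV01", "203.0.113.10", 120_000_000),
    ("2026-04-15", "FILESRV01", "203.0.113.10", 130_000_000),
    ("2026-04-16", "FILESRV01", "203.0.113.10", 110_000_000),
    ("2026-04-17", "WS-ALICE", "203.0.113.10", 42_000_000),
    ("2026-04-17", "FILESRV01", "203.0.113.10", 90_000_000),
    ("2026-04-17", "FILESRV01", "192.0.2.200", 40_000_000_000),
]


def daily_egress(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Total outbound bytes keyed by (src_host, day)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        totals[(src, day)] += nbytes
    return dict(totals)


def top_destination(flows: List[Flow], src: str, day: str) -> str:
    """External address that received the most bytes from src on day."""
    by_dst: Dict[str, int] = defaultdict(int)
    for d, s, dst, nbytes in flows:
        if d == day and s == src:
            by_dst[dst] += nbytes
    return max(by_dst, key=by_dst.get)


def egress_alerts(flows: List[Flow], target_day: str,
                  multiplier: float = 5.0,
                  floor_bytes: int = 1_000_000_000) -> List[Tuple[str, int, int, str]]:
    """Return (host, bytes_today, median_baseline, top_destination) for
    each host whose egress on target_day exceeds both `multiplier` times
    its median daily egress on earlier days and an absolute floor.  The
    floor stops a host with a tiny baseline tripping the alert on noise."""
    totals = daily_egress(flows)
    history: Dict[str, List[int]] = defaultdict(list)
    for (src, day), nbytes in totals.items():
        if day < target_day:  # ISO dates compare correctly as strings
            history[src].append(nbytes)
    alerts = []
    for (src, day), nbytes in totals.items():
        if day != target_day:
            continue
        base = median(history[src]) if history[src] else 0
        if nbytes >= floor_bytes and nbytes > multiplier * base:
            alerts.append((src, nbytes, base, top_destination(flows, src, day)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, today, base, dst in egress_alerts(FLOWS, "2026-04-17"):
        print(f"ALERT {host}: {today / 1e9:.1f} GB out today vs "
              f"{base / 1e6:.0f} MB/day normally, mostly to {dst}")
```

The per-host median is the important design choice: a flat "more than N GB" rule either fires on the backup server every night or never fires on a workstation, whereas comparing each host to itself catches both.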
Stage 7 — Extortion and recovery
The ransom note appears. The attacker has done their homework on your insurance, your revenue, and your fragility — the demand is calibrated to be just below what they think you’ll pay rather than rebuild. From here, your options depend entirely on whether your incident response plan exists and whether your backups are real.
How to break the chain: A pre-planned, rehearsed incident response: who calls whom, which systems get isolated, where backups are, who talks to insurers, who talks to staff and customers. This is the difference between a 3-day rebuild and a 6-week disaster.
Where SohoWizz clients break the chain
For our managed clients, the chain typically breaks at stage 2 (MFA + email security stop most initial access attempts), stage 3 (EDR catches persistence techniques), or stage 5 (behavioural alerts catch lateral movement). Almost no incident reaches stage 6 because of layered defence and 24/7 monitoring.
The principle is straightforward: you don’t need to be perfect at every stage. You need to break the chain at any stage. Each layer is another chance.
What an SMB-grade defence actually looks like in 2026
- MFA on everything — not just email.
- EDR on every endpoint, monitored 24/7 by humans.
- Modern email security with anti-impersonation and link sandboxing.
- Patching cadence under 14 days for internet-facing systems.
- Network segmentation and egress monitoring.
- Immutable backups with tested restores.
- An incident response plan you’ve actually rehearsed.
- An ongoing phishing and security awareness programme.
That stack is no longer “enterprise” — it’s the SMB baseline. Insurers know this and are pricing accordingly.
How SohoWizz delivers this
Our managed cybersecurity service builds out every layer above, monitors them 24/7, runs the phishing programme, owns the incident response plan, and reports the trend lines to leadership every quarter. We’ve seen the chain in real engagements often enough to know exactly where to invest first.
Free SMB cybersecurity assessment
A 60-minute review against the 7-stage attack chain. We’ll show you exactly where you’d break — and where you’d hold.