American small and mid-sized businesses occupy a strange middle ground in the cybersecurity landscape. They are large enough to be targeted, small enough to lack a dedicated security function, and old enough to have accumulated a decade of technical debt. The result is a threat surface that is remarkably consistent, regardless of the sector the business operates in, and remarkably underestimated by the people who touch these businesses professionally.
This is a summary of what LeakTrace consistently observes across our scans of American SMBs, published to help business owners, professional advisors, and industry associations understand what they are actually looking at when they engage with mid-market American firms.
The pattern below holds across every category of American SMB we scan. Dental practices, medical clinics, veterinary hospitals. Law firms and accounting practices. Wealth advisors, insurance brokers, mortgage brokers, M&A advisors, business brokers, real estate agencies and property managers. Construction and trades. Manufacturing and industrial. Retail and e-commerce. Restaurants and hospitality. Automotive dealerships. Transportation and logistics. Technology and SaaS. Private schools. Non-profits. Fitness studios and wellness clinics. The exposures do not care what the business does. They care whether anyone has been watching.
Where the gaps concentrate
Across the SMB scans we conduct in the American market, a handful of exposure categories recur with striking consistency, largely independent of sector:
Email authentication is almost never configured properly
Proper DMARC configuration (the domain-level authentication standard that prevents attackers from spoofing a company's own email address) is the exception rather than the rule. Missing SPF hardening compounds the gap. In practical terms, this means the vast majority of American SMBs can be spoofed from their own domain to send fake wire instructions to their customers, their vendors, their patients, their clients, their suppliers, or their bookkeepers. A construction firm's project manager can be impersonated to redirect a subcontractor payment. A dental practice's front desk can be impersonated to phish a patient. A law firm can be impersonated to redirect a real estate closing wire. The FBI's Internet Crime Complaint Center consistently ranks Business Email Compromise as the highest-loss internet crime category, and this is the underlying mechanism.
Employee credentials are frequently exposed
Employee email addresses appearing in monitored breach databases is common enough to be the default assumption rather than a red flag. When we scan an American SMB with a public-facing team page and any history of hiring, finding at least one credential in the compromised-credential landscape is a near-universal outcome. This holds equally for a five-person law firm in Austin, a forty-person dental group in Denver, a two-hundred-person manufacturer in Ohio, or a family-owned dealership in Georgia.
Infrastructure is quietly ossified
Non-standard ports left open on public interfaces (RDP, FTP, database endpoints), aging content management systems, and unpatched public-facing services are widespread. Each one is a direct path for automated ransomware toolkits scanning the American IP address space. The toolkits do not read your website to decide if you are a good target. They scan the entire IP range and hit whatever answers on a vulnerable port. A veterinary clinic's exposed RDP is exactly as attractive as an M&A firm's exposed RDP. The exposed port does not know what industry the business belongs to.
Public records feed threat actor targeting
Business registry data (corporate structure, officers, registered agent addresses, EIN patterns, state filings) is public by design. Threat actors scrape state Secretary of State filings, SEC EDGAR records, and county assessor data at scale to construct targeted business email compromise campaigns. Any SMB that has been incorporated in any US state is discoverable this way; most owners have no idea their public filing is being used as a targeting artifact. The data broker ecosystem then aggregates this with owner residential addresses, family relationships, and property holdings.
Third-party integrations quietly widen the surface
Most SMBs have accumulated a decade of third-party integrations. Payment processors, CRM systems, scheduling tools, email marketing platforms, document signing services, industry-specific software. Each integration adds an authentication surface. When any one of those third parties suffers a breach, every credential ever reused there becomes a foothold. This affects every sector equally, though the specific software mix varies by industry.
What this means, by role
For any SMB owner, regardless of sector
The controls that close the majority of common exposures are boring, cheap, and well-documented. The gap is not knowledge. It is nobody's job. There is a decade of IT accumulation and no continuous eyes on the perimeter. A forensic audit surfaces the picture. A structured remediation sprint closes it. Continuous monitoring keeps it closed. The whole stack costs less than the deductible on most cyber insurance policies. It costs less than a single successful Business Email Compromise incident, which the FBI IC3 puts at an average of over $120,000 per incident.
For M&A advisors and business brokers
Cyber diligence is now table stakes for any acquirer doing deals above $1M in enterprise value. Findings surfaced at day 45 post-LOI, when the seller has zero negotiating leverage, become re-pricing arguments in the range of 5 to 20 percent off ask, depending on severity. Sellers who run their own diligence 60 to 90 days before going to market walk into buyer-side cyber DD with a clean report and their sale price intact. This pattern is now consistent across professional services acquisitions, dental group roll-ups by private equity, HVAC and trades roll-ups, veterinary consolidations, retail acquisitions, and any other mid-market American deal we see cross a broker's desk.
For commercial insurance brokers
Underwriters are increasingly requiring email authentication posture and credential-exposure evidence before quoting. Missing DMARC on a renewing account is enough to trigger premium adjustments or coverage exclusions in some markets, particularly across cyber liability and errors-and-omissions books. Brokers who can surface these gaps for their clients before the renewal conversation, and offer a remediation path, become more valuable to their clients than the underwriter itself. This applies to every commercial book: professional liability, cyber liability, business owner policies, and E&O.
For CFOs, controllers, and outside advisors
The financial exposure from a single successful business email compromise incident at a mid-market American firm typically dwarfs the annual cost of the controls that would have prevented it. Wire fraud losses in the $50,000 to $500,000 range are routine, uninsured in many cases (subject to specific cyber policy language), and rarely recoverable once wired abroad. CPAs, fractional CFOs, and outside counsel who bring cyber posture into their annual client review win trust and often win the follow-on engagement.
For the regulatory picture
Unlike jurisdictions with a single federal privacy law, the United States operates under a patchwork of state-level breach notification statutes plus federal sectoral laws (HIPAA for health data, GLBA for financial institutions, FERPA for education). All 50 states now have breach notification laws with varying timelines and thresholds. California's CCPA and Colorado's CPA add additional obligations for consumer data. SMBs operating across multiple states must comply with the most stringent applicable requirements, which in practice means treating any breach involving personally identifiable information as reportable.
What we do not observe
It is worth naming what does NOT show up in American SMB scans, because the popular imagination gets this backwards. State-actor-level attacks are rare. Sophisticated zero-day exploitation is rare. The exposures that matter are almost always mundane: an unpatched WordPress install, a leaked credential from an old third-party breach, a DMARC record that was never configured, a shared password that never rotated. The attacks that succeed against American SMBs are automated, opportunistic, and take days rather than months to execute. Defending against them is straightforward. The barrier is attention, not sophistication.
The path forward
American SMBs sit at an inflection. Buyer-side cyber diligence, cyber insurance underwriting rigor, state-level regulatory attention, and the professionalization of ransomware operators are all trending in the same direction: exposure that was invisible two years ago is now consequential. Firms that address it early protect their sale price, their insurability, their regulatory posture, and their operational continuity. Firms that do not, quietly absorb the cost, usually in the form of a breach, a re-priced sale, or a lost insurance renewal that they attribute to something else.
LeakTrace publishes this research to help the professional advisors best positioned to raise the topic with the SMB clients who most need to hear it. The brokers, the M&A advisors, the CFOs, the outside counsel, the industry associations. Whether the underlying business is a dental practice, a construction firm, a law firm, a wealth practice, a manufacturer, or any other American SMB, the exposure pattern is the same. Whoever raises it first tends to be the trusted advisor for the years that follow.