
The Industries Attackers Target Most — And Why Data Exfiltration Is the Threat Small Businesses Can't Afford to Ignore

There is a persistent myth in the small business community that data theft is a large-enterprise problem — that hackers are after the Fortune 500, the major banks, the hospital systems with thousands of beds. The data says otherwise. The Verizon 2024 Data Breach Investigations Report found that small and medium-sized businesses accounted for a substantial share of all confirmed data breaches across every analyzed industry sector.[1] The attackers going after your competitors are often the same ones going after the largest companies in your space — they have simply learned that small businesses are easier targets with fewer defenses and less incident-response capability.

This post focuses on data exfiltration specifically: what it is, which industries face the highest risk, why attackers want the data those industries hold, and how the threat has evolved beyond simple theft into a model designed to maximize leverage over victims.

What Is Data Exfiltration?

Data exfiltration is the unauthorized transfer of data from your environment to one controlled by an attacker. It is distinct from ransomware (which encrypts your data in place) and from denial-of-service attacks (which disrupt availability). Exfiltration is about theft — copying or moving data out of your network to be used for financial gain, competitive advantage, extortion, or resale on criminal marketplaces.

Exfiltration can occur through multiple mechanisms: malware that stages and transmits files in the background, an attacker using legitimate remote access tools to browse and copy data manually, phishing-compromised credentials used to access cloud storage or email, or insider threats where an employee transfers data before departing. In many cases, exfiltration is not a single event — it is a sustained process that may run for weeks or months before detection, if it is detected at all.

In plain language: Imagine a burglar who doesn't break your locks or trash your office — instead, they make a quiet copy of every file in your filing cabinet while you're at lunch, and walk out looking completely normal. You come back, everything looks fine, and you have no idea it happened. That is data exfiltration. The theft is often invisible for months. You don't notice a system going down. You don't get a ransom note. You simply don't know your client records, financials, contracts, or patient data have been copied and are now in the hands of someone who plans to sell or use them.

According to IBM's Cost of a Data Breach Report 2024, the average time to identify and contain a data breach globally was 258 days — nearly nine months.[2] In small business environments without dedicated security monitoring, that number is often far higher. By the time a breach is discovered, the data has typically been staged, exfiltrated, and in some cases already sold or published.

The Industries Most at Risk

Not all industries are equally targeted. Attackers follow data value and the path of least resistance. The industries below represent a consistent pattern across multiple years of breach data from Verizon, IBM, and the FBI's Internet Crime Complaint Center (IC3).

Healthcare

Healthcare has held the top position for data breach cost and frequency for over a decade. IBM's 2024 Cost of a Data Breach Report found that the healthcare industry experienced the highest average breach cost of any sector — $9.77 million per incident.[2] This is not coincidental. Healthcare organizations hold Protected Health Information (PHI): medical records, diagnoses, treatment histories, insurance data, and Social Security numbers. A complete medical record sells for dramatically more on criminal markets than a payment card number, because unlike a credit card, a medical identity cannot be quickly cancelled and reissued.

Small practices, dental offices, specialty clinics, and independent physical therapy or mental health providers are heavily targeted precisely because they hold the same category of data as large hospital systems — but with significantly fewer security controls. The Health and Human Services Office for Civil Rights (HHS OCR) breach portal, which tracks all HIPAA-reportable incidents, consistently shows hundreds of breaches per year at small covered entities with fewer than 500 affected records per incident.[3]

In plain language: A stolen credit card number is worth a few dollars on the black market — the bank cancels it within hours of fraud being detected. A complete medical record, on the other hand, contains your name, address, Social Security number, insurance policy details, employer information, and a complete health history. That information can be used to fraudulently bill insurance companies, obtain prescription medications, open new credit accounts, or be held over a patient as blackmail. It doesn't expire. It can't be cancelled. This is why healthcare data is among the most valuable stolen information in existence — and why small healthcare providers are attacked constantly.

Financial Services and Professional Services

Financial institutions — community banks, credit unions, mortgage brokers, independent financial advisors, and insurance agents — are obvious targets. They hold account numbers, routing information, investment portfolios, and tax identification data. The Verizon 2024 DBIR consistently ranks financial services among the top three most breached industries by volume.[1]

Less obvious, but equally targeted, is the broader professional services category: accounting firms, law firms, and HR consultants. An accounting firm serving 200 small business clients holds the tax returns, bank account information, payroll data, and financial statements for every one of them. A law firm handling mergers and acquisitions, real estate closings, or employment disputes holds extraordinarily sensitive client information — privileged communications, pending transaction details, and intellectual property. Attackers who compromise a small professional services firm do not just get that firm's data. They potentially get access to the data of every client the firm serves.

In plain language: A small accounting or law firm is essentially a data warehouse for everyone it serves. An attacker who gets into a three-person CPA office doesn't just steal that firm's information — they get the tax returns, bank accounts, and financial details for every business client on the firm's books. This is called a supply chain attack: instead of going after each business directly, attackers go after the trusted vendors and advisors those businesses share. One breach, dozens of victims. It is extremely efficient from the attacker's perspective, which is why professional services firms are a consistent target.

Retail and E-Commerce

Retail — particularly e-commerce — represents one of the largest attack surfaces for payment card data theft. The Payment Card Industry Data Security Standard (PCI DSS) was created specifically because of the volume of card data handled by merchants, but compliance does not guarantee security, and many small retailers operate with payment environments that are misconfigured, outdated, or improperly scoped.

Point-of-sale (POS) malware, web skimmers embedded in e-commerce checkout pages (a technique known as Magecart), and credential theft targeting e-commerce platform admin accounts are all methods used to silently harvest card data over extended periods. The Verizon DBIR has tracked web application attacks and payment-card theft as persistent, high-volume threats against retail organizations year over year.[1]

In plain language: A web skimmer is a hidden piece of code that sits invisibly on your checkout page and makes a silent copy of every credit card number, expiration date, and CVV code that any customer types in — then sends that information to the attacker in the background. Your site looks and works perfectly. Customers have no idea. You have no idea. The attacker quietly collects card numbers for weeks or months, then sells them in bulk. Small online retailers are targeted because they often run older or unpatched e-commerce platforms and have less visibility into what is happening on their own websites.

Manufacturing and Industrial Services

Manufacturing is a frequently underestimated target because the industry's primary value is not often thought of as "data." But modern manufacturers hold significant intellectual property: product designs, proprietary processes, supplier contracts, customer lists, and pricing structures. Nation-state threat actors targeting industrial IP — documented extensively by CISA and the FBI in joint advisories — are a real and persistent concern for manufacturers of any size.[4]

Beyond IP theft, the integration of operational technology (OT) and IT networks in manufacturing environments creates pathways from corporate networks into production systems. Disruption of manufacturing operations through data theft or ransomware has been used as leverage, with attackers threatening to publish proprietary designs or halt production unless demands are met.

Construction, Real Estate, and Mortgage Loan Processing

Construction firms, real estate brokerages, and mortgage loan processors consistently appear in breach data because of the volume of wire transfer activity they process. Business Email Compromise (BEC) — a social engineering attack in which an attacker impersonates a trusted party to redirect a wire transfer — is the single highest-dollar-loss crime category tracked by the FBI IC3. The FBI's 2023 Internet Crime Report documented $2.9 billion in BEC losses alone in that year.[5] Real estate closings, construction contract payments, and vendor invoicing are all high-value wire transfer events that attackers specifically target.

Mortgage loan processors are a particularly high-value target within this group. A single loan file contains an extraordinary concentration of sensitive personal data: full legal name, date of birth, Social Security number, employment history, tax returns, bank statements, pay stubs, credit reports, and property details. This is effectively a complete financial and identity profile of the borrower. Multiply that across hundreds of active loan files in a small mortgage office and the exposure is significant. Attackers who gain access to a mortgage processing environment do not just have a wire transfer opportunity — they have a ready-made identity theft database. The Consumer Financial Protection Bureau (CFPB) and HUD both impose data security obligations on mortgage servicers and originators, meaning a breach carries regulatory exposure on top of the direct harm to borrowers.[5]

In plain language: Business Email Compromise is one of the most financially devastating attacks on small businesses and it does not require breaking through a firewall at all. The attacker monitors your email communications — often after stealing a credential through phishing — waits for a large payment to come up (like a real estate closing or a contractor invoice), then sends an email that looks exactly like it came from a legitimate party with updated wiring instructions. The money gets wired to an account the attacker controls. Once a wire transfer is sent, recovery is extremely rare. This is one of the clearest examples of why data security and email security directly protect your money, not just your files.

The Double-Extortion Evolution

Until roughly 2019, ransomware followed a simple model: encrypt the victim's files and demand payment for the decryption key. Organizations that maintained robust backups could theoretically recover without paying. Ransomware groups recognized this limitation and adapted.

The double-extortion model — first widely attributed to the Maze ransomware group in late 2019 — added data exfiltration as a second leverage mechanism.[6] Before encrypting files, attackers now spend time inside the network identifying and exfiltrating the most sensitive data they can find: client records, financial documents, personnel files, intellectual property. They then encrypt the network and present the victim with two problems: your files are locked, and we have a copy of your most sensitive data. Pay the ransom to recover your files and prevent us from publishing or selling what we took.

This model fundamentally changed the risk calculation for all organizations. Backups — while still essential — no longer fully resolve a ransomware incident. The exfiltration has already occurred. The data is already outside your control.

In plain language: The old version of ransomware was like someone breaking into your office and changing all the locks — you couldn't get in, but your stuff was still there. Good backups were like having a spare key. The new version is more like a hostage situation: they took your confidential files on the way out before changing the locks. Even if you use your spare key to get back in, your most sensitive information is still in their hands. They post a countdown clock on a public website and tell you that if you don't pay in 72 hours, they'll publish your patient records, client contracts, or employee Social Security numbers for anyone to see. This is the reality of modern ransomware for small businesses — backups alone are no longer enough.

What Exfiltrated Data Is Actually Worth

Understanding why attackers pursue data theft requires understanding what the data commands on criminal markets. Credentials — usernames and passwords — enable further attacks and account takeover. Payment card data is sold in bulk, with complete card profiles including billing address fetching higher prices. Healthcare records command premium prices because of the density of exploitable personal information they contain. Intellectual property and trade secrets may be sold to competitors or nation-state actors. Personally identifiable information (PII) in aggregate is used for identity fraud, tax fraud, and synthetic identity creation.

The downstream harm to victims extends well beyond direct financial loss. IBM's 2024 research found that the average cost of a data breach includes not just incident response and recovery expenses, but regulatory fines, legal fees, customer notification costs, credit monitoring for affected individuals, and the long-term reputational damage that follows disclosure.[2] For a small business operating on thin margins, a single significant breach is often existential — studies have consistently shown that a substantial proportion of small businesses that experience a serious breach do not survive beyond 12 months.[7]

How to Reduce Your Exposure

Data exfiltration is a technical problem that requires technical controls — but the starting point is knowing what data you hold, where it lives, and who can access it. You cannot protect what you have not mapped.

Know your data. Identify where sensitive data resides across your environment: file servers, cloud storage, email, backups, workstations, and any third-party platforms. This is the foundation for every other control. Data you don't know about is data you cannot protect.

Control access tightly. The principle of least privilege — giving users access only to what they need to do their job — directly limits how much damage a compromised account can do. An attacker who steals the credentials of a receptionist should not be able to access every client file in the organization. Role-based access, combined with multi-factor authentication (MFA), significantly raises the cost and difficulty of exfiltration even after a credential compromise.

Monitor for anomalous outbound activity. Data exfiltration produces network traffic. Large file transfers to cloud storage services, unusual volumes of outbound DNS queries, connections to unfamiliar external IP addresses at odd hours — these are signals that a properly instrumented network can detect. Visibility tools and SIEM platforms can alert on these patterns before an ongoing exfiltration becomes a confirmed breach disclosure.
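As an added illustration of the three signals described above (not code from this post or from Warden Networks), the script below runs over a handful of constructed flow records and flags bulk outbound volume to one external IP, a burst of DNS queries from one host, and off-hours connections to external IPs that are not on an allow-list. The record format, the thresholds, the allow-list addresses and the RFC 1918 internal ranges are all assumptions; in practice the thresholds come from a baseline of the network's normal traffic, and the records come from a firewall, NetFlow collector or SIEM.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed thresholds; tune them from a baseline of the environment's normal traffic.
BULK_OUTBOUND_BYTES = 1024 ** 3      # >= 1 GiB from one host to one external IP in a day
DNS_QUERIES_PER_HOUR = 500           # well above a workstation's normal resolver load
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time
# Assumed allow-list of external services the business is known to use (placeholder IPs).
KNOWN_EXTERNAL = {"13.107.42.12", "142.250.72.14"}
# Assumed internal ranges (RFC 1918); any other destination is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic), one per line:
# "<ISO timestamp> <source host> <dest IP> <dest port> <proto> <bytes out>"
SAMPLE_FLOWS = [
    "2024-05-14T10:02:11 ws-finance-03 13.107.42.12 443 tcp 184000",
    "2024-05-14T10:03:00 ws-finance-03 10.0.0.2 53 udp 80",
    "2024-05-14T10:05:40 ws-finance-03 142.250.72.14 443 tcp 212000",
    "2024-05-14T14:30:05 ws-reception-01 10.0.0.5 445 tcp 52000000",
    "2024-05-15T02:14:09 ws-reception-01 203.0.113.45 443 tcp 900000000",
    "2024-05-15T02:41:52 ws-reception-01 203.0.113.45 443 tcp 700000000",
    "2024-05-15T03:10:00 ws-reception-01 203.0.113.45 443 tcp 500000000",
]
# Constructed burst of 620 DNS queries from the same workstation to the internal
# resolver during the 02:00 hour, the volume signature the paragraph above describes.
SAMPLE_FLOWS += [
    f"2024-05-15T02:{i // 60:02d}:{i % 60:02d} ws-reception-01 10.0.0.2 53 udp 80"
    for i in range(620)
]


def parse_flow(line):
    """Parse one space-separated flow record in the constructed format above."""
    ts, host, dst, port, proto, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host, "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes)}


def is_external(dst):
    """True when the destination is outside the assumed internal ranges."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfil_signals(lines):
    """Return (signal, host, detail) tuples for the three outbound patterns."""
    flows = [parse_flow(line) for line in lines]
    findings = []

    # Signal 1: bulk outbound volume from one host to one external IP within a day.
    volume = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            volume[(f["host"], f["dst"], f["time"].date())] += f["bytes"]
    for (host, dst, day), total in sorted(volume.items()):
        if total >= BULK_OUTBOUND_BYTES:
            findings.append(("bulk_outbound", host, f"{total} bytes to {dst} on {day}"))

    # Signal 2: unusual number of DNS queries from one host within one clock hour.
    dns = defaultdict(int)
    for f in flows:
        if f["port"] == 53:
            dns[(f["host"], f["time"].replace(minute=0, second=0))] += 1
    for (host, hour), count in sorted(dns.items()):
        if count >= DNS_QUERIES_PER_HOUR:
            findings.append(("dns_volume", host,
                             f"{count} queries in hour starting {hour:%Y-%m-%d %H:%M}"))

    # Signal 3: off-hours connection to an external IP not on the allow-list.
    # Reported once per host/destination/day so a long session is a single alert.
    seen = set()
    for f in flows:
        if (f["time"].hour in BUSINESS_HOURS or not is_external(f["dst"])
                or f["dst"] in KNOWN_EXTERNAL):
            continue
        key = (f["host"], f["dst"], f["time"].date())
        if key not in seen:
            seen.add(key)
            findings.append(("off_hours_unfamiliar", f["host"],
                             f"connection to {f['dst']} at {f['time']:%Y-%m-%d %H:%M}"))
    return findings


if __name__ == "__main__":
    for signal, host, detail in detect_exfil_signals(SAMPLE_FLOWS):
        print(f"{signal:22} {host:16} {detail}")
```

Run as written, the script reports nothing for the finance workstation's daytime traffic and three findings for ws-reception-01: roughly 2.1 GB sent to an unlisted external address overnight, 620 DNS queries in a single hour, and an off-hours connection to that same address. Each signal alone is noisy; the value for a small environment is correlating them per host, which is what turns "something looks odd" into a lead worth pulling before the breach becomes a disclosure.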

Implement endpoint detection and response (EDR). Modern EDR solutions detect the behavioral patterns associated with exfiltration: bulk file access, staging in temporary directories, data compression, and transmission to external destinations. CISA's Cybersecurity Performance Goals specifically recommend EDR deployment as a foundational control for organizations in all sectors.[4]

Encrypt sensitive data at rest. Exfiltrated encrypted data is dramatically less useful to an attacker without the decryption keys. Full-disk encryption on workstations and servers, combined with proper key management, means that stolen hardware or copied files do not automatically translate to usable stolen data.

Evaluate your third parties. Your vendors, IT providers, and software platforms have access to your environment. A breach at a managed service provider or a vulnerable plugin on your website can be the entry point for an attack on your data. Periodic review of third-party access and vendor security posture is essential — particularly for the professional services industries where third-party access is extensive.

The Bottom Line

Data exfiltration is not a byproduct of attacks on large enterprises that occasionally spills over to smaller organizations. It is a primary attack objective against small businesses in healthcare, finance, professional services, retail, manufacturing, and real estate — precisely because those businesses hold high-value data and are disproportionately likely to lack the controls needed to detect or prevent it.

The threat has also become structurally more dangerous with the adoption of double-extortion ransomware. Backups protect your operations. They do not protect your clients, your employees, or your business from the consequences of data that has already left your network.

Understanding which category your business falls into — and what data you hold that makes you a target — is not a theoretical exercise. It is the starting point for a security posture that matches your actual risk profile. Warden Networks conducts data security assessments and network security reviews for small and mid-sized organizations in exactly these industries. If you are not sure what an attacker would find most valuable in your environment, that is the question to start with.


Sources

[1] Verizon. (2024). 2024 Data Breach Investigations Report. Verizon Business. Retrieved from verizon.com/business/resources/reports/dbir.

[2] IBM Security. (2024). Cost of a Data Breach Report 2024. IBM Corporation. Conducted by Ponemon Institute. Retrieved from ibm.com/security/data-breach.

[3] U.S. Department of Health & Human Services, Office for Civil Rights. (2024). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. Retrieved from ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

[4] Cybersecurity and Infrastructure Security Agency (CISA). (2023). Cross-Sector Cybersecurity Performance Goals. U.S. Department of Homeland Security. Retrieved from cisa.gov/cross-sector-cybersecurity-performance-goals.

[5] Federal Bureau of Investigation, Internet Crime Complaint Center. (2024). 2023 Internet Crime Report. FBI IC3. Retrieved from ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf.

[6] Cimpanu, C. (2019). Maze ransomware threatens to release stolen data if victims don't pay ransom. ZDNet. See also: Sophos. (2024). The State of Ransomware 2024. Sophos Ltd. Retrieved from sophos.com/en-us/content/state-of-ransomware.

[7] National Cybersecurity Alliance & Cybersecurity Ventures. (2023). Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report. See also: U.S. Small Business Administration. Small Business Cyber Security. Retrieved from sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity.

Not Sure What an Attacker Would Find in Your Network?

We assess your data security posture and identify where your most sensitive information lives, who can access it, and what controls are missing. Start with a conversation.