In a way, "small" business is a misnomer. SMBs account for half of GDP in the U.S., and nearly 60 percent of GDP in many European and Asian nations. And the customer information and financial data they possess and process are just as vital and valuable as they are in any large organization. A customer whose data is exposed isn't going to care how large the breached company was.
There is a combination here of wishful thinking and practical limitations. On the one hand, SMBs tell themselves a harmful breach won't likely happen to them. On the other, even if they do respect the danger, they don't have the resources to mount an adequate defense.
SMBs face the same cyber threats as large enterprises, but have a fraction of the budget to deal with them. At a small company, IT duties might fall to someone whose primary role is something entirely different; that person ends up handling the company's data security because, well, someone has to. Even when there is a dedicated IT staff, it can be just one or two people, charged with everything from fixing the faulty Wi-Fi, to keeping all company software up to date, to making strategic plans for the company's data foundation, to ensuring data security.
And with a massive to-do list, defending against unseen, data-stealing criminals on the other side of the world may not seem like a top priority. Not to mention the skill set required: large companies have a difficult enough time finding and retaining top-notch data security resources, let alone an SMB. The writing is on the wall: if they rely on wishful thinking or meager protection, SMBs will simply remain insecure and prime targets.