The PeachByte Blog

What a Nuclear Agency Hack Teaches Us About Small Business Security

Written by PeachByte Solutions | Jul 28, 2025 4:26:39 AM

In July 2025, a group of state-sponsored hackers managed to breach the U.S. agency responsible for overseeing nuclear weapons. That’s not a sci-fi movie plot; it’s a real-world reminder that even the most fortified organizations have cybersecurity gaps. So what does this have to do with your business? More than you think. If attackers can infiltrate a nuclear security agency, imagine what they can do to a small business without dedicated IT staff or up-to-date protections.

This post isn’t about panic; it’s about perspective. Let’s look at what happened, why it matters to small businesses, and what you can do right now to protect yourself from similar threats.

The Story: A Nuclear Weapons Agency Got Hacked

The U.S. National Nuclear Security Administration (NNSA), the agency responsible for maintaining the nation's nuclear warheads, was among some 400 organizations breached by a recent cyberattack. Microsoft revealed that Chinese state-sponsored hackers exploited newly discovered flaws in Microsoft SharePoint, a popular document-sharing platform used by many businesses and agencies. These vulnerabilities, found in SharePoint's on-premises servers (not the cloud version), allowed attackers to essentially pretend to be authorized users and run malicious code on the affected servers. In other words, the hackers found a bug that let them break into the system, steal sensitive keys, and access data.

This cyberattack unfolded quickly. According to Microsoft, the attackers began exploiting the SharePoint flaws as early as July 7, 2025, aiming to gain initial access to target networks. By mid-July, security researchers observed a mass exploitation campaign: one cybersecurity firm found dozens of compromised SharePoint servers after scanning over 8,000 servers worldwide. In the U.S., the victims included not just the NNSA but also the National Institutes of Health (NIH) and even a regional power grid operator. Thankfully, NNSA reported that no classified information was compromised, partly because the Department of Energy (which NNSA is part of) relies heavily on Microsoft’s cloud-based SharePoint service. The on-premises SharePoint servers were the vulnerable point: only self-hosted versions had the flaw, while cloud-hosted SharePoint was not affected.

Microsoft rushed to release security patches (updates) to fix these vulnerabilities and urged all organizations using on-premises SharePoint to install those updates immediately. U.S. cybersecurity officials also sounded the alarm, warning that the SharePoint bug could allow attackers "full access" to all information on those servers, including file data and login credentials. In short, if a SharePoint server was left unpatched, attackers could potentially see and steal everything on it. There was even concern that hackers might have left “backdoors” (hidden access points) in some systems to return later.

Even Top Agencies Have Vulnerabilities

It might be surprising that an agency as sensitive as NNSA could be breached. After all, one would expect a nuclear security agency to have ironclad defenses. And indeed, NNSA does have strong cybersecurity in general. Yet this incident highlights a sobering truth: no organization is 100% immune to cyber threats. In this case, the attackers used a so-called “zero-day” vulnerability, a software flaw that was previously unknown to the vendor, giving targets no chance to patch in advance. Even the best security team can be caught off-guard by a brand-new exploit. As an NNSA spokesperson noted, the department was only “minimally impacted” thanks to its widespread use of Microsoft’s secure cloud and strong cyber defenses. In other words, they limited the damage, but the breach still happened.

If highly secure government agencies and large corporations can be hit by cyberattacks, small businesses are certainly not out of reach. In fact, many hackers specifically target smaller firms, figuring they likely have weaker defenses. There’s a common misconception among small business owners that “hackers only go after big companies or government, not a little company like mine.” Unfortunately, the data says otherwise. Nearly 46% of all cyber breaches impact businesses with fewer than 1,000 employees, and one report found 61% of small and mid-sized businesses were targeted by cyberattacks in a single year. Attackers know that smaller organizations often lack dedicated security staff and might not be keeping systems up-to-date, making them easier targets.

Could This Happen to Your Business?

You might be thinking, "Okay, but my company doesn't use SharePoint. Does this really relate to me?" The specifics might differ, but the tactics are absolutely relevant to small businesses. The SharePoint hack is just one example of how cybercriminals exploit weaknesses:

  • Unpatched software vulnerabilities: Hackers in this campaign scanned the internet for vulnerable servers that hadn't been updated. Similarly, attackers regularly hunt for common software used by businesses, whether it's a content management system on your website, an outdated operating system, or a forgotten database, and try known exploits. If your business’s software isn’t patched with the latest security updates, it could be only a matter of time before an automated scan finds it. Remember, many attacks aren't personal; criminals often let bots crawl the web for any vulnerable system. If you happen to be running one, you can get swept up in a mass attack. In fact, studies show 60% of breach victims were compromised via a known vulnerability that hadn’t been patched. In this SharePoint incident, Microsoft warned that the hackers would keep going after any unpatched servers, a pattern that holds true for most exploits.

  • Social engineering and human error: Not all attacks are high-tech exploits; many are low-tech tricks. Social engineering refers to scams that target people’s trust or ignorance, such as phishing emails that trick you into clicking a malicious link or divulging a password. This is a threat every small business should take seriously. In fact, 68% of data breaches in 2024 involved the human element (mistakes or social engineering). Small businesses are especially on the radar for these tactics: employees at companies with under 100 people experience 350% more social engineering attacks than those at larger enterprises. Why? Attackers assume you might not have formal security training or strict protocols. If a hacker can't easily hack into your systems, they might try to con someone at your company into letting them in, by impersonating a trusted vendor, faking an urgent email from the boss, or any number of creative scams.

  • “Too small to matter” mindset: A lot of small businesses inadvertently make themselves targets by assuming no hacker would bother with them. Alarmingly, over half of small businesses have no cybersecurity measures at all, and many owners in that group believe their business is “too small to be attacked.” The SharePoint breach should dispel that myth: the attackers went after hundreds of targets of all sizes, not just the biggest fish. In reality, size is not a defense. Many cybercriminals actually prefer hitting many small targets: it's less likely to make headlines or attract law enforcement, and the aggregate payoff can be large. For example, a hacker might find it easier to steal $5,000 each from 20 small businesses than $100,000 from one well-secured large firm. Plus, smaller companies often keep customer data (credit cards, personal info, etc.) that can be sold or misused; about 87% of small businesses hold sensitive customer data that hackers would love to get.

In short, the same tactics used in the NNSA SharePoint attack, exploiting unpatched software or using clever deception, could absolutely be used against a small business. The good news is that knowing this helps you prepare. The NNSA incident, while scary, underscores some simple things that could have prevented trouble: the vulnerable servers needed a patch, and the breach was detected quickly by monitoring. These are things you can do too.

How Small Businesses Can Protect Themselves

So what can a small business owner or team do, practically, to fend off these kinds of threats? The following are accessible, non-technical steps that will significantly boost your security. You don’t need a huge IT department, just some diligence and smart habits:

  • Keep Your Software Updated (Patch Your Systems): Software companies regularly release updates (also called patches) to fix security holes. Make it a habit to apply those updates on all your devices and applications. This includes not just your computers, but also servers, website platforms, and even network gear like routers. Enable automatic updates wherever possible, so you don’t have to remember every patch. Many attacks succeed simply because a known flaw was left unpatched. In fact, over 60% of breaches involve a vulnerability that had a fix available but was never applied. Don’t give attackers an easy win. The recent SharePoint breach is a prime example: once Microsoft issued patches, only organizations that didn't install them remained at risk. Staying up-to-date is one of the most effective (and simplest) security measures you can take.

  • Use Multi-Factor Authentication (MFA) wherever you can: MFA means that in addition to a password, you require a second proof of identity to log in, typically a temporary code from a smartphone app or text message, or a fingerprint/face scan. This makes it dramatically harder for someone to break into your accounts. Even if a hacker steals or guesses an employee’s password, they still can’t get in without that second factor. Turn on MFA for email, financial accounts, file storage, and any cloud services your business uses. Most major services (Microsoft 365, Google Workspace, banking apps, etc.) support MFA; often it’s just a settings toggle. It’s a bit of extra hassle for a legitimate user, but it’s one of the strongest defenses you can have. If a service offers two-factor authentication, enable it. It’s like adding a deadbolt on your digital front door.

  • Monitor Your Systems for Suspicious Activity: You can’t always prevent 100% of attacks, so it’s crucial to have a way to detect if something unusual is happening in your IT environment. Larger companies use things like intrusion detection systems and 24/7 security operations centers, but even a small business can do the basics. Make sure you have reputable antivirus/anti-malware software installed and kept up-to-date; it can catch many common threats. Use a firewall to monitor incoming connections. Many modern security tools or services (including those from MSPs, like PeachByte) can send you alerts if, say, there’s a login to your system at 2 AM, or a large amount of data being downloaded unexpectedly. Even reviewing your log files or account activity periodically can help spot a problem early. In the SharePoint case, an IT security firm noticed “unusual activity” on a client’s server, which helped uncover the breach quickly. That kind of vigilance can greatly reduce the damage if an incident occurs.

  • Educate and Train Your Team: People are often the weakest link in cybersecurity, but they can also be your strongest asset if educated. You don't need to turn your employees into IT experts, but basic security awareness goes a long way. Teach everyone on your team how to spot common scams: for example, how to recognize a phishing email (look for suspicious senders or urgent, fear-inducing language), and to double-check before clicking links or downloading attachments. Encourage a culture where it’s OK to pause and verify requests: if someone gets an odd email supposedly from the CEO asking for a wire transfer, they should feel free to call or message that person directly to confirm. Regular short trainings or even informal discussions about recent scams can keep security top-of-mind. Verizon reported that in 2024, a whopping 68% of breaches involved human error or social engineering tricks. Investing time in staff awareness is as important as investing in software. There are many free resources online for cybersecurity training, and some insurance providers or IT partners offer phishing simulation exercises that can be both eye-opening and educational.
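
For the monitoring step above, the kind of periodic log review it describes can be scripted. This is an added example, not PeachByte's tooling: it flags logins outside business hours and unusually large daily downloads per user. The log format, the sample lines, the function name `review_activity` and the thresholds are all assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample activity log (not real data): time, user, event, bytes
SAMPLE_LOG = """\
2025-07-21T09:14:02,alice,login,0
2025-07-21T09:20:11,alice,download,1200000
2025-07-21T10:02:45,bob,login,0
2025-07-21T10:30:00,bob,download,3500000
2025-07-22T02:07:33,bob,login,0
2025-07-22T02:09:10,bob,download,420000000
2025-07-22T02:15:48,bob,download,380000000
2025-07-22T08:58:19,alice,login,0
"""

# Assumed policy values; tune them to your own business.
WORK_START, WORK_END = 7, 19          # logins outside 07:00-18:59 are flagged
DAILY_DOWNLOAD_LIMIT = 500_000_000    # bytes per user per calendar day

def review_activity(log_text):
    """Return a list of (kind, user, detail) alerts found in the log."""
    alerts = []
    per_day = defaultdict(int)   # (user, date) -> bytes downloaded so far
    reported = set()             # (user, date) pairs already alerted on
    for ts, user, event, size in csv.reader(StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if event == "login" and not WORK_START <= when.hour < WORK_END:
            alerts.append(("off_hours_login", user, ts))
        elif event == "download":
            key = (user, when.date())
            per_day[key] += int(size)
            # Alert once per user per day, when the running total crosses the limit.
            if per_day[key] > DAILY_DOWNLOAD_LIMIT and key not in reported:
                reported.add(key)
                detail = f"{per_day[key]} bytes on {when.date()}"
                alerts.append(("large_download", user, detail))
    return alerts

if __name__ == "__main__":
    for kind, user, detail in review_activity(SAMPLE_LOG):
        print(f"ALERT {kind}: {user} ({detail})")
```

Neither of the two individual 2 AM downloads exceeds the limit on its own; the alert fires because the check is on the running daily total per user.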

PeachByte offers comprehensive cybersecurity solutions that include user training, phishing simulations, and ongoing awareness campaigns, designed to help your team spot threats before they become incidents. It’s not just about technology; it’s about building habits that keep your business secure from the inside out.


Conclusion: Stay Alert, Stay Secure

The idea of a nuclear weapons agency getting hacked may be scary, but it serves to remind us that cybersecurity is a universal concern. The same principles that protect a government agency can protect a retail shop, a startup, or a family business. The attackers and threats out there don't discriminate by size; they look for weaknesses. By learning from high-profile incidents like the SharePoint breach, we can all improve our defenses.

The key takeaways for a small business are clear: keep your systems updated, use strong authentication, monitor for threats, and educate your people. These steps aren’t overly costly or technical, but they yield huge security benefits. Yes, even with all these measures, no defense is perfect, but think of it like securing your home. You lock the doors, install an alarm, and teach your family safety habits. Could a determined burglar still find a way? Maybe, but you’ve dramatically lowered the odds. The same goes for cyber threats.

At PeachByte, we believe that with a bit of knowledge and the right precautions, cybersecurity doesn’t have to be overwhelming. Even small businesses can build smart defenses to punch above their weight. The fact that a well-resourced agency got breached is not a sign to throw up our hands in defeat; it’s a call to action to double-check our own readiness.

Stay safe out there.