This in-depth article explains why smaller companies are under as much risks of cyber-attack as large, well established ones: the value of the disruptive technologies they are developing, the fact that they are networked to larger firms through supply chain software, that they use cloud technologies to lower costs and that employees use their own devices at work. Board of directors of these companies cannot just accept the risks and should look for the company to adopt a balanced approach toward security, which is part prevention, part detection and part response.