"There is nothing more deceptive than an obvious fact." — Sherlock Holmes
Initially, there were a few million internet users; now there are a few billion. In the beginning, a user used a handful of apps or services. By now, we might have tried out at least a dozen messenger and social media apps alone on average. Add the billions of non-human internet-connected devices, and that is far too many entry points for attackers. In what less obvious ways can you come under cyber attack, apart from the most commonly known technical attacks such as viruses and hacking?
The partners you trust might have been compromised
Humans and machines connect to services, which are in turn often connected to dozens or hundreds of other services. When an attacker gets hold of a compromised account, they can potentially use many of the underlying services. For example, if you rely on Google Single Sign-On and it is compromised, the attacker may get access to all the internal and external services that depend on Google's login.
Business growth is a signal that you need a Cybersecurity framework
Suppose your organization hasn't grown. That isn't good for the business, but it is good for cybersecurity. Conversely, suppose your organization has been succeeding. That's good for the business, but not so much for cybersecurity. The moment you start emerging as a serious player in the market, you attract cyber attackers' attention.
If you have money but barely have an online presence, you're likely to be attacked, too
It doesn't matter how small your online presence is. For example, say you are releasing an alpha version of a fund transfer portal to a closed group of users. If it can be exploited to get access to the money, attackers will make sure you pay. Likewise, if you and your people expose personal data online, primarily via social media, that is somehow relevant to the password or secret question and answer used to access funds, you will be under attack. If you have funds, someone is always watching and scrutinizing you and your online behavior, no matter how small your online footprint is.
Using your resources to attack others
Let's say you're running a popular blog hosted on WordPress, and you have a plugin installed that allows an attacker to inject PHP code that embeds a JavaScript snippet for all readers. This makes it possible to turn your readers into a network of bots and launch a coordinated attack that is hard for the victim to detect. If you have 5000 active readers, imagine the victim getting DDoS attacks from 5000 different and legitimate IP addresses. It is non-trivial for the victim to identify whether this is a legitimate use of the services or otherwise.
Criminal groups and (real) terrorists
If you are into art & literature, you might have learned how mafia groups work. It is not difficult to imagine that there could be many ways a group's interests may be served by attacking you and/or hijacking data from you. As in real life, it is non-trivial to identify and correlate attack incidents with such groups, but know that the motive exists.
Disgruntled employees
Your family members can do the most damage to you unless you have no ties with them. The same goes for employees. It is nearly impossible to act as a gatekeeper for all the IT resources your company uses to build your business. The developers who build your systems may have unrestricted access to critical production systems, especially for debugging purposes. IT admins, on the other hand, manage all access. Humans are highly unpredictable, so there is no reason to be surprised if someone has malicious intent, possibly after quitting, getting fired, or not getting what they want.
Geopolitical crises
Read the news regularly, even if it upsets you, especially news of a geopolitical nature. Say you do business with a country, or with an organization that has an office in that country. A group is upset with that country for reasons that may not be remotely related to your industry. They want to make a statement, take revenge, or show that they can negatively impact that country by attacking your business. Even if your organization does not seem big enough to attack, you should remain vigilant. Sometimes attackers do not discriminate between targets, aiming to increase the number of victims regardless of attack quality.
Pandemics
Crises make people vulnerable, especially when they are health- and wellbeing-related. People tend to give away everything or do anything to be able to survive. Personal data is more valuable for netizens than cash. However, crises may trivialize the sense of the value of data. Therefore, pandemics such as COVID-19 bring many opportunities for attackers, who lure victims with fake vaccines and cures.
Another example is stealing identities to claim unemployment insurance. Governments in many countries are offering cash benefits to prevent an economic collapse. It is essential to educate the people in your organization about the danger of falling into such traps and getting business systems compromised as a result.
Conclusion
According to IBM, it takes 280 days on average to detect and contain a data breach. If you don't put monitoring measures in place, you will not even know that your data has been compromised until the damage may already have been done. Cybercriminals can put your business one lawsuit away from annihilation, let alone the damage they can cause directly. When it comes to cybersecurity, always expect to be surprised in unexpected ways.