It might be surprising to hear that Romanian hackers allegedly stole credit card data between 2008 and 2011 from 150 Subway franchises and 50 other small businesses and racked up $3 million in bogus charges. But it shouldn’t.

Small business owners who think that they’d never be the target of cyber attacks—and a recent Symantec study [pdf download] says there are a whole lot—had better think twice. They are fast becoming the preferred target of criminal hackers. Unfortunately, most are so sure that they’re not on the virtual crime radar that they fail to take the measures necessary to keep their bank accounts, and their customers’ identities, safe.

The Subway franchises and other companies supposedly all had one thing in common: a type of remote access software on their computers. Presumably, the owners wanted access to the company systems from home. But the software is vulnerable to attacks. The hackers allegedly scanned the Internet for such systems, broke in, and got into the point-of-sale systems.

What makes this an example of foolishness is that the PCI Security Standards Council, which is the industry body that sets security standards for the payment card industry, specifically warns against having remote access software on computers that run POS systems. That requirement and others were handed to the Subway franchisees.

So why didn’t they take the proper precautions? Because, like most other small business owners, they thought they were invulnerable. A September study that Symantec did of 1900 companies around the country found that more than half of the businesses said that because they were small, they wouldn’t be a target of cyber attacks. As a result, few took the steps that would protect them.

But according to other Symantec research, the businesses are wrong, wrong, wrong. The firm found last year that 40 percent of all targeted cyber attacks were aimed at small and medium businesses. Here’s how Kevin Haley, director with Symantec Security Response, explains it:

They’re a very tempting target. They don’t have very good security but they also have things worth stealing. Let’s look at a banking situation where I’m trying to steal money from your bank account. If you’re a big company, there’s probably a lot of money there but you have a lot of security in place. As an end user, you’re easy to break into, but you don’t have much money in your bank account. But SMBs fit in the middle: They have a significant amount of money in the bank account but don’t do much about security.

To paraphrase bank robber Willie Sutton, SMBs are where the money is and the back doors are left open.

Still think no one would target you?