When a big company gets hacked, the coverage almost always follows the same script. Someone chose them. Someone had a reason. There was a plan. It's presented like a heist movie where the villain spent months casing the joint before making their move.

It makes for a good story. It also lets every business owner reading it breathe a quiet sigh of relief, because clearly this only happens to companies with enemies.

That's the part worth pushing back on.

In March 2026, a company called Stryker had a very bad week. If you haven't heard of them, Stryker makes the equipment that keeps hospitals running—surgical tools, orthopedic implants, the robotic systems used in operating rooms. They're a Fortune 500 company with over 56,000 employees and products that reach more than 150 million patients across 61 countries. Not a small business, not a niche player. One of the most recognized names in medical technology.

A hacker group with ties to Iran claimed they wiped out 200,000 of Stryker's devices and systems and forced their offices in 79 countries to shut down. Employees showed up to work and found a hacker logo on their screens instead of the company's. The news coverage went wild with theories: was it because of Stryker's connections to Israel? A statement about the medical supply chain? Retaliation for US military actions in the region?

Maybe. But here's the more realistic read: the hackers had a way into Stryker's systems, they knew it was valuable, and they chose the most damaging possible moment to use it. Active military conflict was underway. The timing was intentional. The decision to act was deliberate.

What probably didn't happen is someone deciding Stryker was the target and then spending weeks figuring out how to get in.

That's a small distinction that has enormous implications for your business.

Here's something most business owners have never heard of: there are people whose entire job is breaking into companies—not to steal anything themselves, but to sell that access to someone else. It's a real, organized market. Think of it like a locksmith who makes a copy of your key and then auctions it off to whoever wants it. The locksmith doesn't rob you. They just hand the key to someone who will and collect a fee for the trouble.

These aren't rare, exotic operations. This happens constantly, across every industry, at every company size. A small accounting firm. A regional manufacturer. A medical practice. A law office. Access to any of these gets bought and sold, often for less money than you'd spend furnishing a conference room.

The buyer could be anyone—a ransomware group looking for a payday, a foreign government looking to cause disruption, or someone who just wants data they can sell. They don't pick your business because of who you are. They pick it because someone already found a way in and put it up for sale.

That's the part of these stories that never makes the news, and it's the part that should change how you think about your own exposure. Stryker is a $25 billion company, and if access to their systems ended up in the wrong hands through opportunity rather than deliberate targeting, the same thing can happen to any business running systems that haven't been properly looked after.

That’s the shift most organizations haven’t made yet.

The question isn’t whether someone would choose to target your business. It’s whether your environment is easy enough to access that it could be found, packaged, and sold without you ever knowing.

Because in a market where access is bought and sold every day, security isn’t just about stopping attacks. It’s about reducing the chances that your business ever becomes something a threat actor can purchase in the first place.

That’s not a technical question. It’s an operational one. And it’s one leadership teams need clear answers to before someone else decides your business is worth the price.

In Part 2, we'll talk about what "properly looked after" actually means in practice—and why the companies that avoid this aren't doing anything exotic.