It's hard to imagine that your small business could be singled out for attack by a hacker, but it is entirely possible. Not only possible, it's likely. This article from Dark Reading provides a great analogy:
"If you're an armed robber, which do you target: a major national bank, or your local liquor store? True, the rewards at the bank are potentially much greater -- but so are the risks. In the end, most robbers choose the local store, where they know the defenses are weakest."
You must also remember that the average hacker does not work alone. The hacker has deployed numerous pieces of code on websites or via email to do the research for them. For each employee on your network who may be visiting a site of a personal nature or just conducting business with a suppliers website, your business is exposed. Once a vulnerability has been identified, the depth (or opportunity) is logged for the hacker to pursue later. Much like email is delivered to your inbox each day, a hacker has a new list of targets each time they log on.
What should you do to prevent this? There are no miracle cures obviously. Practice due diligence by confirming all assumptions about your network and any solution provider you bring in. Accept that practicing security is an investment not an expense.
Here are a couple of additional links to review: