Hackers Don’t Care How Small You Are — Here’s How to Protect Your Business

Think your business is too small to attract hackers? It isn’t. Attackers automate their scans and go where defenses are light. Small firms get hit a lot: the SBA cites research that 43% of cyberattacks target small businesses and only a small share feel ready to defend themselves (SBA). In the latest Hiscox Cyber Readiness Report, 59% of SMEs said they suffered a cyberattack in the last 12 months (Hiscox 2025; press release).

A quick, hypothetical “could happen tomorrow” scenario

Picture a Main Street practice (pick your industry). An employee reuses a password that was exposed in some unrelated website leak. An attacker logs in to email, watches payment traffic for a week, then sends a convincing “new banking details” message to your bookkeeper. A $25,000 wire goes out. A day later, your point-of-sale freezes with a ransom note. You’re offline, fielding angry calls, and under New York’s SHIELD Act you now have breach-notification duties if personal data was accessed (NY AG).

That’s not a horror movie — it’s how these incidents unfold.

Why small businesses get picked

  • Easy entry: In the Verizon DBIR, stolen or brute-forced credentials drive the majority of “hacking” breaches in key patterns; stolen credentials show up in ~80%+ of those cases (Verizon DBIR).
  • High frequency: SMEs report attacks every year; ransomware alone hits more than a quarter of firms and many still pay (Hiscox 2024/2025).
  • Real money: A small-business breach commonly runs ~$120,000 (and up) once you total downtime, forensics, notices, and reputation hits (BigID summary of 2024 DBIR data; PurpleSec).
  • Recovery isn’t instant: Multiple surveys find ~50% of SMBs take 24+ hours to recover from their most disruptive attack (NAVEX; StrongDM).

About that oft-quoted “60% of small companies close within six months” stat: it’s widely repeated but not well-sourced. Even the National Cybersecurity Alliance has flagged it as unsupported (NCSA statement). The point still stands: an uninsured, unprepared incident can be business-ending.

Five safeguards you can put in place this week

  1. Turn on multi-factor authentication (MFA) everywhere
    Email, banking, payroll, Microsoft/Google, remote access. Credential theft fuels the majority of break-ins (Verizon DBIR); MFA blocks most of those attempts, and an authenticator app or hardware key holds up against phishing far better than SMS codes.
  2. Back up like your revenue depends on it
    Daily backups of servers, workstations, and SaaS data; keep at least one copy off-network or in immutable cloud storage so ransomware can't encrypt it too. Test a restore on a schedule, not just once: a backup nobody has restored is a hope, not a plan.
  3. Train, then retrain, on phishing and payment fraud
    Teach “stop and verify.” Any request to change bank details or send a wire must be confirmed by calling a number already on file (never one taken from the request itself) or by another secondary channel. Run short refreshers quarterly; real attacks look like routine emails.
  4. Patch everything on a schedule
    OS updates, POS, routers, website plugins. Set auto-update where you can. Unpatched systems are the front door.
  5. Segment and monitor
    Use a business-class router/firewall. Put guest/personal devices on a separate Wi-Fi. Consider a low-cost EDR/AV tool for behavior-based blocking.
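Safeguard 2 is the one most often done halfway: the backup job runs nightly, but nobody proves it restores. The script below is an added example, not something this post or any vendor ships; it automates that proof for a small file-based backup. It archives a folder, records a SHA-256 manifest at backup time, extracts the archive into a throwaway directory, and compares every restored file against the manifest, reporting anything missing, altered, or unexpected. It also refuses archive entries that would write outside the restore folder or are links, which a restore tool should never accept from an archive it didn't just create. The folder and file names (`shop-data`, `customers.csv`, `pos/ledger.csv`) are constructed sample data.

```python
"""Back up a folder, keep a SHA-256 manifest, and prove the archive restores cleanly."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so a large POS database is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write src to a gzip tarball and return the manifest taken at backup time.
    Keep the manifest with the off-network copy; the restore test checks against it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def _safe_members(tar: tarfile.TarFile, dest: str) -> Iterator[tarfile.TarInfo]:
    """Yield archive members that are safe to extract: no '../' escapes, no links."""
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if target != dest_real and not target.startswith(dest_real + os.sep):
            raise ValueError(f"archive member escapes destination: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"refusing link in backup archive: {member.name}")
        yield member


def verify_restore(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Extract the archive into a scratch directory and compare it with the manifest.
    Returns a list of problems; an empty list means the restore is verified."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, members=_safe_members(tar, scratch))
        restored = build_manifest(Path(scratch))
        for rel, expected in manifest.items():
            actual = restored.get(rel)
            if actual is None:
                problems.append(f"missing: {rel}")
            elif actual != expected:
                problems.append(f"corrupt: {rel}")
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample data: one good backup, and one whose exclude filter silently
    dropped the ledger, which is exactly the kind of failure a restore test catches."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "shop-data")
        (src / "pos").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Ada Lovelace\n")
        (src / "pos" / "ledger.csv").write_text("date,amount\n2024-03-01,120.00\n")

        good = Path(work, "nightly.tgz")
        manifest = make_backup(src, good)
        good_result = verify_restore(good, manifest)

        bad = Path(work, "nightly-bad.tgz")  # constructed: exclude pattern was too broad
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(src, arcname=".",
                    filter=lambda ti: None if ti.name.endswith("ledger.csv") else ti)
        bad_result = verify_restore(bad, manifest)
    return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("good backup:", good or "restore verified")
    print("bad backup: ", bad)
```

Run it weekly from a machine that is not the one being backed up, and treat any non-empty result as an incident in its own right. The same idea applies to database and SaaS exports: restore the dump into a throwaway instance and compare row counts or checksums against what was recorded at backup time.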

Don’t forget: cyber liability insurance

No control is perfect. A solid cyber policy helps cover:

  • Breach response: forensics, notification, credit monitoring, PR, and legal.
  • Ransomware/Extortion: negotiators and restoration costs (policy terms apply).
  • Business interruption: lost income while systems are down.
  • Liability/regulatory: defense and fines/penalties where insurable (e.g., NY SHIELD Act enforcement) (NY AG overview).

Many small firms still don’t carry cyber insurance; some surveys put adoption near ~17% (B.D. Emerson roundup). If you handle customer data or take electronic payments, price it out — premiums are often reasonable for small operations.

A 10-minute checklist to start now

  • Do we have MFA on email, banking, payroll, and remote access?
  • Are backups recent, off-network, and test-restored?
  • Do we have a written “verify before you pay” step for any bank-detail change?
  • Are we patching Windows/macOS, POS, routers, and website plugins monthly?
  • Who’s our incident call tree (IT, legal, bank, insurance broker)?
  • Do we carry cyber insurance? If not, what would it cost?

Want help without the jargon?
Ask for a quick cyber risk review. We’ll check your controls, explain what a right-sized cyber policy would actually cover, and line up fixes you can do this week — so attackers move on to an easier target, and you’re financially protected if one slips through.

No guesswork.
No sales pitch.

We’ll review your current policy and explain what’s missing—or what’s too much.