For most owner-led small businesses, "cybersecurity" is not a data center problem. It is your website, your contact forms, your email, and the handful of cloud accounts your business actually runs on. That is your whole attack surface — and it is usually the least attended-to part of the business, because nobody is formally responsible for it.
A ransomware attack costs a small business an average of $200,000. Not including the lost revenue while your systems are down. Not including the customers who leave because they no longer trust you with their data. Not including the three to six months of cleanup work afterward. If you are a CEO or founder running a company with 5 to 50 employees, cybersecurity probably ranks somewhere between "important" and "I know I should do something about it" on your priority list. It sits there alongside getting a flu shot and updating your estate plan — things you know matter but keep putting off because nothing bad has happened yet.
Here is the thing: the companies that get hit almost never saw it coming. They were not being reckless. They just did not think they were a target.
You are a target. Not because hackers have a personal vendetta against your company, but because small and mid-size businesses are the softest targets on the internet. You have valuable data, weak defenses, and limited ability to fight back. Attackers know this.
This post covers the five things every business leader needs to understand about protecting their company. No technical jargon. No scare tactics. Just the practical stuff that actually reduces your risk.
Thing 1: Your People Are Your Biggest Vulnerability
Ninety percent of successful cyberattacks start with a person clicking something they should not have clicked. Phishing emails — the ones designed to look like they are from your bank, your vendor, or your CEO — are the number one attack vector for businesses your size.
And they have gotten very good. The phishing email of 2015 had obvious spelling errors and came from suspicious addresses. The phishing email of today is nearly indistinguishable from a legitimate message. It uses your company's actual branding, references real projects, and sometimes even mimics the writing style of people you know.
What to do about it:
Train your team — but train them correctly.
The annual "click through this boring presentation about cybersecurity" training does almost nothing. People forget it within a week. What actually works:
- Monthly phishing simulations: Services like KnowBe4 or Proofpoint send fake phishing emails to your team and track who clicks. People who click get immediate, brief training. This creates ongoing awareness instead of a once-a-year event.
- The three-second rule: Train your team to pause for three seconds before clicking any link or opening any attachment. In those three seconds, they should ask: Did I expect this? Does the sender's address look right? Does this feel unusual?
- Make reporting easy and safe: Your team should be able to report suspicious emails with one click, and they should never be punished for reporting something that turns out to be legitimate. You want a culture where people flag everything questionable.
Implement a verification process for financial requests.
One of the most common attacks against small businesses is business email compromise (BEC). An attacker gets access to your email (or spoofs it convincingly) and sends a message to your bookkeeper or controller: "Please wire $35,000 to this new vendor account." The email looks exactly like it came from you.
The fix is simple and free: Any financial transaction above a certain threshold (you decide — $1,000, $5,000, whatever fits your business) requires verbal confirmation. A phone call. Not a text. Not a reply email. A phone call to a known number. This one policy eliminates the most damaging form of email-based attack.
Thing 2: Multi-Factor Authentication Is Non-Negotiable
If your business email, your banking, your CRM, your accounting software, or any other critical system is protected only by a username and password, you are one stolen password away from a breach.
Passwords get stolen constantly. Data breaches at other companies expose them. Employees reuse them across personal and work accounts. They get guessed by automated tools that try millions of combinations per hour.
Multi-factor authentication (MFA) means that even if someone steals a password, they still cannot get in. They need a second factor — typically a code from an authenticator app on a phone or a physical security key.
Implementation priority:
- Business email — this is the master key to everything else. If an attacker owns your email, they can reset passwords to every other system.
- Banking and financial systems — direct access to your money
- Cloud storage (Google Drive, Dropbox, OneDrive) — where your sensitive documents live
- CRM and customer database — your customer data
- Everything else — every system that supports MFA should have it turned on
This costs nothing for most services (MFA is a built-in feature) and takes about 10 minutes per system to set up. If you do nothing else after reading this post, turn on MFA for your business email this week.
Thing 3: Backups Are Your Safety Net (If They Actually Work)
When ransomware hits, it encrypts your files and demands payment for the decryption key. If you have good backups, you can restore your systems without paying the ransom. If you do not, you are either paying criminals or starting your business over from scratch.
But here is what most people get wrong about backups: they assume their backups work because they set them up once and never checked again.
The 3-2-1 backup rule:
- 3 copies of your important data (the original plus two backups)
- 2 different types of storage (for example, a cloud backup and an external drive)
- 1 copy stored off-site (physically separate from your primary location — cloud backups satisfy this)
Critical: At least one backup must be disconnected from your network. If your backup drive is always plugged in or always connected to the internet, ransomware will encrypt it along with everything else. The technical term is "air-gapped" but the concept is simple: keep one backup that an attacker cannot reach.
Test your backups quarterly. Pick a random file. Try to restore it from your backup. Time how long it takes. If you have never tested a restore, you do not actually have backups. You have a false sense of security.
We had a client discover during a backup test that their backup system had been failing silently for four months. No error messages. No alerts. Just quiet failure. If they had been hit with ransomware during those four months, they would have lost everything. A 30-minute quarterly test would have caught this immediately.