A few months ago, I got a call from a restaurant group owner — three locations, about 40 employees. She’d woken up to find her point-of-sale system locked. A ransom message on every screen. $15,000 to get her data back.
She hadn’t opened a suspicious email. Nobody on her team had done anything obviously wrong. An outdated plugin on her booking system had left a door open, and someone walked right through it.
Her first words to me were: “I always thought hackers went after big companies.”
That’s the most dangerous myth in small business today. And it’s costing people everything.
Why Small Businesses Are Actually the Preferred Target
Here’s something most people don’t know. Cybercriminals aren’t just sitting in dark rooms trying to breach Fortune 500 companies. That’s actually hard. Those companies have entire security teams, enterprise-grade firewalls, and dedicated incident response protocols.
You know what’s easier? A 30-person logistics company running Windows 10 with no multi-factor authentication and a Wi-Fi password that hasn’t changed since 2019.
Small businesses are the path of least resistance. Less security investment. Smaller IT teams — if there’s one at all. Employees who’ve never had formal security training. And often, data that’s just as valuable as a large enterprise’s: client records, payment information, contracts, credentials.
43% of all cyberattacks target small businesses. Less than 20% of small businesses say they’re confident in their cybersecurity posture.
That gap is where attacks happen.
The Real Cost Isn’t Just the Ransom
When people think about a cyberattack, they imagine the dramatic moment — screens locked, data gone, hackers demanding payment. But that’s just the beginning of the damage.
The restaurant owner I mentioned ended up paying the ransom. That was $15,000. But then came the forensic investigation to figure out how they got in. The system rebuild. The two days of downtime across three locations. The PR damage when word got out. The legal consultation to understand her liability around customer data.
Total cost by the end? Closer to $60,000.
And she was one of the lucky ones. The average data breach costs a small business over $200,000 when you factor in everything. 60% of small businesses that experience a serious breach close within six months — not always because of the breach itself, but because of the cascading financial and reputational damage that follows.
The hard truth is that recovering from a breach is almost always more expensive than preventing it. And yet most small businesses spend almost nothing on proactive security.
The Gaps That Get Exploited Most
In the work we do at Do Systems, we’ve run hundreds of security assessments for small and mid-size businesses. The vulnerabilities we find most often aren’t exotic or complicated. They’re painfully common.
Weak or reused passwords are still the leading entry point for breaches. Most people know they shouldn’t reuse passwords across accounts. Most people do it anyway — especially in work environments where nobody’s enforcing a policy.
Phishing emails have gotten frighteningly convincing. They no longer look like the Nigerian prince scams from 15 years ago. Today’s phishing emails look exactly like invoices from your suppliers, shipping notifications, DocuSign requests. One click from one employee can hand an attacker full network access.
Outdated software is a gift to hackers. Every piece of software has vulnerabilities — the developers know this, which is why they release patches and updates. If your systems aren’t being updated regularly, you’re essentially leaving known doors unlocked.
No multi-factor authentication means a stolen password is all anyone needs. With MFA, a stolen password alone isn’t enough. Without it, your entire business might hinge on whether one employee uses “Password1” on their work account.
And then there’s backup — or the lack of it. Most small businesses have some form of backup. Very few have tested whether it actually works. We’ve seen companies lose years of data because their backup system had been silently failing for months.
What Proper SMB Cybersecurity Actually Looks Like
I want to clear something up: enterprise-level security doesn’t require an enterprise budget. The fundamentals that protect 90% of small businesses from 90% of attacks aren’t complicated or expensive. They’re just rarely implemented properly.
A proper security setup for an SMB includes a full audit of your current vulnerabilities — not a guesswork checklist, but an actual look at your network, devices, software, and access points. It includes multi-factor authentication across every critical system. Automated, tested backups stored in multiple locations including offsite. Real-time monitoring that catches unusual activity before it becomes a breach. And employee training — because your team is both your biggest vulnerability and your best line of defence.
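The "tested backups" point above, and the silently failing backups described earlier, come down to one question: can you restore from the file you have? The script below is an added example, not code from the original post or from Do Systems, that runs a restore test on a constructed tar.gz backup: it checks that the archive is present, fresh, decompresses, and restores to files whose hashes match a manifest written at backup time. The file names, the one-day freshness limit and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a restore test for a tar.gz backup.
# A backup only counts if it is fresh, decompresses, and restores to files whose
# hashes match a manifest taken at backup time. All paths below are constructed.

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR and record a sha256 manifest next to it
make_backup() {
  src="$1"; archive="$2"
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.sha256"
  tar -czf "$archive" -C "$src" .
}

# verify_backup ARCHIVE MAX_AGE_DAYS: returns 0 only if every check passes
verify_backup() {
  archive="$1"; max_age="$2"
  # 1. the file must exist and be non-empty (a failed job often leaves nothing or 0 bytes)
  [ -s "$archive" ] || { echo "FAIL: $archive missing or empty"; return 1; }
  # 2. freshness: a job that silently stopped leaves an old archive behind
  [ -z "$(find "$archive" -mtime +"$max_age")" ] || { echo "FAIL: archive older than $max_age days"; return 1; }
  # 3. integrity: a truncated or corrupt upload fails the gzip self-test
  gzip -t "$archive" 2>/dev/null || { echo "FAIL: archive is corrupt"; return 1; }
  # 4. restorability: extract to scratch space and compare every file against the manifest
  scratch=$(mktemp -d)
  if tar -xzf "$archive" -C "$scratch" && ( cd "$scratch" && sha256sum -c --quiet "$archive.sha256" ); then
    rm -rf "$scratch"; echo "OK: restore test passed"; return 0
  fi
  rm -rf "$scratch"; echo "FAIL: restored files do not match manifest"; return 1
}

# demo_good: constructed sample data, backed up and verified; returns 0 when verification passes
demo_good() {
  work=$(mktemp -d); mkdir "$work/data"
  printf 'order 1001, table 4\n' > "$work/data/orders.csv"
  printf 'alice,server\n' > "$work/data/staff.csv"
  make_backup "$work/data" "$work/pos-backup.tgz"
  if verify_backup "$work/pos-backup.tgz" 1; then rc=0; else rc=1; fi
  rm -rf "$work"; return $rc
}

# demo_truncated: the same backup cut short mid-transfer; returns 0 when the verifier catches it
demo_truncated() {
  work=$(mktemp -d); mkdir "$work/data"
  printf 'order 1001, table 4\n' > "$work/data/orders.csv"
  make_backup "$work/data" "$work/pos-backup.tgz"
  head -c 40 "$work/pos-backup.tgz" > "$work/cut.tgz" && mv "$work/cut.tgz" "$work/pos-backup.tgz"
  if verify_backup "$work/pos-backup.tgz" 1; then rm -rf "$work"; return 1; fi
  rm -rf "$work"; return 0
}

demo_good && demo_truncated && echo "both scenarios behaved as expected"
```

On a real system, schedule verify_backup against the most recent archive and alert when it returns non-zero; a backup that has never been restored is an assumption, not a safeguard.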
That last one matters more than most people realise. The most sophisticated firewall in the world won’t stop an employee from entering their credentials into a convincing fake login page. Awareness training isn’t just a nice-to-have. It’s a core part of your security posture.
The Conversation You Don’t Want to Have
Every business owner I’ve had a post-breach conversation with says the same thing in some form: “I knew I should have dealt with this sooner.”
Security always feels like something you can handle later. There’s always a more pressing priority. Until the morning you wake up to locked screens and a ransom demand — and “later” has already become “too late.”
The restaurant owner I mentioned at the start has since rebuilt her systems with proper security in place. She told me recently that the peace of mind alone was worth every dollar. She has stopped thinking about it. Which means she can focus on actually running her business.
That’s what good security gives you. Not just protection. Clarity.
Is your business actually protected — or just hoping it won’t happen to you?
Book a free cybersecurity assessment with the Do Systems team at www.dosystemsinc.com — we’ll show you exactly where your gaps are, with no obligation and no jargon.