April 10, 2026
There’s a comforting lie that business owners tell themselves: “We’re too small for hackers to care about us.” It made sense five years ago. Today it’s exactly backwards.
The business of ransomware has industrialised. The same criminal ecosystem that used to target Fortune 500 companies has built automation to hit thousands of small businesses at once. You’re not being specifically targeted — you’re being swept up by bots that scan the internet looking for any business with weak defenses and enough money to pay.
After years of high-profile breaches, large enterprises now spend millions on security: SOCs, red teams, advanced endpoint detection, zero-trust architectures. Attacking them is possible but expensive and slow. The ROI on attacking a Fortune 1000 company dropped.
A 50-person accounting firm or a regional retailer might pay a $200,000 ransom without blinking if the alternative is going out of business. Attackers learned quickly that many SMBs also carry cyber insurance that will pay out.
The average 30-person company still runs on consumer-grade antivirus, no multi-factor authentication on email, a part-time IT contractor who responds in 48 hours, and backups that haven’t been tested in two years. You don’t need to outrun the bear — you just need to have weaker defenses than the business next door.
The Hollywood version — a hacker furiously typing green code — is nonsense. Here’s what actually happens, in order:
A short list of unglamorous controls prevents the vast majority of attacks. In rough order of bang-for-buck:
Email. VPN. Remote desktop. Cloud admin portals. Anything exposed to the internet. MFA alone blocks over 99% of account-takeover attacks. If you do nothing else from this list, do this.
Replace consumer antivirus with a real EDR product (SentinelOne, CrowdStrike, Microsoft Defender for Business). These watch for suspicious behaviour, like a Word document spawning PowerShell.
Many attacks exploit vulnerabilities that had patches available for months. Automated patching of operating systems, browsers, and major apps closes that window.
Follow the 3-2-1-1-0 rule: 3 copies of data, on 2 media types, 1 off-site, 1 immutable (can’t be deleted), 0 errors on the last restore test. The immutable and tested parts are what stop ransomware from wiping your safety net.
Modern email gateways (Proofpoint, Barracuda, Mimecast, Microsoft Defender for Office 365) catch phishing before it reaches inboxes.
Does your receptionist need admin rights? Does everyone in finance need every HR file share? Ransomware spreads faster where everyone has access to everything.
Humans are the primary entry point. Quarterly phishing simulations and short training modules drive click rates down dramatically over time.
Insurers have tightened underwriting dramatically. Applications now require proof of MFA, EDR, tested backups, and employee training — or the policy won’t be issued. Insurance without these controls isn’t insurance; it’s false comfort.
A hardened small business can be secured for $20–$50 per user per month. An actual ransomware event costs most SMBs $150,000–$500,000 once you add ransom, downtime, forensics, legal fees, customer notifications, and deductibles.
You don’t need enterprise security. You need deliberate security — most of these controls are standard features of Microsoft 365 and Google Workspace that simply need to be turned on, configured, and monitored. If you want an honest assessment of where you stand, we run free 30-minute security reviews for businesses across Surrey, Vancouver, and Canada.