The cybersecurity threats most modern businesses run into today aren’t the dramatic, movie-style hacks. They’re the same five or six attack patterns repeating against everything that moves: ransomware on the helpdesk inbox, a phishing link in a Slack invite that looks just like the real one, a third-party vendor with the keys to half your accounts who forgot to rotate a credential last year, an employee on a personal laptop running a browser extension that turned malicious last Thursday. None of these are clever. All of them work, because the perimeter that most businesses still implicitly defend stopped matching how the work actually happens years ago.
This post is the high-level map of what business cybersecurity actually looks like today: where the perimeter cracks, what attackers reliably exploit, and what shifting your operating model does about it. It’s the version I send to clients before we get into specifics, so we’re both starting from the same set of assumptions.
What’s actually changed for business cybersecurity
The conversation with most clients used to be about firewalls and antivirus on the office desktop. The conversation now is about identity, third-party access, and the half-dozen SaaS tools the marketing team signed up for without telling anyone. The threat surface didn’t shrink. It moved.
Cloud and remote work made the office perimeter irrelevant
Cloud computing, IoT, and remote work are everywhere now. None of them are bad on their own. Each one just adds another entry point that doesn’t sit behind the firewall you used to trust. Employees log in from coffee shops on personal laptops, from home networks shared with smart TVs and teenage gaming rigs, from airport Wi-Fi. The “office network” as a security boundary has been functionally dead for years.

The modern stack has more entry points than the office firewall ever protected. Each cloud service, each SaaS tool, each remote endpoint is its own boundary that needs to defend itself.
The shift to hybrid work multiplied this. People use whatever devices they have, on whatever network is available, with whatever extensions they installed last quarter. You can’t enforce uniform security on a fleet of devices you don’t own and a network you don’t operate. The fix isn’t fighting reality; it’s accepting it and moving the security boundary to the identity and the workspace layer.

Remote work isn’t going away. Trying to defend a perimeter that no longer exists is how most “we hardened our network” projects end up underwater.
Most cybercrime is automation now
The phrase “sophisticated cyber threat” gets thrown around a lot, but most attacks against small and mid-sized businesses are not sophisticated. They’re industrial. Phishing kits are sold by subscription. Ransomware operators run affiliate programs. AI-driven payload generators hit thousands of inboxes a minute. The attacker isn’t a person; it’s a pipeline.
This actually changes how you should defend. You’re not protecting against a targeted attacker who knows your business. You’re protecting against a wide net that’s looking for the cheapest possible victim. Don’t be the cheapest possible victim. Almost every defensive measure that raises the cost of compromise even slightly turns the automation off, because there’s a softer target one IP over.
Compliance is a separate axis from security
Data privacy regulations (GDPR in the EU, CCPA in California, sector-specific rules like HIPAA and PCI DSS) keep showing up alongside cybersecurity in the same conversations, but they’re not the same thing. Compliance tells you what you’re allowed to do with the data; security is whether you can actually keep it from being stolen. A compliant business with weak security gets breached and gets fined. A secure business with weak compliance gets fined without being breached. Both matter; neither one substitutes for the other.
For most clients I work with, the practical implication is: pick the regulation that applies to you, document the controls you have, audit them annually, and stop pretending the compliance checkbox is the security strategy.
Your supply chain is your attack surface
Most businesses today depend on dozens of third-party services: payment processors, marketing platforms, customer support tools, CRMs, analytics. Each one of those vendors has access to some slice of your data and some level of trust in your accounts. They’re also each running their own security program with their own gaps.
The 2020 third-party breach that exposed customer data across 70+ platforms is the canonical version, but it happens at smaller scale every quarter. A vendor your marketing team integrated with two years ago has a credential leak today, and the access they had to your customer database is now the attacker’s access to your customer database.
Insider threats sit on the same axis. Whether the employee is malicious or just careless, the unauthorized data movement happens through accounts that the business itself granted. The defensive answer is the same in both cases: tighten what each account can actually do, and audit access continuously instead of at offboarding.
The skill gap is real, but the answer isn’t more headcount
There aren’t enough cybersecurity professionals to fill the open roles, and the cost of hiring the ones that do exist has gone vertical. That’s a real problem. The way most vendors want you to solve it is by buying their automated platform and paying for ongoing licenses.
The way I’d suggest solving it is by reducing the surface you actually have to defend. Fewer accounts to monitor, fewer admin permissions across the company, fewer endpoints handling regulated data. The skill-gap problem largely dissolves if you’ve simplified the environment to the point where one technical person can own its security in addition to other things, or where a small managed partnership can cover it without 24/7 staffing.
The financial weight of a breach is real and it’s getting heavier, both immediately (incident response, forensics, regulator fines) and over time (lost trust, churn, increased insurance premiums). The economically rational response is to invest in not getting breached, not to insure your way out after the fact.
The threats that show up most often
The above is the structural picture. The day-to-day picture is narrower. These are the specific incident types I see come up over and over with real businesses.
Ransomware

The classic pattern: an attacker encrypts your data and demands payment to release it. The newer pattern: they exfiltrate it first, then encrypt, so paying doesn’t actually undo the damage.
Cybersecurity Ventures predicted that by 2021 a business would fall victim to a ransomware attack every 11 seconds, and the trend has only gone vertical since. The economics work for the attackers because most businesses can’t operate while encrypted, can’t restore quickly enough from clean backups, and end up paying. The defenses that actually break this loop are immutable, encrypted, off-site backups, tested restore procedures, and identity-aware access that limits how far an attacker can pivot from the first compromised account.
Phishing
The FBI’s 2020 Internet Crime Report flagged phishing as the most-reported cybercrime, and every year since has reinforced the ranking. Sophistication varies wildly: some phishing is generic and easy to spot, some is hand-crafted to your specific business after weeks of reconnaissance against your LinkedIn presence. The defensive logic is the same either way: assume some percentage of phishing will succeed regardless of training (the post on the human element in cybersecurity defense is the longer version of why), and harden the layer underneath so a single stolen credential doesn’t unlock everything. MFA, hardware keys for high-value accounts, and password managers that refuse to autofill on the wrong domain do most of this work for you.
Third-party data breaches
The pattern is simple: you trust a vendor, the vendor has a breach, your data leaks because it was sitting in their system. Sometimes the leak is a misconfigured cloud bucket. Sometimes it’s a compromised employee at the vendor. Sometimes it’s a sub-vendor of theirs that you didn’t know existed. The defensive answer is to audit what each vendor actually has access to, revoke what they don’t need, and minimize the number of integrations carrying sensitive data in the first place.
DDoS
Distributed Denial of Service attacks remain a persistent threat to public-facing services and revenue-generating sites. The record-setting attacks of recent years have crossed into the multi-terabit range, which means even mid-sized businesses without specific DDoS mitigation can be knocked offline by a well-resourced attacker. Cloudflare, Fastly, and similar edge providers handle the bulk of mitigation for most clients I work with; what you save by running without one isn’t worth the downtime risk.
Insider data leaks
Insider threats account for a meaningful slice of breaches and tend to look benign right up until they aren’t. The Proofpoint case where a departing executive allegedly walked away with sales-enablement trade secrets is the public version, but smaller variations happen quietly all the time. Defensive controls that actually work: automatic offboarding flows that revoke every account on day one, DLP rules on the high-value document repositories, and access reviews quarterly instead of annually.
Cloud-based incidents
Cloud security incidents are now near-universal. A survey by a major cloud security vendor reported that more than 80% of organizations experienced a cloud security incident in the previous year. These aren’t all catastrophic, but they confirm that cloud is now the most active attack surface. Misconfigurations, over-permissive IAM roles, exposed storage buckets, and forgotten test environments are the classic causes, and almost all of them are preventable with periodic configuration review.
What to actually do about it
Most of this isn’t an exotic-tooling problem. The shape of a workable defensive program for a modern small or mid-sized business looks like:
- Enforce MFA everywhere it’s available, with hardware keys on the high-value accounts. The Authentik self-hosted identity provider is the SSO + MFA layer I default to for agency setups; 2FAuth is the self-hosted TOTP vault for the accounts that don’t speak SSO.
- Run a password manager and require it for every business account; ban shared credentials.
- Move sensitive work into hardened, isolated workspaces so a compromised personal device doesn’t take the business with it. The insurance-agent story is the lived example of why this matters.
- Keep backups immutable, stored off-site, and tested by actually restoring once a quarter.
- Harden the boxes that host this stack. The Linux server security fundamentals baseline is the fifteen-minute pass that goes on every server before anything else does, and the comprehensive WordPress security guide is the application-layer companion when WordPress is in the mix.
- Lock down the email layer. Phishing and business email compromise are the cybercrime categories that show up most often. SPF, DKIM, and DMARC done properly close the door, and the Managed Email Security engagement is what I run for clients who’d rather not own the protocol detail. (For the underlying server: Mailcow self-hosted email.)
- Behavioural blocking at the perimeter via CrowdSec catches the credential-stuffing and brute-force noise before it reaches your application logs.
- Audit third-party access quarterly. Revoke what isn’t actively used.
- Document an incident response plan and rehearse it once a year, even if it’s a tabletop exercise.
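The email-layer item above says "SPF, DKIM, and DMARC done properly" without spelling out what "improperly" looks like. As an added example (not code from the original post or from any of the tools it names), this grades the three records for the weak settings I most often find: a softfail or `+all` SPF, an SPF record over the 10-lookup limit, a DKIM selector with an empty key, and a DMARC policy of `p=none` with no reporting address. The domains and DKIM key are constructed placeholders; in practice you would feed it the TXT records from a DNS lookup.

```python
# Added example, not the post's own code; records below are constructed with placeholder names.
def _tags(record):  # parse a 'k=v; k=v' TXT record (DMARC, DKIM) into a dict
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def check_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record published"]
    terms = record.split()[1:]
    findings = []
    if any(t.lstrip("+") == "all" for t in terms):
        findings.append("SPF: '+all' authorises every host on the internet to send as you")
    elif "~all" in terms:
        findings.append("SPF: softfail (~all); move to -all once all senders are enumerated")
    elif "-all" not in terms:
        findings.append("SPF: no terminal -all, unlisted senders are not rejected")
    # RFC 7208: more than 10 DNS-querying mechanisms makes receivers return permerror
    mechanisms = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in terms if t.lstrip("+-~?").split(":")[0].split("=")[0] in mechanisms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10")
    return findings

def check_dkim(selector_record):
    if not selector_record:
        return ["DKIM: no selector record published"]
    if not _tags(selector_record).get("p"):
        return ["DKIM: empty p= tag (revoked key still referenced by the selector)"]
    return []

def check_dmarc(record):
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no record published"]
    tags = _tags(record)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports never reach you")
    return findings

def audit(spf, dkim, dmarc):  # all findings for one domain; an empty list means clean
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)
WEAK = ("v=spf1 include:_spf.crm.example.invalid ~all", "v=DKIM1; k=rsa; p=", "v=DMARC1; p=none")
HARDENED = ("v=spf1 include:_spf.crm.example.invalid -all", "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY",
            "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid")
```

`audit(*WEAK)` returns four findings and `audit(*HARDENED)` returns none; run it quarterly alongside the third-party access review, since the vendors you integrate with are the usual source of surprise `include:` entries.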
For a deeper take on the simplest version of the workspace-isolation piece, the virtual machines for secure work environments post walks through the do-it-yourself starting point. The Secure Workspaces solution is what that approach looks like when you scale it past two or three users and want it run for you. If you’d rather start with a structural review of the whole stack, the Cloud Infrastructure Audit & Hardening engagement is the natural starting point.
Closing the loop
The cybersecurity threats facing modern businesses aren’t getting more exotic. They’re getting more efficient. The defensive answer isn’t more tools. It’s a smaller surface to defend, harder identities, better-isolated workspaces, and a small number of well-rehearsed responses for when something does go wrong. Pick the parts of that picture that match your actual business, and ignore the parts that are sold to you as a substitute.
If you’d rather just hand the technical side of this off, that’s what most of my client work looks like. The infrastructure, the workspaces, the identity layer, and the monitoring sit on my plate, and the business gets to keep doing the thing it actually exists to do.
Further reading
- Cloudflare’s 2023 Phishing Threats Report has the cleanest data on the current shape of phishing-as-an-industry.
- Bitwarden’s cybersecurity tips for employees is a good baseline to share with non-technical staff.
- Protiviti’s Executive Perspectives on Top Risks survey is useful if you’re trying to align your priorities with what other operators in your sector are flagging.