A 30-person company often assumes it is too small to be a target.
That assumption is the target.
Here is what most owners get wrong. They picture a hacker choosing them on purpose, studying the company, deciding it is worth the effort. That is not how most attacks work. Attackers run automated tools that knock on millions of doors at once, looking for any that are unlocked. They do not know your name. They do not care what you do. They care that you are easy.
And a small business is often easier than a large one. No dedicated security team. No one is reviewing logs. Some cash in the bank and a lot of trust between employees who all know each other. That combination is exactly what these tools are built to find.
The good news is that the basics stop most of it. Three things you can do this week, for almost nothing:
- Turn on multifactor authentication everywhere, not just email. It blocks the large majority of account attacks on its own.
- Make sure your backups exist and can actually be restored. A backup you have never tested is a guess, not a backup.
- Train your team to slow down on email links and payment requests. Most breaches start with one person clicking too fast.
None of this is exciting. That is the point. The boring work keeps you out of the headlines, and it costs far less than the cleanup.