HomeBlogOpsOSBook a Call
Back to All Articles
CybersecuritySMB OperationsDigital TransformationOperationsBusiness Growth

Cybersecurity Isn't Just an IT Problem

43% of cyberattacks target small and mid-sized businesses, and 60% fold within six months of an attack. Your operational systems are either your best defense or your biggest vulnerability.

Erwan Folquet
By Erwan Folquet
March 16, 2026
8 min read
Cybersecurity Isn't Just an IT Problem

Cybersecurity as an operational imperative — not just an IT checkbox

Let me tell you about a Tuesday afternoon that changed everything for a $28M HVAC contractor in the Southeast.

At 2:14 PM, their office manager clicked a link in an email that looked like it came from their insurance broker. By 2:17 PM, ransomware had encrypted their entire server — project files, accounting data, customer records, everything. By Wednesday morning, the hackers demanded $350,000 in Bitcoin to restore access.

The company didn't have $350,000 in liquid cash. Their backups? On the same server that was now encrypted. Their disaster recovery plan? Nonexistent. Their cyber insurance? They'd declined it during their last renewal because "we're an HVAC company, not a bank — who would target us?"

It took 11 weeks to rebuild their systems. They lost $1.2M in revenue during the downtime. Three major clients moved to competitors. Two key employees quit because they couldn't handle the chaos. The owner later told me: "I almost lost a business I spent 22 years building because of one email."

This isn't an anomaly. This is the new normal for mid-market businesses.

The Numbers You Can't Ignore

The statistics around cybersecurity for small and mid-sized businesses are staggering — and they're getting worse:

  • 43% of all cyberattacks target small businesses, according to Verizon's annual Data Breach Investigations Report
  • 60% of small businesses that suffer a cyberattack go out of business within six months, per the U.S. National Cyber Security Alliance
  • The average cost of a data breach for companies with fewer than 500 employees is $3.31 million, according to IBM's Cost of a Data Breach Report
  • Only 14% of small businesses rate their ability to mitigate cyber risks as "highly effective," per Accenture
  • Ransomware attacks increased 105% year-over-year in 2024, with mid-market businesses seeing the sharpest increase in targeting

Why do attackers target mid-market businesses? Because you're the perfect victim. You have enough data and revenue to make the attack profitable, but you typically lack the security infrastructure that makes enterprise targets harder to breach. You're the unlocked car in a parking lot full of locked ones.

Why Cybersecurity Is an Operations Problem

Here's where most SMB cybersecurity advice goes wrong: it treats security as an IT issue. Install antivirus software. Set up a firewall. Use strong passwords. Check the boxes and move on.

But the vast majority of successful cyberattacks against mid-market businesses don't exploit sophisticated technical vulnerabilities. They exploit operational vulnerabilities — the gaps in how your business actually functions day to day.

Operational Vulnerability 1: The Shadow IT Ecosystem

Your team is using tools you don't know about. Personal Dropbox accounts for file sharing. WhatsApp for project communication. Free online PDF converters for document processing. Personal email accounts to forward work files.

According to Gartner, 30-40% of IT spending in enterprises goes to shadow IT — technology adopted outside of IT's control. In mid-market businesses without a formal IT department, that percentage is likely higher. Much higher.

Every shadow IT tool is an unmonitored access point to your business data. When your project manager shares blueprints via a personal Google Drive, those files exist outside your security perimeter, outside your backup system, and outside your control.

Operational Vulnerability 2: Process Gaps That Create Attack Surfaces

Consider the common mid-market payment process: a vendor sends an invoice via email, the accounts payable clerk matches it against a PO, and the owner approves payment. Simple enough.

Now consider the attack vector called Business Email Compromise (BEC), which the FBI reports caused $2.7 billion in losses in 2023 alone. An attacker gains access to a vendor's email account (or creates a convincing lookalike), sends a fraudulent invoice with updated banking details, and your AP clerk processes the payment — following your standard process perfectly.

The process was designed for efficiency, not security. There's no verification step for banking changes. There's no out-of-band confirmation with the vendor. The process itself is the vulnerability.

Operational Vulnerability 3: Access Without Boundaries

When an employee joins your company, they typically get access to everything — email, file shares, accounting software, project management tools, CRM. It's easier to give universal access than to figure out role-based permissions.

When that employee leaves, how quickly is their access revoked? In most mid-market businesses, the honest answer is "days to weeks — if we remember at all." Former employees with active credentials are one of the most common breach vectors for SMBs.

This is an operational problem — onboarding and offboarding processes that don't include access management as a standard step.

Operational Vulnerability 4: The Backup That Doesn't Work

"We have backups" is the most dangerous sentence in SMB cybersecurity. Because having backups and having functional, tested, isolated backups are completely different things.

Common backup failures in mid-market businesses:

  • Backups stored on the same network as production systems (encrypted together during ransomware attacks)
  • Backup processes that stopped running months ago and nobody noticed
  • Backups that have never been tested for restore capability
  • Backup scope that misses critical systems (backing up files but not databases, or databases but not configurations)

Your backup isn't a security measure until you've successfully restored from it. If you've never tested a restore, you don't have a backup — you have a hope.

The People Problem

Technology can detect threats, but people create most of them. According to Stanford University research, 88% of data breaches are caused by human error. In a mid-market business, the human error surface is particularly large because:

Training is rare. Most mid-market employees have never received cybersecurity training. They don't know how to identify phishing emails, don't understand why they shouldn't use the same password everywhere, and don't recognize the social engineering tactics that attackers use daily.

Culture doesn't prioritize security. In a construction company or manufacturing operation, the culture prioritizes getting the job done. Security measures that slow things down get bypassed. The shared admin password exists because it's faster than individual accounts. The USB drive gets plugged in because the file needs to transfer now.

Accountability is diffuse. Without a CISO or even a dedicated IT person, nobody owns security. The "IT guy" might be the office manager's nephew who's good with computers. The security "strategy" is whatever the managed service provider included in their standard package.

Building Cybersecurity Into Operations

The solution isn't to hire a CISO or buy enterprise security software. It's to embed security thinking into the operational processes you already have — the People, Process, and Technology approach that AnchorPoint applies to every operational challenge.

People: Build a Security-Aware Culture

You don't need your warehouse workers to understand encryption algorithms. You need them to understand three things:

  1. Don't click suspicious links or attachments. If it looks wrong, it probably is. When in doubt, call the sender on a known phone number.
  2. Protect credentials. Unique passwords for every system. A password manager to make this manageable. Multi-factor authentication wherever available.
  3. Report anomalies. If something seems off — an unusual email, an unexpected login prompt, a system behaving strangely — say something immediately. The difference between a prevented breach and a catastrophic one is often the 15 minutes between "that's weird" and "I should tell someone."

Training doesn't need to be elaborate. A 30-minute session quarterly, with real examples of attacks targeting businesses like yours, is more effective than an annual compliance checkbox exercise.

Process: Close the Operational Gaps

Review every process that touches sensitive data or financial transactions with a security lens:

Payment processes. Add an out-of-band verification step for any change to vendor banking information. This means calling the vendor at a known number — not the number in the email requesting the change — to confirm the request. This single step prevents the vast majority of BEC fraud.

Access management. Build access provisioning and deprovisioning into your onboarding and offboarding checklists. When an employee starts, they get access to exactly what their role requires — no more. When they leave, access is revoked the same day — no exceptions.

Incident response. You need a plan before you need a plan. Who do you call when something happens? What systems get isolated? How do you communicate with clients? Where are the backup restoration procedures documented? This doesn't need to be a 50-page binder. It needs to be a two-page document that everyone can find and follow under pressure.

Vendor management. Your security is only as strong as your weakest vendor's security. Any vendor with access to your systems or data should meet minimum security standards. Ask the uncomfortable questions: Do you encrypt data? How do you handle credentials? When was your last security assessment?

Technology: The Right Tools, Properly Configured

After — and only after — addressing the people and process dimensions, implement technology that supports the security posture you've designed.

For most mid-market businesses, the essential technology stack is:

  • Endpoint protection (modern antivirus that uses behavioral detection, not just signatures)
  • Multi-factor authentication on all cloud services and remote access
  • Email filtering with advanced threat protection (catches the phishing emails before your team sees them)
  • Automated, isolated backups with regular restore testing
  • Network segmentation (so that a breach in one area doesn't compromise everything)
  • Monitoring and alerting (someone — even a managed service provider — needs to be watching for anomalies)

Notice what's not on this list: expensive SIEM systems, AI-powered threat hunting platforms, zero-trust architecture. Those are enterprise tools for enterprise problems. Your goal is to be the locked car, not Fort Knox. Lock the doors, close the windows, and don't leave valuables on the seat.

The Wright Brothers Thin-Slice Approach to Cybersecurity

Trying to implement a comprehensive cybersecurity program all at once is overwhelming — which is why most mid-market businesses never start. AnchorPoint's Wright Brothers thin-slice methodology breaks the challenge into manageable, sequential improvements.

Thin Slice 1 (Week 1-2): Multi-factor authentication and password management. Enable MFA on email, banking, and any cloud-based business application. Deploy a password manager company-wide. This single change prevents the majority of credential-based attacks.

Thin Slice 2 (Week 3-4): Backup verification. Audit your current backup system. Ensure backups are isolated from your primary network. Perform a test restore. If the restore fails, fix it before moving on. This is your safety net — make sure it actually catches.

Thin Slice 3 (Month 2): Process hardening. Implement the payment verification, access management, and incident response processes described above. These are operational changes, not technology changes — they cost nothing but time and discipline.

Thin Slice 4 (Month 3): Training and monitoring. Conduct your first security awareness training. Engage a managed service provider for monitoring and alerting if you don't have internal IT capability. Establish the cadence for quarterly training and annual process reviews.

Within 90 days — one Protocol TRIOS cycle — you've moved from "we're probably a target" to "we're defended against the most common attacks." Not perfect. Not enterprise-grade. But dramatically more resilient than you were on day one.

The Cost of Action vs. Inaction

"We can't afford cybersecurity" is the most expensive sentence in business.

The average cost of the improvements described above — MFA, password management, backup verification, process changes, basic training — is $5,000-$15,000 for a typical mid-market business. Annual ongoing costs for monitoring and training run $12,000-$24,000.

Compare that to the average breach cost of $3.31 million. Or the 11 weeks of downtime that HVAC contractor experienced. Or the 60% of businesses that never recover.

Cybersecurity isn't an IT project. It's an operational imperative. And the time to act isn't after the Tuesday afternoon that changes everything — it's before.

The Bottom Line

Your operational systems — the way your people work, the processes they follow, the technology they use — are either creating cyber vulnerabilities or preventing them. There's no neutral position.

Every shared password is a vulnerability. Every undocumented process is an attack surface. Every untrained employee is a potential entry point. And every day you delay addressing these operational gaps is a day you're betting that the attackers will target someone else.

That HVAC contractor made that bet for 22 years. He was right for 21 years and 364 days. On day 22 times 365, he nearly lost everything.

Don't wait for your Tuesday afternoon. Start building your defenses today. Not with expensive technology. Not with a CISO hire you can't afford. With the People, Process, and Technology framework that turns your operations from your biggest vulnerability into your strongest defense.

Share this article

Related Topics

CybersecuritySMB OperationsDigital TransformationOperationsBusiness Growth

Related Articles

AI Agents in Operations: Beyond the Buzzword

AI Agents in Operations: Beyond the Buzzword

Everyone's talking about AI agents. Nobody's explaining what they actually do in a 50-person construction company. Here's the practical reality — no hype, no jargon, just applications that work.

Mar 16, 2026Read more
The AI Divide: 68% of Small Businesses Use AI — But Only 15% Have a Strategy

The AI Divide: 68% of Small Businesses Use AI — But Only 15% Have a Strategy

Most small businesses are dabbling with ChatGPT. A few are using AI to redesign their entire operations. The gap between these two groups is about to become permanent.

Mar 18, 2026Read more

Contact Us

Let's connect and discuss how we can help you with tailored data technology solutions for your business.

Get the best data & AI experts for 30 minutes
info@anchorpointdata.com
4388 Rue Saint-Denis 200 #919 Montreal QC H2J 2L1
Schedule a free consultation