You Don't Have to Be a Big Target to Be the Next Victim
Key Takeaways
- Ninety-four percent of SMBs have experienced at least one cyberattack. Attackers target vulnerability, not organizational size.
- Incident response planning follows four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident review.
- Most small organizations skip the preparation phase because it feels abstract. That miscalculation is what separates organizations that survive from those that do not.
- Cyber liability insurance now requires documented controls and a documented response plan to qualify. The qualification process forces the preparation work.
- Every third-party platform connected to your environment extends your security perimeter and becomes part of your vendor risk.
A True Story
A nonprofit director on Chicago’s South Side called me after eleven days offline. Ransomware had taken her systems down — a workforce development program, modest staff, the database that tracked participants and connected residents to jobs.
Eleven days is not an IT problem for an organization like that. It is eleven days of people not getting placed in jobs.
She told me she never thought they had anything worth stealing. She was wrong.
That story is not an anomaly. It is the pattern.
What the Industry Reports
In 2025, global cybercrime costs reached $10.5 trillion, according to Cybersecurity Ventures, a figure that, measured as a national economy, would rank third in the world behind only the United States and China. That level of financial incentive does not produce a criminal ecosystem that goes after large, well-defended targets and ignores everyone else. It produces one that scales. It goes after whoever is most accessible. And right now, small businesses and nonprofits are among the most accessible organizations in the digital economy.
Consider what the data actually shows. According to a 2024 survey conducted by Vanson Bourne and commissioned by ConnectWise, 94 percent of SMBs have experienced at least one cyberattack, a dramatic rise from 64 percent in 2019.
According to the Verizon 2025 Data Breach Investigations Report, 37 percent of companies hit by ransomware have fewer than 100 employees. The median ransom payment has reached approximately $115,000, according to Coveware’s Q4 2024 data, and that figure does not include the cost of forensic response, data recovery, and system hardening that typically follows. For a small business or nonprofit operating on thin margins, that is not a disruption. That is an ending.
The question I hear most often is some version of: why would anyone come after us? The answer is simpler than most people want to accept. Attackers are not always coming after you specifically. They are scanning for vulnerability, and if your systems present an opening, they will walk through it, regardless of your size, your sector, or what you think you have worth protecting.
A Framework for What to Do About It
What changes the outcome is preparation. Not perfection but preparation. And there is a structured process for it.
Phase One: Preparation
The first phase covers the decisions you make and the protections you put in place before anything goes wrong. This includes identifying what data you hold and who has access to it, establishing baseline endpoint security across all devices, putting data backup systems in place that cannot be reached by ransomware (offline, immutable, or held on storage with separate credentials from the systems being backed up), and documenting the steps your organization will take if a breach occurs. Most small organizations skip this phase because it feels abstract until something happens.
That is the miscalculation.
Phase Two: Detection and Analysis
The second phase is developing the ability to recognize when something is wrong. An operational glitch and a cybersecurity event are not the same thing, and treating every alert as a crisis or dismissing every anomaly as a technical hiccup both carry real costs.
Most breaches are not discovered immediately. The average attacker spends weeks inside a network before detection, and every day that window stays open, the damage compounds. Organizations that have monitoring in place close that window faster, and they are better positioned with insurance carriers, whose underwriting standards now require documented detection capability as a condition of coverage.
Detection is not an advanced practice. It is what separates organizations that contain an incident from organizations that discover they had one months later.
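The distinction drawn above, between an operational glitch and a security event, is easier to see on real log data than in the abstract. The following is an added example, not code from the article or from Data Defenders, that runs simple detection logic over a constructed set of authentication log lines. It assumes a log format of its own ("timestamp result user source-ip"), a hypothetical office network range, and thresholds chosen for illustration. It separates three situations that all look like "failed logins": one source failing against many different accounts (a password spray, escalated further if any account then succeeds), one external source hammering a single account, and one internal workstation failing repeatedly on its own user's account, which is most often a stale saved password rather than an attack.

```python
"""Added example: triaging failed logins into spray, brute force, or likely glitch."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions of this example (hypothetical, not from the article):
# a log line is "<ISO timestamp> <OK|FAIL> <username> <source ip>", and the
# office LAN is 192.0.2.0/24. Thresholds are illustrative; tune them to your volume.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts failed from one source within WINDOW
BRUTE_MIN_FAILS = 5      # failures against a single account from one source within WINDOW

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2025-03-04T09:00:01 FAIL alice 203.0.113.7
2025-03-04T09:00:02 FAIL bob 203.0.113.7
2025-03-04T09:00:03 FAIL carol 203.0.113.7
2025-03-04T09:00:04 FAIL dave 203.0.113.7
2025-03-04T09:00:05 FAIL erin 203.0.113.7
2025-03-04T09:00:09 OK dave 203.0.113.7
2025-03-04T09:15:00 FAIL erin 198.51.100.3
2025-03-04T09:15:05 FAIL erin 198.51.100.3
2025-03-04T09:15:10 FAIL erin 198.51.100.3
2025-03-04T09:15:15 FAIL erin 198.51.100.3
2025-03-04T09:15:20 FAIL erin 198.51.100.3
2025-03-04T09:20:00 OK frank 192.0.2.11
2025-03-04T09:30:00 FAIL grace 192.0.2.10
2025-03-04T09:30:30 FAIL grace 192.0.2.10
2025-03-04T09:31:00 FAIL grace 192.0.2.10
2025-03-04T09:31:30 FAIL grace 192.0.2.10
2025-03-04T09:32:00 FAIL grace 192.0.2.10
2025-03-04T09:32:30 FAIL grace 192.0.2.10
2025-03-04T09:40:00 OK grace 192.0.2.10
"""


@dataclass
class Finding:
    source: str
    kind: str
    severity: str
    accounts: list
    note: str


def parse(log_text):
    """Parse log lines into (timestamp, success, user, source) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK", user, src))
    return sorted(events)


def is_internal(src):
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Emit at most one finding per source, at the moment a threshold is first crossed."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)

    findings = []
    for src, evs in by_src.items():
        window = []  # failures within WINDOW of the newest one
        for ev in (e for e in evs if not e[1]):
            window.append(ev)
            while ev[0] - window[0][0] > WINDOW:
                window.pop(0)
            users = sorted({w[2] for w in window})
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                # A success from the same source after the spray began means an account fell.
                later_ok = any(ok and t >= window[0][0] for t, ok, _, _ in evs)
                findings.append(Finding(src, "password_spray", "high" if later_ok else "medium",
                                        users, "many accounts from one source; isolate and reset"))
                break
            if len(window) >= BRUTE_MIN_FAILS and len(users) == 1:
                if is_internal(src):
                    findings.append(Finding(src, "repeated_failures_one_account", "low", users,
                                            "internal host, one account: likely stale saved password; confirm with user"))
                else:
                    findings.append(Finding(src, "repeated_failures_one_account", "medium", users,
                                            "external source, one account: brute force; block source, check MFA"))
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:30} {f.source:14} {','.join(f.accounts)}  {f.note}")
```

The point of the internal/external split is that it uses information you only have if Phase One was done: an inventory of your own address ranges and devices. Without that, every finding above has the same severity, and the team either chases every lockout or ignores the spray.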
Phase Three: Containment, Eradication, and Recovery
The third phase is the active response to a confirmed incident.
Containing the threat means isolating affected systems before the damage spreads, and that decision needs to happen fast, because ransomware and lateral movement tools are designed to expand their footprint while your team is still figuring out what happened.
Eradication means removing the attacker’s presence from your environment, not just the visible symptoms of the breach, but the access points and vulnerabilities they used to get in.
Recovery means bringing systems back online in a controlled, verified sequence.
The impulse when systems are down is to get them back online as quickly as possible. That impulse is understandable. It is also where most organizations make the mistake that leads to a second incident.
Organizations that skip the eradication step and rush straight to recovery often find themselves responding to the same incident twice.
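Phase One asks for backups that ransomware cannot reach, and Phase Three asks for recovery in a verified sequence. The following added example, not code from the article or from Data Defenders, shows the verification half of that: a restore gate that refuses to restore a backup set unless every file matches a manifest of SHA-256 digests, and the manifest itself carries an HMAC computed with a key that is assumed (hypothetically) to be held outside the environment, for example in an offline vault. The sample files, the ransomware simulation, and the key are all constructed for the example. Tampered data shows up as a digest mismatch; a manifest rewritten by an attacker to match the tampered data fails the HMAC because the key was never on the network.

```python
"""Added example: gate a restore on an authenticated backup manifest."""
import hashlib
import hmac
import json

# Hypothetical key kept outside the environment (offline vault, separate credential
# store). If it lives on the file server, ransomware can rewrite the manifest too.
OFFLINE_MANIFEST_KEY = b"hypothetical-key-kept-outside-the-environment"

# Constructed sample backup set (stand-ins for files on a backup target).
SAMPLE_FILES = {
    "participants.db": b"id,name,placement\n1,A. Jones,Warehouse\n2,B. Lee,Clinic\n",
    "config.yml": b"db: participants.db\nretention_days: 90\n",
}


def file_digest(data):
    return hashlib.sha256(data).hexdigest()


def _manifest_body(entries):
    # Canonical serialization so the MAC covers exactly what verify() recomputes.
    return json.dumps(entries, sort_keys=True).encode()


def build_manifest(files, key):
    """Record a SHA-256 per file and authenticate the whole list with HMAC-SHA256."""
    entries = {name: file_digest(data) for name, data in files.items()}
    mac = hmac.new(key, _manifest_body(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_backup(files, manifest, key):
    """Return (ok, problems). Any problem means: do not restore from this set."""
    expected = hmac.new(key, _manifest_body(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC invalid: manifest edited or signed with the wrong key"]
    problems = []
    for name, digest in sorted(manifest["entries"].items()):
        if name not in files:
            problems.append(f"missing: {name}")
        elif file_digest(files[name]) != digest:
            problems.append(f"modified: {name}")
    for name in sorted(files):
        if name not in manifest["entries"]:
            problems.append(f"unexpected: {name}")
    return not problems, problems


def simulate_ransomware(files):
    """Constructed stand-in for an encryption run: scramble one file, drop a note."""
    hit = dict(files)
    hit["participants.db"] = b"ENCRYPTED:" + bytes(b ^ 0x5A for b in files["participants.db"])
    hit["README_DECRYPT.txt"] = b"your files are encrypted"
    return hit


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, OFFLINE_MANIFEST_KEY)
    print("clean set:", verify_backup(SAMPLE_FILES, manifest, OFFLINE_MANIFEST_KEY))
    hit = simulate_ransomware(SAMPLE_FILES)
    print("after encryption:", verify_backup(hit, manifest, OFFLINE_MANIFEST_KEY))
    forged = build_manifest(hit, b"attacker-does-not-have-the-real-key")
    print("forged manifest:", verify_backup(hit, forged, OFFLINE_MANIFEST_KEY))
```

Run this check before the restore, not after; it is the "verified" in "controlled, verified sequence". A backup copy that passes it was written before the attacker's changes, which is also useful evidence for the eradication step, since comparing the verified copy against the live system shows what was altered.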
Phase Four: Post-Incident Review
The fourth phase, the one most frequently neglected, is the post-incident review. After the adrenaline fades and systems are back online, there is an understandable impulse to move on.
Resist it.
The lessons embedded in how your organization responded, where the gaps were, and what the response cost you in time and money are the most valuable inputs available for strengthening your security profile. This phase is not a formality. It is where institutional resilience is actually built.
Where to Begin
The Foundational Baseline
Where you start depends on the maturity and size of your organization. For a small team, whether that is a five-person nonprofit or a ten-person professional services firm, the foundational priorities are data backup and recovery, basic endpoint security, privileged access management (which simply means ensuring people only have access to the systems they need to do their jobs), and a documented response plan. These are not sophisticated interventions. They are the baseline conditions that separate organizations that survive incidents from those that do not.
Cyber Liability Insurance
Cyber liability insurance has become harder to obtain and more rigorous to qualify for, but it remains one of the most important financial tools available to a small organization in the current threat environment. The majority of small businesses that carry coverage did not purchase it until after an attack had already occurred, which means they bore the full cost of recovery themselves. The process of qualifying, which now requires documented security controls and an actual incident response plan, is itself a useful forcing function for getting prepared.
Vendor Risk
Every third-party platform integrated into your environment, including scheduling tools, cloud storage, payment processors, and communication platforms, carries its own vulnerabilities, and those vulnerabilities become yours the moment you connect them to your systems. Before you integrate a new tool, know its security history. Review what liability the vendor accepts if their platform is the source of a breach. That due diligence is not optional; it is part of operating responsibly in a connected environment.
For individuals within your organization managing their own accounts across personal and professional systems, I have developed a concrete strategy called compartmentalization: building credential boundaries across your digital life so that one compromised account cannot become total exposure. Read: Compartmentalization: The Enterprise-Level Strategy That Protects Your Digital Life. The companion episode, Ep 6: The New Rules of Personal Cyber Safety In 2026, covers this strategy step by step; watch or listen to it there.
The cybercrime economy does not distinguish between organizations by size, by sector, or by mission. It distinguishes by vulnerability. The organizations that survive, and increasingly the ones that are even eligible for cyber insurance coverage, are the ones that have done the work of preparation before an incident forces their hand.
The good news is that work is not out of reach. It starts with an honest assessment of where your organization stands today, and a deliberate decision to close the gaps before someone else finds them for you.
In Closing
The four-phase framework described in this article is the practical foundation of what cybersecurity operations actually look like inside a small business or nonprofit, and building that foundation before an incident is the single most consequential decision an organization can make.
The work described in this article is what we do every day at Data Defenders.
Also Recommended
- The Human Element: Why Your People Are Your Biggest Cybersecurity Risk — and What to Do About It
- No Longer a Small Fish: Why AI and Quantum Computing Make Every Business a Target
- Compartmentalization: The Enterprise-Level Strategy That Protects Your Digital Life
- Ep 6: The New Rules of Personal Cyber Safety In 2026
The framework covered in this article was presented live at a SCORE Chicago session. You can watch the full presentation on YouTube or listen on Spotify. For ongoing conversations on what cybersecurity operations actually look like for organizations like yours, The Cyber Resilience Report covers the real decisions behind building a defensible operation.
Frequently Asked Questions
Q: My organization is small and our data is not particularly sensitive. Do I really need an incident response plan?
A: Yes. Ninety-four percent of SMBs have experienced at least one cyberattack, and attackers are typically not evaluating the sensitivity of your data before attempting access. They are scanning for whatever is accessible. An incident response plan is not about the value of your data; it is about what happens after you are hit, when every decision your team makes under pressure either limits the damage or compounds it.
Q: What is the difference between eradication and recovery, and why does the order matter?
A: Eradication means removing the attacker’s presence from your environment, including every access point they used and every foothold they established. Recovery means bringing systems back online. The order matters because recovering before eradication is complete leaves the same vulnerability that enabled the first breach still present. Organizations that rush recovery often find themselves responding to the same incident twice.
Q: How do I know if my organization is ready for cyber liability insurance?
A: Insurance carriers now require documented security controls and an actual incident response plan to qualify for coverage. The qualification process itself, identifying what data you hold, documenting your controls, defining your response procedures, is the preparation work. If your organization cannot satisfy those requirements, you have a clear picture of where to start.
Q: What does vendor risk management mean for a small business that is not a technology company?
A: Every third-party platform integrated into your environment carries its own security vulnerabilities. If a vendor’s platform is compromised, that compromise extends into your environment. Before connecting a new tool, understand its security history and what liability the vendor assumes if their platform is the source of a breach.
Q: What does a post-incident review actually produce?
A: A structured review of what happened, when, how your team responded, where the gaps appeared, and what the incident cost in time and money. That information is the most accurate input available for improving your security profile, and it is also the documented evidence of due diligence that insurance carriers, regulators, and in some cases the organizations you serve will ask for.
Q: Should a small business pay a ransomware demand?
A: This decision requires legal and cybersecurity counsel in the moment. From an operational standpoint: paying a ransom does not guarantee data recovery, and organizations that pay are frequently targeted again. A documented incident response plan and functional backups that cannot be reached by ransomware are the factors that most often give an organization the ability to refuse payment. The time to build those capabilities is before an incident.
Q: How long does recovery typically take for a small business after a cyber incident?
A: Recovery timelines vary significantly based on the type of incident, the quality of pre-incident preparation, and whether the organization had functional backups in place. Organizations with documented plans and tested backups typically recover faster and with lower total costs. The absence of either, or rushing recovery before eradication is complete, is what turns a recoverable incident into an extended operational shutdown.
Sources
• ConnectWise / Vanson Bourne. “The State of SMB Cybersecurity in 2024.” Conducted March–April 2024, published June 2024. 700 IT and business decision-makers across US, Canada, UK, and Australia/NZ.
• Verizon Business. “2025 Data Breach Investigations Report.” Verizon, 2025.
• Coveware. “Ransomware Marketplace Report, Q4 2024.” Coveware, 2024.
• Cybersecurity Ventures. “Official Cybercrime Report 2025.” Cybersecurity Ventures / Cybercrime Magazine, 2025.
About the Author
Cyrus J. Walker III, CCFE, is the Founder and CEO of Data Defenders, LLC®, a Chicago-based Managed Cybersecurity Operations Provider (MCOP) serving SMBs, nonprofits, municipal governments, and enterprises. With 30 years of experience spanning cybersecurity operations, digital forensics, and civic leadership, he has trained over 5,000 federal, state, and local law enforcement professionals, advised the U.S. Department of Homeland Security on election infrastructure security, and appeared on CNN, Bloomberg, Forbes, ABC, CBS, NBC, Fox, and NewsNation.

