The email arrived on a Tuesday morning. It was from one of our clients — a longtime customer, the kind of relationship you assume will outlast any business cycle. The subject line was three words: “We have a problem.”
What followed was a phone call that every business owner dreads. Their accounting system had been encrypted overnight. A ransomware message demanded payment in cryptocurrency. Their backup, it turned out, had been failing silently for eleven weeks. The “IT guy” they had relied on for nearly a decade — a talented, well-meaning generalist — had not been monitoring the alerts. Nobody had.
That conversation, more than any sales pitch or industry whitepaper, is what convinced me to rethink how I run technology inside my own business. I tell this story because the lesson scales: most owners of small and mid-sized companies are running their IT the same way that the client was. And most of them will only learn the cost of that approach in the worst possible way.
The Quiet Assumptions That Get Businesses in Trouble
When I talk with other owners in the 10- to 75-employee range, the same assumptions surface again and again:
- “We’re too small to be a target.”
- “Our IT guy has it handled.”
- “We have backups.”
- “Our industry isn’t really regulated.”
- “We’d know if something was wrong.”
Every one of those statements was true for that client, right up until it wasn’t. Most attackers do not pick targets by company size. They scan for exposure and take whatever is easiest to get into, and in 2026 exposure means unpatched systems, weak or single-factor authentication, untested backups, and the absence of anyone watching for signs of intrusion. A 30-person business with sloppy hygiene is a far more attractive target than a 3,000-person enterprise with a security operations center.
The “we’d know if something was wrong” assumption is the one I want to dwell on. In the incident I described, the attackers were inside the network for nineteen days before they detonated the ransomware. Nineteen days of reconnaissance, privilege escalation, and quietly disabling defenses. The business owner had no idea. The IT generalist had no idea. The first signal that anything was wrong was the ransom note.
What I Wish I Had Understood About “Having IT”
The biggest mental shift for me was recognizing that “having IT” and “having an IT function that protects the business” are entirely different things. The first is about keeping things running. The second is about anticipating what can go wrong and building the systems, processes, and oversight to prevent it — or to recover quickly when prevention fails.
That distinction matters because most internal IT setups, and a surprising number of external providers, are built around the first definition. They are reactive by design. Tickets come in, tickets get closed. Servers run, printers print, and email flows. By the metrics that get measured, everything looks fine. The problem is that the metrics that matter most are usually not being measured at all: patch compliance (how many endpoints are actually current, not whether updates are “turned on”), backup integrity (proven by a restore, not by a completed-job status), identity hygiene (MFA coverage, dormant and over-privileged accounts), endpoint visibility, and log retention long enough to reconstruct an intrusion that began weeks before anyone noticed it.
When I finally sat down with a managed services provider that took security seriously, the first thing they did was not pitch me. They ran an assessment. The report was uncomfortable. It identified gaps I did not know I had in systems I assumed were fine. That assessment, more than any contract, is what sold me. It told me the truth about my own business.
The Questions I Now Recommend Every Owner Ask
If you take nothing else from this article, take these questions and put them in front of whoever currently handles your technology — internal or external:
- When was our last successful backup restore test (not just a backup completion), and is at least one copy kept where a compromised administrator account cannot delete or encrypt it?
- What percentage of our endpoints are current on security patches this week, and how is that number measured?
- Do we have multi-factor authentication enforced on every account with access to email, file storage, financial systems, or remote access, including administrator accounts?
- What tools are monitoring our network and endpoints for unusual activity, who is reviewing the alerts, and how often?
- If we were hit with ransomware tonight, what is our documented recovery process, what is our recovery time objective, and when did we last rehearse it?
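A concrete version of the first question, as an added example that is not code from this article or from any provider it mentions: the script below restores the newest archive of a constructed sample backup into scratch space, verifies every file against a SHA-256 manifest, and flags an archive older than the allowed age, which is exactly the “failing silently” condition in the story. The directory layout, the MANIFEST.json convention, and the 36-hour freshness threshold are assumptions chosen for illustration.

```python
"""Backup restore test: restore the newest archive into scratch space, verify every
file against a SHA-256 manifest, and fail if the archive is stale.
Added example for this article; the layout, MANIFEST.json convention and
thresholds are assumptions, not any vendor's product."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time

MAX_AGE_SECONDS = 36 * 3600  # a daily backup older than 36 hours counts as a missed cycle


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(backup_dir, corrupt=False, stale=False):
    """Constructed sample data: a tiny 'accounting' backup with a hash manifest.
    corrupt=True truncates one file after it was hashed; stale=True backdates the
    archive by eleven weeks, the gap in the incident described above."""
    files = {
        "ledger/2026-01.csv": b"date,account,amount\n2026-01-03,4000,1250.00\n",
        "ledger/2026-02.csv": b"date,account,amount\n2026-02-01,4000,980.50\n",
        "config/app.ini": b"[db]\nhost=localhost\n",
    }
    manifest = {name: sha256_bytes(data) for name, data in files.items()}
    if corrupt:
        files["ledger/2026-02.csv"] = b"date,account,amount\n"
    path = os.path.join(backup_dir, "accounting-backup.tar.gz")
    with tarfile.open(path, "w:gz") as tf:
        members = dict(files, **{"MANIFEST.json": json.dumps(manifest).encode()})
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    if stale:
        eleven_weeks_ago = time.time() - 11 * 7 * 86400
        os.utime(path, (eleven_weeks_ago, eleven_weeks_ago))
    return path


def restore_test(backup_dir, max_age_seconds=MAX_AGE_SECONDS):
    """Return (ok, reasons, verified_count). ok is True only if the newest archive is
    fresh, extracts safely, and every manifest entry restores with the right hash."""
    archives = [os.path.join(backup_dir, n) for n in os.listdir(backup_dir)
                if n.endswith(".tar.gz")]
    if not archives:
        return False, ["no backup archive found"], 0
    archive = max(archives, key=os.path.getmtime)
    reasons = []
    age = time.time() - os.path.getmtime(archive)
    if age > max_age_seconds:
        reasons.append(f"newest backup is {age / 86400:.0f} days old")
    verified = 0
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tf:
            # Never let a tampered archive write outside the scratch directory.
            for member in tf.getmembers():
                if os.path.isabs(member.name) or ".." in member.name.split("/"):
                    return False, [f"unsafe path in archive: {member.name}"], 0
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(scratch, **opts)
        manifest_path = os.path.join(scratch, "MANIFEST.json")
        if not os.path.exists(manifest_path):
            return False, reasons + ["archive has no MANIFEST.json"], 0
        with open(manifest_path) as f:
            manifest = json.load(f)
        for rel, expected in manifest.items():
            full = os.path.join(scratch, rel)
            if not os.path.isfile(full):
                reasons.append(f"missing after restore: {rel}")
                continue
            with open(full, "rb") as f:
                actual = sha256_bytes(f.read())
            if actual != expected:
                reasons.append(f"hash mismatch after restore: {rel}")
            else:
                verified += 1
    return not reasons, reasons, verified


def run_demo():
    """Run the restore test against a healthy, a corrupted, and a stale sample backup."""
    outcomes = {}
    for label, kwargs in (("good", {}), ("corrupt", {"corrupt": True}), ("stale", {"stale": True})):
        with tempfile.TemporaryDirectory() as backup_dir:
            build_sample_backup(backup_dir, **kwargs)
            outcomes[label] = restore_test(backup_dir)
    return outcomes


if __name__ == "__main__":
    for label, (ok, reasons, verified) in run_demo().items():
        print(f"{label:8s} ok={ok} verified={verified} {'; '.join(reasons)}")
```

The point of the design is that a “backup completed” status from the job scheduler is never consulted: the only evidence accepted is a fresh archive that actually restores and hashes correctly. Run on a schedule against a real backup location, a non-True result is what should page someone, which is the alert nobody was reading in the incident above.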
The answers will tell you almost everything you need to know about whether your current setup is built for the reality of running a business in 2026. If the answers are vague, defensive, or absent, that is your signal. For owners who want to understand what a security-first IT relationship actually looks like in practice — including transparent per-user pricing — reviewing a provider’s small business cybersecurity solutions is a useful starting point.
The Cost of Waiting
The client I mentioned at the start of this article survived their incident. They paid a six-figure recovery cost, lost roughly three weeks of productive operations, and spent the better part of a year rebuilding customer trust. They are still in business. Many businesses in their position are not. Authoritative guidance from federal sources, including the CISA cybersecurity best practices for small businesses, makes the same point: small organizations are targeted constantly, and they are typically the least prepared to detect an intrusion or to recover once one lands.
I am not in the business of selling fear. I am in the business of running a company, and the honest reflection from this side of an incident is that the decision to take IT and security seriously was the single most consequential operational choice I have made in the last five years. The only regret is the timing. The right time to make that decision is before the Tuesday morning phone call — not after.