No matter the size of your business, you must take security seriously.

I recently wrote about using passwords correctly, and a reader replied: “I’ve been getting told this for years, but who’s ever going to attack my 12-employee business?”

This isn’t the first time I’ve heard remarks like that. The answer is: “Who won’t attack you!?”

Hackers don’t care whether your annual revenue is in five figures or nine. They will target you. Indeed, if you’re on the smaller size, you’re more likely to be vulnerable because, chances are, you’re an easier target. After all, as BullGuard CEO Paul Lipman said: “Small businesses are not immune to cyberattacks and data breaches and are often targeted specifically because they often fail to prioritize security.”

A 2020 study by BullGuard, a cybersecurity company focused on the consumer and small business markets, found a third of companies with 50 or fewer employees report using free, consumer-grade cybersecurity. That’s okay as far it goes. For example, Microsoft Defender Antivirus, formerly Windows Defender, is, by the AV-TEST Institute‘s tests, a reasonably good anti-virus and malware-detection program. And, of course, it comes baked in and free in any still supported version of Windows. (Though if you’re still running Windows 7 or XP, you’ve got more security problems than any anti-virus program can help you with.)

But — and this is a killer — BullGuard also found one in five companies use no endpoint security whatsoever. I repeat no endpoint security. Tell me: Do you like playing Russian roulette with your company’s security?

Worse still, BullGuard also discovered that 43% of SMB owners have no cybersecurity defense plan in place at all. They’re relying on each user to do their best — like activating Microsoft Defender — to protect their PCs. These, mind you, are often the same people who use “password” for their password.

It gets better (or worse). While nearly 60% of SMB owners believe their business is unlikely to be targeted by cybercrooks, about 18.5% of SMB owners have suffered from a cyberattack or data breach within the past year. That tallies with my own experience.

For example, I’ve never been cracked, knock on wood, but then I do lock down my systems like they’re Fort Knox. I assume that I’m constantly under attack. I am. Every. Single. Day. For example, my website, Practical Technology, is a simple WordPress site I run off one of my own servers. All it does is contain an archive of my older stories. That’s it. I don’t update its content anywhere often enough and you can’t even post comments to it.

Care to guess how many times in the last week someone tried to hack in?

Go ahead, guess.

According to Wordfence, an excellent WordPress all-in-one security program that I highly recommend, I’ve had 1,551 attacks this week. So far.

Why would anyone do this? Because no one has to actually “target” me. Botnet networks do nothing all day but automatically scan the Internet looking for vulnerable targets. Have a popular network socket open on your firewall? Run WordPress, which now powers almost 40% of the web? Or, just run Windows? Whether you know it or not, you’re being attacked every day.

That’s not even counting all the malware hiding in the erectile dysfunction and other spam emails hitting your mailbox over and over. That’s not even counting spear-phishing, where someone has bothered to target individuals in your company. That, too, is easier to do than you might think.

Are you on Facebook? LinkedIn? If you are — and who isn’t on one social network or the other? — there’s enough information online for someone to whip up a message tempting you to download a malicious file or go to a poisoned web page that looks like a message from someone you might know or want to do business with.

So, what can you do about this? A lot. I’ll be going into some details in the weeks ahead. But, for now, let’s just go over the bare bones of defending yourself.

First, someone needs to keep an eye on security. You may not need a full-time security person on staff, but someone has to make sure that everyone’s using an updated anti-virus program. That same tech-support person must also make sure backups are being made — and that they actually are backing up your valuable files. Ransomware, where someone encrypts your data and demands you pay up for your customer data, doesn’t hurt as much when you can just restore your files.

There’s a lot more of course. There’s a reason why computer security is an industry in itself. But, if you just do that much, you’ll still be ahead of the game.

Next read this: