Don’t Get Sidelined By A Cyber Attack – Build Your Winning Cyber Resilience Playbook ASAP

FRIGHTENING FACT: 60% of smaller businesses that suffer a cyber attack go out of business within six months.

Data on cyber attacks for the past few years (including 2025) show that small- and medium-size businesses (SMBs) and startups in the US face significant — and potentially existential — cybersecurity threats.

Cyber criminals are constantly changing their tactics and running new plays, like a team changing its offensive strategy mid-game, and they increasingly target smaller companies as the easier route to valuable data.

Think of cyber criminals’ approach as a full-court press — relentless and aggressive. Staying ahead of them requires continuous threat intelligence and frequently adapting your defenses.

SMB Cyber Attacks in the US: By the Numbers

The following statistics highlight the increasing vulnerability of SMBs to cyberattacks, and the need for improved cybersecurity measures and preparedness.

  • 60% of small business owners consider cybersecurity threats a top concern, yet only 23% say they are very prepared to handle a cyberattack.
  • 43% of all cyberattacks in 2023 targeted small businesses.
  • 46% of all cyber breaches impact businesses with fewer than 1,000 employees.
  • 95% of cybersecurity incidents can be attributed to human error.
  • 54% of businesses admit their IT departments lack experience to handle complex cyberattacks.
  • The most common types of cyberattacks on small businesses are:
  • 37% of ransomware attack victims have fewer than 100 employees.
  • 82% of ransomware attacks in 2021 targeted SMBs with fewer than 1,000 employees.
  • Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
  • Small businesses receive the highest rate of targeted malicious emails, with 1 in 323 being affected.
  • SMBs spend between $826 and $653,587 on cybersecurity incidents.
  • 76% of small businesses have increased their cybersecurity spending due to rising threats.

KEY TAKEAWAY: If you don’t want your business to become a statistic, you’re going to have to build resilience by implementing a solid cybersecurity game plan… fast!

What’s the Financial Impact of Cyber Attacks on SMBs?

The financial consequences of cyber attacks on smaller businesses are substantial:

  • The average data breach from 2018-2023 cost companies around $4.5 million, broken down roughly as follows:
    • Detection and escalation costs: $1.58 million.
    • Lost business costs: $1.3 million.
    • Post-breach response costs: $1.2 million.

What Are the Risks for Bay Area Businesses?

Businesses in the Bay Area are particularly vulnerable for a number of reasons:

  • San Francisco’s reputation as a high-tech environment makes businesses in the city more attractive targets for cybercriminals, including smaller businesses.
  • Hackers often target smaller businesses in the Bay Area as a stepping stone into the larger, more lucrative networks of the customers and partners they connect to.
  • The competitive landscape of the Bay Area means intellectual property theft is a significant concern, particularly for companies developing innovative products.
  • Bay Area businesses face among the highest costs for data breaches in the world.

What’s Your Plan to Secure Your Business from Attack?

Whether you’re based in the Bay Area or beyond, being cyber resilient is crucial.

Like a basketball team needs a solid strategy and strong players to win the March Madness tournament, your business needs a comprehensive cyber resilience plan to withstand disruptions, survive and succeed in today’s complex digital landscape.

Cyber resilience is a sound strategy for every business, but if yours is a regulated business, being cyber secure is a requirement, not an option. Like a championship team, you need a robust defense to protect sensitive data and maintain compliance.

What is Cyber Resilience?

Cyber resilience is a business’s ability to anticipate, withstand, respond to and recover from cyber incidents while keeping its critical operations running. It is what keeps a business secure, reduces risk and sustains strong security practices against potential threats.

Building cyber resilience means understanding business vulnerabilities and strengthening defenses.

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF, version 2.0, available free of charge*) provides a foundation for building cyber resilience and recovering from security incidents.

*The NIST CSF “…provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”

What Are the Core Elements of Cyber Resilience?

The building blocks of cyber resilience include: Govern, Identify, Protect, Detect, Respond, and Recover. Download our Cyber Resilience Checklist as a reminder.

  • Proactive cybersecurity defense measures neutralize threats before they cause harm, through regular assessments, threat intelligence, and strong policies.
  • A well-structured incident response plan allows an incident to be detected, contained and mitigated quickly when it occurs.
  • Strategic business continuity planning includes backup and disaster recovery steps so that a cyberattack causes as little disruption as possible and operations can be restored.
  • Staying ahead of the curve means adapting as the threat landscape evolves, learning from past incidents, and continuously strengthening defenses.
  • Fostering a security-conscious culture involves awareness training so that employees are better able to identify and manage risks.
  • Up-to-date compliance involves meeting regulatory requirements to avoid fines, lawsuits, and damage to brand reputation.

KEY TAKEAWAY: Strategic cyber resilience involves proactive defense, quick response, business continuity, staying ahead of the curve, security-conscious culture, and compliance.

What Are the Challenges to Achieving Cyber Resilience?

  1. Evolving Threat Landscape: Hackers are Running a Fast Break

Just as teams adapt their strategies throughout a tournament, cybercriminals are constantly evolving their tactics: developing new methods of attack and finding new ways to break through your defenses, making it difficult to keep up with the latest threats.

Think of a cyber attack like a buzzer-beater three-pointer from a team you never saw coming. Just like a 15-seed can upset a 2-seed, unexpected cyber threats can take down even the most confident businesses. The chances of this type of game outcome are historically low, but still possible: in March Madness, upsets happen.

In cybersecurity, they happen too. Just like UMBC shocked Virginia in 2018, a small, overlooked vulnerability can lead to a major breach. And the odds of a breach are increasing as the frequency of attacks on smaller businesses rises, just like the number of upsets in recent tournaments. Don’t let your business be the next big upset.

KEY TAKEAWAY: You need to be prepared to break the press and protect your data. Regular patching and staying updated on cybersecurity trends are crucial.

  2. Resource Constraint: You Can’t Win with Just One Star Player

You can’t expect your business to win against cyber threats with just one IT person — that’s like trying to win March Madness with only your star player. You need to draft the right players and have a full team of solutions and strategies.

Many businesses — including in regulated industries — struggle with limited budgets and staff, and with the cost of compliance; and so, they don’t allocate enough budget for cybersecurity or a dedicated IT team. But you don’t need an NBA-sized budget to build a strong defense.

Training employees and partnering with a reliable IT service provider can help. Think strategically about your draft picks: prioritize essential security tools and partner with experts such as managed security service providers (MSSPs) who understand your particular needs and who can provide industry-specific cybersecurity solutions.

KEY TAKEAWAY: Working with an MSSP is like having a dedicated coach and training staff specializing in your league’s rules, ensuring you stay compliant and secure.

  3. Complexity: The Zone Defense of Cybersecurity

Cybersecurity is like a zone defense: it requires everyone to know their role and work together. And compliance is like learning the rulebook for your league. It can be overwhelming, but it’s essential to stay in the game.

Integrating cyber resilience into every aspect of a business can be overwhelming, especially without an IT background or properly trained IT resources. Not to mention trying to navigate complex regulations like HIPAA or GDPR.

But breaking it down into manageable steps and outlining the key plays you need to run makes it easier to defend.

KEY TAKEAWAY: Frameworks like the NIST Cybersecurity Framework (Govern, Identify, Protect, Detect, Respond, Recover) and automation tools can simplify the cyber resilience process.

  4. Awareness: No Fouls Allowed, Everyone Plays Defense

Employees often lack the training to understand how their actions can compromise a business. A single employee clicking on a phishing email is like a player traveling with the ball: it can cost you the game.

Employee awareness is crucial, especially in regulated industries where data privacy is paramount. In regulated industries, a data breach is like a flagrant foul – it can lead to severe penalties.

Everyone in your organization needs to understand their role in protecting sensitive information. Taking measures such as implementing strict password controls and mandatory security training can address this.

KEY TAKEAWAY: Just like coaches drill their players on fundamentals, you need to drill your employees on cybersecurity best practices to keep them sharp.

The Championship Run: Building Your Resilience Strategy

To build a championship-caliber cyber resilience strategy you need to include the following moves in your playbook:

  1. Scout Your Team: Assess your current security posture and identify vulnerabilities.
  2. Draft Top Talent: Invest in skilled cybersecurity professionals or partner with reputable service providers.
  3. Practice, Practice, Practice: Regularly test and update your incident response plans.
  4. Study the Playbook: Leverage resources like the NIST CSF to guide your strategy.
  5. Win as a Team: Ensure every employee understands their role in maintaining security.

REMEMBER: Just as only one team cuts down the nets in April, the businesses that prioritize cyber resilience will be the ones celebrating long-term success in the digital era.

We Can Help You Understand The Key Plays And Develop A Winning Game Strategy

When there’s so much at stake, partnering with a managed security service provider (MSSP) such as Tru Technical is like having a dedicated coach and training staff, but without the hefty price tag.

We provide tailored, practical and cost-effective outsourced IT Support and Cybersecurity solutions focused on relevant industry regulations and best practices, and including comprehensive staff awareness training.

We’ll simplify the process of making your business more cyber resilient, making it more manageable for you and your team. Think of us as your sixth man — coming off the bench to provide crucial support when you need it most.

For more insights, get our Cyber Resilience Checklist, download our Cyber Resilience eBook, and read our blog: ‘Top 4 Challenges to Achieving Cyber Resilience and How to Overcome Them’