The cybersecurity industry loves to sell fear. Enterprise-grade threat intelligence, zero-trust architecture, SOC-as-a-service — none of this is relevant to a 10-person service business in Fresno. What is relevant: the attacks that are actually hitting small businesses right now, and the practical steps that stop most of them.
The threat landscape for small business in 2026
Three attack types account for the overwhelming majority of small business breaches:
Business Email Compromise (BEC). An attacker spoofs or compromises an email account — often a vendor, accountant, or owner — and instructs an employee to wire money or change payment details. The FBI's 2025 Internet Crime Report lists BEC as the costliest cybercrime category for small businesses. The average loss per incident is $137,000. No malware required. Just a convincing email.
Ransomware via phishing. An employee clicks a link or opens an attachment. Ransomware encrypts your files and demands payment for the decryption key. Attackers now routinely target small businesses because they're easy targets with real assets. Ransom demands for small businesses typically run $10,000–$50,000. Many pay. Many don't recover their data even after paying.
Credential stuffing. Employees reuse passwords across personal and work accounts. A data breach at any service they use — LinkedIn, a food delivery app, anything — exposes those credentials. Attackers run them automatically against business email, accounting software, and banking portals. This is how most "hacks" actually happen: not sophisticated exploitation, just a reused password.
What actually stops these attacks
Multi-factor authentication (MFA) on everything. Email, accounting software, banking, payroll, hosting — every account that matters needs MFA enabled. This single control stops credential stuffing entirely and significantly raises the bar for BEC. Google Workspace and Microsoft 365 both have MFA built in and free. If your team isn't using it, that's your first call to make tomorrow morning.
Email filtering with spoofing protection. SPF, DKIM, and DMARC are DNS records that tell receiving mail servers how to handle emails claiming to be from your domain. Properly configured, they make it nearly impossible to spoof your domain — which is the first step in most BEC attacks. Your IT provider or web host can configure these in under an hour. Most haven't because no one asked.
Automated offsite backups. If ransomware encrypts your files, the only leverage you have is a clean backup. Backups need to be: automated (humans forget), offsite (ransomware encrypts network drives too), and tested (most backups fail silently). A $15/month service like Backblaze Business Backup covers a 10-person company. This is not optional.
Employee awareness — one real training per year. Not a mandatory video. One real conversation: here's what a phishing email looks like, here's what to do if you clicked something, here's who to call. The goal is to make people feel safe reporting mistakes immediately rather than hoping it goes away. Delayed reporting is what turns a near-miss into a breach.
The $500/year security stack
For a 10-person Fresno service business, the minimum viable security posture costs roughly:
Google Workspace Business Starter — $72/user/year for email with MFA, spam filtering, and Drive backups. For 10 users: $720/year. If you're still using @gmail.com for business, this is the first upgrade.
Backblaze Business Backup — $99/year per computer. For 5 computers: $495/year.
1Password Teams — $19.95/user/month for a shared password manager with MFA integration. For 10 users: $2,394/year. This is the most expensive item but eliminates credential reuse entirely.
Total: roughly $3,600/year for a 10-person company — about $300/month. That's less than one hour of your accountant's time if something goes wrong.
What we see most often
In our work with Central Valley small businesses, the single most common gap is email: no MFA, no DMARC, personal Gmail accounts being used for business correspondence, and no offsite backup. These three things together create a situation where one employee mistake can be catastrophic.
We don't sell cybersecurity products. But we build the infrastructure that exposes these gaps — websites, APIs, email systems — and we can assess your current setup and tell you exactly what's missing. That conversation is free.