Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.


Urgent Cybersecurity Measures for Businesses

Just before Russia's invasion of Ukraine, a senior DOJ official warned U.S. companies to immediately strengthen their defenses. The White House followed with a direct call to action, urging all businesses to "make the following steps with urgency." That advisory has not been rescinded. U.S. cyber agencies have documented that threat actors linked to Russia and China regularly exploit platforms like Microsoft 365 to steal credentials, move laterally through networks, and deploy malware, often without triggering any alerts on poorly configured systems.

If you haven't evaluated your organization's exposure since that advisory, the data below makes the case for doing it now. The figures that informed the 2022 White House call to action, compiled in a Forbes analysis of small and medium-sized businesses, showed an already serious threat. The situation has only worsened since.

Key Statistics on Cyber Threats (2022 Baseline)

  1. 61% of all small and medium-sized businesses (SMBs) reported experiencing at least one cyber attack in the past year, highlighting the prevalence of these threats.
  2. A benchmark study by Cisco found that 40% of small businesses that faced a severe cyber attack suffered over eight hours of downtime, significantly increasing the overall costs associated with a security breach. This downtime disrupts operations, erodes customer trust, and compounds the total cost of a breach well beyond the initial incident.
  3. While many business owners may underestimate the threat of ransomware, it remains a major concern for managed service providers (MSPs). In fact, 85% of MSPs consider ransomware one of the biggest threats to their SMB clients, reflecting the need for increased vigilance and security strategies.
  4. 30% of small businesses believe that phishing attacks represent the largest cyber threat they face, underscoring the importance of training employees to recognize and respond to such tactics, which can include suspicious emails, fake websites, and social engineering schemes.
  5. Staggeringly, 83% of small and medium-sized businesses lack the financial preparedness to recover from a cyber attack, emphasizing the urgent need for planning, including setting aside a budget for cybersecurity measures and incident response.
  6. Despite the alarming statistics, 91% of small businesses have not purchased cyber liability insurance, indicating a lack of awareness and preparation for potential security breaches, which can be key in covering financial losses associated with cyber incidents.
  7. Only 14% of small businesses rate their ability to mitigate cyber attack risks as highly effective, pointing to a significant gap in confidence and capability that needs to be addressed through education and implementing strong security controls.
  8. 43% of SMBs do not have any cybersecurity plan in place, a significant oversight that could have dire consequences, including increased vulnerability to attacks and prolonged recovery times.
  9. Moreover, one in five small companies does not use endpoint security, and 52% of SMBs lack in-house IT security experts, leaving them exposed to threats that could otherwise be addressed through dedicated expertise.

Where the Threat Stands Today

Those 2022 figures established a baseline. More recent data shows the trajectory has continued upward. According to Verizon's 2025 Data Breach Investigations Report, ransomware was involved in 44% of all breaches, a 37% jump from the prior year, and appeared in 88% of SMB breach incidents, compared to just 39% at larger organizations. Small businesses are now the primary target, not a secondary one. The IBM Cost of a Data Breach Report 2024 put the global average breach cost at $4.88 million, a 10% increase and the largest single-year jump since the pandemic, with 70% of breached organizations reporting significant operational disruption. Stolen credentials remained the most common initial access vector, and per the 2024 Verizon DBIR, phishing victims fell for attacks in under 60 seconds. The White House advisory identified the right problems. They haven't gone away.

Three Steps to Take Now

The White House advisory identified specific actions businesses should take immediately. These three are the highest-impact starting points:

  1. Deploy a password manager across your organization. Dashlane for Business and similar tools generate strong passwords, flag credentials exposed in known breaches, and give administrators visibility into password hygiene across the team. Shared credentials and reused passwords are among the most common entry points in SMB breaches.
  2. Enable drive encryption on all Windows devices. Windows 10 and 11 business editions include BitLocker, which encrypts the full drive and ties decryption to the device's TPM chip. A stolen or lost laptop with BitLocker enabled cannot be read by an attacker even if the drive is removed. This costs nothing beyond the time to configure it correctly, but it must be managed centrally to be effective, since ad hoc enablement leaves gaps.
  3. Add email filtering at the gateway level. Tools like Proofpoint or Microsoft Defender for Office 365 scan inbound email before it reaches user inboxes, stripping malicious attachments and rewriting URLs to block access to phishing sites at click time. Phishing accounts for the majority of credential compromises at SMBs, and perimeter-level filtering stops attacks that user training alone will not.

These three steps address the most commonly exploited entry points: weak credentials, unencrypted endpoints, and phishing. They are also verifiable: an IT partner can confirm whether BitLocker is active on every device, whether email filtering is correctly configured, and whether password policies are being enforced, rather than assumed.
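The BitLocker check described above can be scripted per device. The following is an added example, not part of the original article or the White House advisory; it uses the built-in `Get-BitLockerVolume` cmdlet, and the function name `Test-BitLockerPosture` and its pass/fail rules are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: per-device BitLocker audit using the built-in BitLocker module.
# The compliance rules below are assumptions, not an official baseline.

function Test-BitLockerPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword.
        $protectors = @(foreach ($kp in $vol.KeyProtector) { [string]$kp.KeyProtectorType })
        $findings = @()

        # Protection reads Off when BitLocker is disabled or suspended.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        # A partially encrypted drive still exposes plaintext sectors.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
        }
        # The OS volume should be bound to the TPM (Tpm, TpmPin, TpmStartupKey, ...).
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($protectors -match '^Tpm')) {
            $findings += 'no TPM-based protector on the OS volume'
        }
        # Without a recovery password, a TPM or firmware change can lock the data out.
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = $protectors -join ','
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# One row per volume; pipe to Export-Csv instead to collect results centrally.
Test-BitLockerPosture | Format-List
```

Run it from an elevated session on each device; any row with `Compliant` set to `False` is one of the gaps that ad hoc enablement leaves behind.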

* The products mentioned are examples only; no benefit is gained from their mention. Security software should be implemented with the guidance of an IT professional.

Contact Stratify IT to have your current security configuration reviewed against the White House advisory recommendations. We'll identify gaps, prioritize what to fix first, and handle implementation, so the work gets done rather than scheduled.

Frequently Asked Questions

The original advisory has not been rescinded, but CISA has issued several follow-on guidance documents, including the 2023 "Shields Up" campaign and joint advisories with the FBI and NSA targeting specific Russian and Chinese threat actor techniques. The core recommendations remain consistent: patch known exploited vulnerabilities, enable MFA, and audit privileged access. CISA's Known Exploited Vulnerabilities catalog is the most current resource for staying aligned with federal guidance.

Microsoft 365 is the dominant productivity suite in U.S. business, which makes it the highest-value target by volume. The specific techniques (password spraying, OAuth token abuse, and legacy authentication exploits) are well-documented against M365 because the attack surface is so well understood. Google Workspace isn't immune, but the documented nation-state playbooks skew heavily toward Microsoft environments. If you're on M365, disabling legacy authentication protocols alone closes a significant attack vector.

Once an attacker compromises one account, say, a phished employee's email login, lateral movement means they use that foothold to access other systems, accounts, or data they shouldn't reach. Think of it as someone who broke into your mailroom and then quietly tried every interior door. Without network segmentation or endpoint detection tools like CrowdStrike or Microsoft Defender for Business, that movement often goes unnoticed for weeks. The average dwell time before detection in SMB incidents has historically exceeded 200 days.

IBM's Cost of a Data Breach Report has consistently put average SMB breach costs in the $120,000-$150,000 range, but that's an average skewed by outliers. A realistic floor for a business with 20-50 employees facing ransomware-driven downtime, factoring in lost productivity, emergency IT response, and customer communication, is $25,000 to $50,000. That doesn't include regulatory exposure under state breach notification laws, which can add legal fees regardless of whether sensitive data was actually exfiltrated.

Most SMB owners anchor their risk perception to their own experience: if they haven't been hit, the threat feels abstract. There's also a size bias: business owners often assume attackers are only interested in large enterprises with big payouts. The reality is that ransomware groups increasingly automate their targeting and specifically seek out under-defended smaller organizations because they're easier to compromise and more likely to pay quickly rather than involve law enforcement or wait out a lengthy recovery.

Start with a Microsoft Secure Score review if you're on M365; it's built into the admin portal and gives you an actionable priority list without hiring anyone. Pair that with a review of which accounts have admin privileges, because over-provisioned admin access is consistently the first thing exploited after initial compromise. If you're not sure who has access to what, that's the answer. You need an access audit before you can meaningfully address anything else.

Sharad Suthar