The Latest Cybersecurity Risks Facing Small Businesses — and How to Fix Them

Introduction:

If you’re running a business and you don’t have a full-time IT team, you’re exactly the kind of target cybercriminals love.

And they’re not using dark magic or zero-day exploits to break in. Most of the time, it’s the digital equivalent of jiggling doorknobs.

So instead of giving you generic, and potentially outdated, advice, I took a look at the 2025 Verizon Data Breach Investigations Report (DBIR), one of the most respected sources of cybersecurity data, and pulled out what actually matters for Apple-based SMBs.

Spoiler: the three biggest risks are preventable. Here's what they are — and what you can do about them.

1. Stolen Credentials (Still #1 Year After Year)

According to Verizon, stolen or reused credentials are still the most common way attackers get in — accounting for over 22% of all breaches.

Why? Because your email, file storage, calendar, and client data are all one password away. If that password was exposed in a breach two years ago (and reused), you're wide open — even if you’ve never clicked on a shady link.

What to do:

  • Use a password manager and stop reusing logins

  • Turn on 2FA — preferably not via SMS

  • Audit accounts for old users, third-party access, or weak recovery setups

  • Check whether your email addresses have shown up in data breaches (services like haveibeenpwned.com)
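The breach-check advice above can be automated for passwords without ever sending the password (or its full hash) anywhere. The Pwned Passwords service behind haveibeenpwned.com accepts only the first five hex characters of a SHA-1 hash and returns every matching suffix, so the server never learns which password you checked. The script below is an added example, not part of the original post or the service's own code; the sample range response is constructed here, and the match count in it is made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body returned by
# https://api.pwnedpasswords.com/range/5BAA6 : one "<35-char suffix>:<count>"
# per line. The first suffix is the real remainder of SHA-1("password");
# the count and the other two lines are made up for this example.
SAMPLE_RANGE_5BAA6 = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
0000A2A3F5B1C7D9E8F0A1B2C3D4E5F607A:2
00FF1A2B3C4D5E6F708192A3B4C5D6E7F80:15
"""


def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Find our suffix in a range response; 0 means not seen in any breach."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup: only the 5-char prefix leaves the machine."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "smb-password-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times this password appears in known breach dumps.

    `fetch` is injectable so the check can run offline against sample data.
    """
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_range for a
    # real lookup of a password you are about to retire.
    hits = pwned_count("password", fetch=lambda _p: SAMPLE_RANGE_5BAA6)
    print("seen in breaches" if hits else "not seen", hits)
```

Run it as part of an onboarding or password-rotation checklist: anything with a non-zero count should be changed and never reused, which is exactly what a password manager makes painless.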

2. Human Mistakes and Phishing Emails

The “human element” — phishing, clicking malicious links, sending data to the wrong place — accounts for nearly 60% of breaches.

And it’s not just falling for Nigerian princes. Today’s phishing emails look like:

  • Invoices from a vendor you actually use

  • A Google Doc from someone on your team

  • A “Dropbox” file that links to a fake login page

These are simple, scalable attacks — and they work because they’re believable.

What to do:

  • Learn to spot consent phishing (where you’re tricked into granting an app access to your account instead of typing a password)

  • Use email rules to flag impersonation or spoofing attempts

  • Do a phishing simulation to test your (or your team’s) risk level

  • Never rely on Gmail or Microsoft to “just filter this stuff out” — configuration matters
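"Use email rules to flag impersonation" is usually set up in the mail provider's console, but the logic is simple enough to show in code. The detector below, an added example that is not part of the original post, looks for the two tell-tales of the vendor-invoice and "someone on your team" lures above: a display name that matches a known colleague on an address outside your own domain, and a failed SPF or DMARC verdict in the Authentication-Results header your mail server adds. The sample message, the domain acme.example and the staff list are all constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the display name matches a real colleague, but the
# address is on an outside domain and the receiving server recorded spf=fail.
SAMPLE_RAW = """\
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=outlook-free.example; dkim=none
From: "Dana Lee" <dana.lee.ceo@outlook-free.example>
Reply-To: accounts@outlook-free.example
To: bookkeeper@acme.example
Subject: Invoice overdue - please pay today

Please see the attached invoice and wire before 5pm.
"""

INTERNAL_DOMAIN = "acme.example"          # assumed company domain
KNOWN_STAFF = {"dana lee", "sam patel"}   # assumed staff display names, lowercase


def auth_verdicts(msg):
    """Pull spf=/dkim=/dmarc= results out of Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";"):
            part = part.strip().lower()
            for method in ("spf", "dkim", "dmarc"):
                if part.startswith(method + "="):
                    verdicts[method] = part.split("=", 1)[1].split()[0]
    return verdicts


def flag_message(raw, internal_domain=INTERNAL_DOMAIN, staff=KNOWN_STAFF):
    """Return a list of flags; an empty list means nothing suspicious found."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # A colleague's name on an outside address is the classic lookalike lure.
    if name.strip().lower() in staff and domain != internal_domain:
        flags.append("display-name-impersonation")
    # The server's own verdict: mail claiming a domain that did not authorize it.
    verdicts = auth_verdicts(msg)
    if verdicts.get("spf") in ("fail", "softfail") or verdicts.get("dmarc") == "fail":
        flags.append("auth-failure")
    return flags


if __name__ == "__main__":
    print(flag_message(SAMPLE_RAW))
```

The same two conditions map directly onto provider rules: Google Workspace and Microsoft 365 both let you quarantine or label mail whose display name matches a directory user but whose sender domain is external, and both expose the SPF/DKIM/DMARC verdicts used here.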

3. Misconfigured Devices

If you’re on a Mac, you already have solid built-in security — but it’s not automatic.

In my audits, I’ve seen devices where:

  • FileVault encryption isn’t enabled

  • iCloud backups are assumed to be full backups (they’re not)

  • There’s no ability to remotely wipe lost laptops or phones

  • Basic updates and patching are months out of date

Attackers don’t need to “hack” you if your device is stolen or lost and unprotected.

What to do:

  • Turn on FileVault and automatic updates

  • Use Find My + secure Apple IDs

  • Set a real passcode, not “1234”

  • Don’t rely on iCloud alone — have a backup system you control
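Two of the items above, FileVault and automatic updates, can be checked from the command line, which makes a quick audit of every Mac in the office repeatable. The script below is an added example, not from the original post; it reads `fdesetup status` and the update keys in `/Library/Preferences/com.apple.SoftwareUpdate`, and treats a key that has never been set (which `defaults read` reports as an error) as "not enabled", which is the conservative assumption. Find My and backups are not covered here because they have no simple command-line status.

```python
import subprocess

# Preference keys under /Library/Preferences/com.apple.SoftwareUpdate that
# together make up "automatic updates" in System Settings.
UPDATE_KEYS = {
    "AutomaticCheckEnabled": "automatic update checks",
    "AutomaticDownload": "automatic download of updates",
    "AutomaticallyInstallMacOSUpdates": "automatic macOS update install",
    "CriticalUpdateInstall": "automatic security/critical update install",
}
SOFTWARE_UPDATE_PLIST = "/Library/Preferences/com.apple.SoftwareUpdate"


def run(cmd):
    """Run a command and return its stdout, or '' if it is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def filevault_on(status_text):
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "FileVault is On" in status_text


def pref_enabled(defaults_text):
    """`defaults read <plist> <key>` prints 1 or 0; an unset key prints nothing."""
    return defaults_text.strip() == "1"


def audit(fdesetup_out, update_prefs):
    """Turn raw command output into a list of findings (empty = all good)."""
    findings = []
    if not filevault_on(fdesetup_out):
        findings.append("FileVault is off: data on a lost or stolen Mac is readable")
    for key, label in UPDATE_KEYS.items():
        if not pref_enabled(update_prefs.get(key, "")):
            findings.append("%s (%s) is not enabled" % (label, key))
    return findings


def collect_live():
    """Gather the real values on this Mac (returns empty output elsewhere)."""
    fv = run(["fdesetup", "status"])
    prefs = {key: run(["defaults", "read", SOFTWARE_UPDATE_PLIST, key]) for key in UPDATE_KEYS}
    return fv, prefs


if __name__ == "__main__":
    findings = audit(*collect_live())
    print("\n".join(findings) if findings else "No findings")
```

Each finding maps to a single toggle in System Settings (Privacy & Security for FileVault, General > Software Update for the rest), so the output doubles as the fix list for that machine.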

Where do you go from here?

This stuff doesn’t require a full-time IT department — but it does require attention.

That’s why I created a Security Jumpstart Package for small businesses and remote professionals:

  • Device + account audit

  • Basic hardening (Mac, email, cloud)

  • Recommendations and documentation

  • A short training session so you’re not guessing

No ongoing contract. Just a clean, secure baseline — and peace of mind.
