-
March 18, 2026
Small businesses are not peripheral targets in today's cybersecurity landscape — they're the primary ones. The FBI's Internet Crime Report found that cybercrimes carried a $2.9 billion price tag for the small business community in 2023. For Evanston firms in oil and gas, ranching, and logistics — many exchanging contracts with larger regional partners along I-80 — a breach rarely stays contained. The gaps are common, and most are fixable.
"We're Too Small to Be a Target" — A Costly Assumption
If you run a small operation, it's easy to assume attackers focus on bigger fish. That assumption is exactly why small businesses get hit.
Attackers don't pick targets manually — they run automated tools that probe thousands of businesses simultaneously, and smaller firms are easier to breach. A Hiscox survey found that 41% of small businesses were attacked in 2023 and paid a steep median cost of $8,300 per incident. Volume and ease of access drive targeting, not the size of the prize.
Bottom line: Automation makes business size irrelevant to attackers — ease of access is what determines who gets hit.
Your Staff Are the Most Common Entry Point
Many owners invest in antivirus software and a firewall, then assume external threats are handled. That's the wrong threat model.
The U.S. Small Business Administration warns that employees drive most data breaches for small businesses — not outside hackers, but phishing emails impersonating vendors or local institutions. Small businesses experience social engineering attacks at far higher rates than large enterprises, and a single click can hand attackers access to every system that employee touches. A quarterly 30-minute session on recognizing suspicious emails closes more risk than most software upgrades.
In practice: Train staff before your next software or hardware purchase — the human gap is almost always larger than the technical one.
Seven Vulnerabilities to Close Now
Most common cybersecurity gaps don't require an IT department to fix. Work through this checklist to identify where your business has measurable exposure:
-
[ ] Software updates: All devices, apps, routers, and point-of-sale systems are set to auto-update
-
[ ] Password policy: All accounts use unique, strong passwords or a password manager — no shared credentials
-
[ ] Employee training: Staff received phishing and data-handling training in the past 12 months
-
[ ] Data backup: Business data is backed up weekly to an offline location, and recovery has been tested
-
[ ] Network security: Business and guest Wi-Fi run on separate networks; router firmware is current
-
[ ] Mobile device security: Company devices have screen locks, remote-wipe capability, and a written policy
-
[ ] Security audit: A formal review of accounts, access, and vendor connections completed in the past year
Three or more unchecked items means real, addressable exposure today.
Protecting Sensitive Files
Contracts, client records, and financial documents often move as PDFs — and an unprotected PDF is readable by anyone who intercepts it. Password-protecting sensitive files adds access control that limits exposure even when documents are forwarded or stored in shared drives.
Adobe Acrobat is an online PDF tool that lets you password-protect files and add pages to PDF documents without desktop software — useful when you need to insert updated terms or attachments into an existing file. The Federal Trade Commission also advises small business owners to assess vendor cyber risks before entering formal relationships, a step that matters especially for Evanston firms whose vendor connections reach larger regional operators.
What a Breach Actually Costs
Imagine a small bookkeeping firm in downtown Evanston — serving ranch operators and energy contractors across Uinta County — hit by ransomware on a Tuesday morning. Files are encrypted, payroll records are locked, and there's no tested backup. The choice: pay the ransom or lose everything.
Research shows that 60% of small businesses shut down within six months after a cyberattack. For businesses wanting a structured starting point, NIST's free six-function security roadmap — Govern, Identify, Protect, Detect, Respond, and Recover — walks you through a complete risk review even from scratch.
Build the Habit Before You Need It
The Evanston Chamber of Commerce hosts continuing education and business workshops through spring 2026, including sessions in late March and April. Cybersecurity isn't a one-time setup — threats evolve and systems drift. An annual review using the checklist above keeps your defenses current without a dedicated IT budget.
Frequently Asked Questions
What if I can't afford a formal cybersecurity audit?
A paid audit is valuable but not required to start. NIST's Cybersecurity Framework 2.0 Quick-Start Guide is free and walks you through a self-directed six-function review. An internal walkthrough once a year — checking account access, software versions, and backup integrity — covers more ground than most small businesses currently do.
Start with the free NIST framework before budgeting for a paid audit.
How do I handle employees using personal devices for work?
Personal devices create shadow IT — accounts and systems outside your visibility. Require screen locks and updated operating systems on any device accessing company accounts. A one-page written policy that employees acknowledge sets expectations even without technical enforcement.
A written device policy matters even when you can't enforce it technically.
Are oil and gas suppliers in Uinta County at higher risk?
Yes, in a specific way. Businesses exchanging data or contracts with larger energy companies can become the entry point for a supply chain attack — attackers compromise a small supplier to reach a larger partner's network. The FTC's guidance to assess vendor cyber risks before formalizing relationships applies directly here.
If your business serves larger regional companies, your security posture becomes their exposure too.
-