
Why Your 50-Person Company Needs an Incident Response Plan

Small and mid-sized businesses are now the primary targets for ransomware. The 2025 DBIR proves it—here's why you can't afford to wing it.

The Uncomfortable Math

There's a persistent myth in the small business world: "We're too small to be a target." The 2025 Verizon Data Breach Investigations Report demolishes this completely.

Small and mid-sized businesses are now attacked at four times the rate of large enterprises. Why? Because attackers have figured out the economics. Hitting one Fortune 500 company is hard—they have SOCs, dedicated security teams, and mature defenses. Hitting 100 mid-market companies with ransomware is easy. Most have no incident response plan, no forensics capability, and will pay to make the problem go away.

4x more likely to be targeted than large enterprises
88% of SMB breaches now involve ransomware
$115K median ransom demand
$2.66M saved per breach with an IR plan

That 88% number is staggering. In large enterprises, only 39% of breaches involve ransomware—attackers have other motives like espionage or data theft. But for SMBs? It's almost always ransomware. You're not interesting enough to spy on, but you're perfect for extortion.

2024-2025: Breaches Hitting Companies Your Size

Forget the Fortune 500 headlines. Here's what's actually happening to mid-market companies, professional services firms, and their vendors:

Recent SMB & Mid-Market Breaches

April 2024: Young Consulting (Connexure), Software / Insurance Services
BlackSuit ransomware hit this software vendor serving Blue Shield of California. A single phishing email gave attackers access to unencrypted Social Security numbers, dates of birth, and insurance claim data. The company refused to negotiate; attackers leaked everything. Now facing class action lawsuits.
Impact: 954,000+ individuals exposed, 1M+ by mid-2025

December 2024: 200+ Companies via Cleo Software, Manufacturing / Logistics / Retail
Zero-day vulnerability in Cleo file transfer software (used by ~4,000 mid-market companies). The CL0P ransomware gang exploited it before anyone knew it existed. Victims include companies in food, trucking, and consumer products, businesses that rely on supply chain data exchange. Most had no idea they were exposed until attackers contacted them.
Impact: 350+ victims on leak site, average ransom $2.73M

January 2025: Manpower (Lansing, MI), Staffing / HR
Attackers had access for two weeks before anyone noticed. 140,000 employees and contractors had personal data stolen: Social Security numbers, bank details, everything needed for identity theft. The staffing firm now has to explain to workers why their data was compromised through their employer.
Impact: 140,000 individuals, weeks of investigation

Ongoing 2024-25: Wojeski CPA Firm, Accounting
Two ransomware attacks in two years. First breach: 5,881 clients exposed when a single employee clicked a phishing link. SSNs weren't encrypted. The New York Attorney General investigated and the firm settled. Then it happened again. Now facing regulatory scrutiny and client trust issues that may never recover.
Impact: 6,000+ clients, AG settlement, reputation damage

These aren't targeted attacks on high-value intelligence targets. These are opportunistic hits on organizations with valuable data and weak defenses. Your 50-person company with customer PII and payment data looks exactly the same to an attacker.

"The attacker doesn't care how many employees you have. They care whether you'll pay $115,000 to get your systems back. The answer for most mid-market companies without an IR plan is yes."

Incident Response Analyst, Verizon DBIR Team

The Third-Party Problem Is Getting Worse

Here's what should really worry you: the 2025 DBIR found that third-party involvement in breaches doubled year-over-year, now accounting for 30% of all incidents.

What does that mean? Your vendor got breached, and your data came with it. The Hertz breach in early 2025 is a perfect example—a zero-day vulnerability in the Cleo file transfer software exposed over a million customers' personal data. Hertz wasn't attacked directly; their vendor was.

The Supply Chain Reality

30% of breaches now involve third parties. You can have perfect security and still get breached through your payroll provider, your file transfer tool, or your SaaS vendor. An incident response plan isn't just about YOUR breach—it's about what you do when a vendor breach exposes YOUR customers' data.

Why Most SMBs Fail at Incident Response

The statistics on SMB incident response preparedness are grim:

Preparedness gap, and what it costs you during an incident:

75% lack any incident response plan: chaos in the first 24 hours, when every minute counts.
67% of executives admit they're not prepared: leadership makes panic decisions under pressure.
70% never test their IR plans: plans that look good on paper fail in reality.
68% feel unprepared for a cyber incident: delays in notification lead to regulatory fines.

The cost difference is stark. Organizations with an incident response team and regularly tested plans pay an average of $2.66 million less per breach than those without. For a mid-market company, that's the difference between surviving and shutting down.

What an Incident Response Plan Actually Does

Let's be concrete about why having a plan matters:

Without a Plan

Hour 1: Someone notices systems are down. Calls the IT person. IT person panics, starts Googling. CEO finds out 3 hours later via angry customer email.
Hour 4: Everyone argues about what to do. Someone power-cycles the infected server, destroying forensic evidence.
Hour 12: Legal asks who's been notified. Answer: nobody knows. Finance asks about insurance. Answer: nobody knows the policy number.
Day 3: Customers find out via Twitter before receiving an official notification. The regulatory clock has been ticking. Forensics firm engaged at 5x rush pricing.

With a Plan

Hour 1: Alert triggers. On-call person follows the runbook: document, contain, escalate to the incident commander.
Hour 2: Leadership briefed. Legal notified. Insurance carrier called (claim number was in the plan).
Hour 4: Pre-identified forensics firm engaged. Evidence preserved per protocol. Regulatory notification timeline tracked.
Hour 24: Customer notification drafted (from template), reviewed by legal, sent. Regulators notified within the window. Forensics underway at contracted rates.

The difference isn't just speed—it's cost, legal exposure, and reputation damage.

The Minimum Viable IR Plan

You don't need a 50-page playbook. You need answers to these questions before 3am on a Saturday:

Who makes decisions?

Name one incident commander. This person has authority to shut down systems, engage vendors, and approve spending during an incident. No committees, no "let's loop in the board first."

Who do you call?

Have a one-page contact sheet with personal cell numbers: leadership, IT, legal counsel, insurance broker (with policy number), and a pre-identified forensics firm. Print it. Put it somewhere offline.

What are the first 3 steps?

Document what you see. Contain the affected systems (isolate, don't destroy). Call the incident commander. That's it. Three steps anyone can follow at 3am.

When do you notify?

Know your regulatory deadlines: GDPR is 72 hours, most US state laws are similar. Your cyber insurance policy probably requires notification within 24-48 hours. Write these down.

The 2-Hour Tabletop That Saves $2M

Once a year, spend 2 hours walking through a scenario: "It's Tuesday morning. All your file servers are encrypted. The ransom note demands $150K in Bitcoin. Go." Work through who does what. Find the gaps. Update the plan. Companies that do this pay millions less when the real thing happens.
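The four questions above plus the annual tabletop are a checklist, and a checklist can be tested. As an added example (not code from the original article), here is a small Python readiness check that encodes them: it reports gaps in a plan (more or fewer than one incident commander, a contact role with no phone number, a missing policy number or claim line, a tabletop older than a year) and turns a detection timestamp into ordered notification deadlines so nobody has to do that arithmetic at 3am. The plan layout, role names, phone numbers and dates are constructed assumptions; the 72-hour window is the GDPR figure from the text, and the 24-hour insurer window is the lower end of the 24-48 hours the text mentions, so check your own policy.

```python
"""IR plan readiness check and notification-deadline tracker.

Added example, not from the original article. The plan layout (a plain dict),
the role names and every sample value below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Roles the one-page contact sheet must carry, each with a phone number (assumed role names).
REQUIRED_CONTACTS = ("leadership", "it", "legal_counsel", "insurance_broker", "forensics_firm")

# Notification windows in hours from detection. 72h is the GDPR figure; 24h is the lower
# end of the 24-48h insurer window (assumption: confirm against the actual policy).
NOTIFICATION_WINDOWS_HOURS = {"cyber_insurer": 24, "gdpr_supervisory_authority": 72}

TABLETOP_MAX_AGE = timedelta(days=365)  # one tabletop per year


def validate_plan(plan: dict, now: datetime) -> list[str]:
    """Return the list of gaps; an empty list means the minimum viable plan is in place."""
    gaps = []
    commanders = plan.get("incident_commanders", [])
    if len(commanders) != 1:
        gaps.append(f"name exactly one incident commander (found {len(commanders)})")
    contacts = plan.get("contacts", {})
    for role in REQUIRED_CONTACTS:
        if not contacts.get(role, {}).get("phone"):
            gaps.append(f"contact sheet has no phone number for {role}")
    insurance = plan.get("insurance", {})
    for field in ("policy_number", "claim_line"):
        if not insurance.get(field):
            gaps.append(f"insurance section is missing {field}")
    if len(plan.get("first_steps", [])) != 3:
        gaps.append("first steps must be exactly three short actions")
    last = plan.get("last_tabletop")
    if last is None:
        gaps.append("no tabletop exercise on record")
    elif now - last > TABLETOP_MAX_AGE:
        gaps.append(f"last tabletop was {(now - last).days} days ago; rerun it")
    return gaps


def notification_deadlines(detected_at: datetime,
                           windows: dict = NOTIFICATION_WINDOWS_HOURS) -> list[tuple[str, datetime]]:
    """Deadlines ordered soonest first; the clock starts at detection, not at the ransom note."""
    return sorted(((party, detected_at + timedelta(hours=h)) for party, h in windows.items()),
                  key=lambda item: item[1])


def overdue_notifications(detected_at: datetime, now: datetime, notified: set,
                          windows: dict = NOTIFICATION_WINDOWS_HOURS) -> list[str]:
    """Parties whose window has already closed without a notification being recorded."""
    return [party for party, deadline in notification_deadlines(detected_at, windows)
            if now > deadline and party not in notified]


# Constructed sample: two commanders, no forensics number, no policy number and a stale
# tabletop, so every check above has something to report. Phone numbers are placeholders.
SAMPLE_NOW = datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc)  # constructed detection time
SAMPLE_PLAN = {
    "incident_commanders": ["A. Example", "B. Example"],
    "contacts": {
        "leadership": {"phone": "+1-555-0100"},
        "it": {"phone": "+1-555-0101"},
        "legal_counsel": {"phone": "+1-555-0102"},
        "insurance_broker": {"phone": "+1-555-0103"},
        "forensics_firm": {},
    },
    "insurance": {"claim_line": "+1-555-0199"},
    "first_steps": ["document what you see", "isolate affected systems", "call the incident commander"],
    "last_tabletop": datetime(2024, 1, 15, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for gap in validate_plan(SAMPLE_PLAN, SAMPLE_NOW):
        print("GAP:", gap)
    for party, deadline in notification_deadlines(SAMPLE_NOW):
        print(f"notify {party} by {deadline.isoformat()}")
```

Run it as part of the annual tabletop: fix every gap it prints, then re-run until the list is empty. The deadline functions are meant to be called the moment an incident is detected, with the real detection time, so the "who have we not told yet" answer is one function call rather than a guess.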

The Ransomware-Specific Reality

Given that 88% of SMB breaches involve ransomware, your plan needs specific guidance for this scenario:

Do

Isolate affected systems immediately (unplug network cables). Take photos of ransom notes. Document the Bitcoin address. Call your insurance carrier before making any payment decisions. Engage law enforcement—FBI's IC3 or local field office.

Don't

Don't power off systems (memory evidence is valuable). Don't pay immediately—there may be decryption tools available. Don't communicate with attackers without guidance. Don't assume paying will get your data back (only 65% do). Don't destroy evidence your insurance claim will need.

The Ransom Decision

This is a business decision, not a moral one. Some factors: Do you have working backups? How critical is the encrypted data? What's your cyber insurance coverage for ransom payments? What's the regulatory and reputational risk of data being published? Have the attackers been known to provide working decryptors? Your incident response plan should identify WHO makes this decision and what factors they'll consider.

What Your Insurance Actually Covers

Most SMBs have cyber insurance but have never read the policy. Common surprises:

Coverage area, and what to check your policy for:

Ransom payment: coverage limit, sub-limit, whether Bitcoin is covered.
Forensics: whether you can choose your own firm or must use their panel.
Business interruption: waiting period before coverage kicks in, daily limits.
Notification costs: credit monitoring, notification services, call center.
Regulatory fines: whether fines are covered (varies by jurisdiction).

Your incident response plan should include your policy number, carrier's 24/7 claim line, and a summary of key coverage points. Finding this out during an incident is too late.

The Bottom Line

The 2025 DBIR makes it clear: small and mid-sized businesses are the primary targets now. Four times more likely to be attacked. 88% of those attacks are ransomware. Median ransom of $115K—which doesn't include the forensics, legal fees, notification costs, business interruption, and reputation damage.

Companies with incident response plans pay $2.66 million less per breach. That's not a nice-to-have—that's survival math.

You don't need a Fortune 500 security team. You need a one-page contact sheet, three clear first steps, and two hours of tabletop practice per year. The attackers are betting you won't do even that.

Prove them wrong.
