Small businesses are a preferred target for cybercriminals — not because of what they have, but because of what they lack. 47% of businesses under $10 million in revenue were hit by ransomware last year, and for those who paid, the average ransom reached $2 million in 2024. For Stockton's logistics, agriculture, and port-connected businesses — where vendor contracts and shipping invoices flow daily through the Central Valley's supply chain — a single breach can sever partnerships that took years to build. The mistakes that allow these attacks are preventable. Here's where most businesses fall short.
Unpatched Software: The Unlocked Door
Unpatched software — applications or operating systems that haven't received the latest security fixes — is one of the most exploited entry points attackers use. When a vendor releases a patch, they also publish a record of what was broken. Delay the update, and you've left that window open for anyone who reads the release notes.
The same logic applies to your network. Routers, firewalls, and Wi-Fi access points need periodic review. If your network configuration hasn't been touched since setup, it was designed for a different threat environment.
Passwords Without a Policy Are Just Wishes
Weak passwords aren't a personal failing — they're a policy gap. When there are no requirements, people default to what they can remember, which tends to be what an attacker can guess.
A practical path forward:
If you have no password requirements: Set a 12-character minimum with mixed character types and require annual changes.
If requirements exist but no MFA: CISA identifies MFA as a top-priority control — requiring it for all users, especially those with privileged or remote access, is one of the highest-impact, lowest-cost steps a small business can take immediately. Start with email and financial accounts.
If MFA is partial: Audit which accounts still lack it. Any account touching customer data or finances needs it now.
Bottom line: One account without MFA is an unlocked door into everything that account can reach — and email accounts can reach almost everything.
Your Employees Face the Hardest Attack Surface
Technology blocks known threats. People face the novel ones.
68% of breaches involve a human error or social engineering attack, and phishing catches employees off guard — often within 60 seconds of an email arriving. Imagine a freight broker near the Port of Stockton receiving what looks like a routine invoice update from a regular shipping partner. One click on a malicious attachment, and the network is compromised. It's not carelessness — it's a well-engineered attack.
Employee error drives most small business breaches, which makes quarterly training the most direct line of defense. Sessions don't need to be formal — a 20-minute walkthrough at a Lodi Chamber educational workshop covers the essentials for your whole team.
In practice: Run a simulated phishing exercise before your next training session — seeing which emails fooled people is more instructive than any slide deck.
Two Outcomes from the Same Ransomware Attack
With a tested backup: A Stockton wholesale distributor's files are encrypted. They restore from a recent offsite copy, verify the restoration, and are back up within 48 hours. Ransom paid: $0.
Without a backup: Same attack, same business. The choices are now: pay the ransom with no guarantee of file recovery, rebuild from scratch over weeks of downtime, or close permanently.
Data backup and recovery means keeping current copies in a location separate from your primary systems — ideally both cloud and physical offsite — and testing restoration every quarter. A backup you've never tested is a false assurance, not a safety net.
Bottom line: A recovery plan built before a breach costs almost nothing; one assembled during a breach costs everything.
Locking Down Documents and Mobile Devices
Phones with access to company email or customer records need the same protections as desktop computers: strong screen lock passcodes, and enrollment in a mobile device management (MDM) platform that allows a device to be remotely wiped if it's lost or stolen.
Documents deserve equal attention. Password-protected PDFs are a reliable way to keep contracts, proposals, and financial reports from being accessed by the wrong person. Adobe Acrobat is a PDF page management tool that also lets you reorder, delete, and rotate pages — useful when updating compliance packages or assembling client-facing documents without starting from scratch.
Run the Audit Before Someone Else Does
When a breach happens, just 1 in 7 small businesses has a formal incident response plan — meaning most are deciding what to do in real time, under pressure, with no rehearsal. A security audit is a structured review of your controls, accounts, and policies that lets you find the gaps before an attacker does.
Use this checklist to assess where you stand:
- [ ] Software and firmware updated within the last 30 days
- [ ] MFA enabled on all email, financial, and cloud accounts
- [ ] Employee cybersecurity training completed in the last 6 months
- [ ] Data backups tested within the last 90 days
- [ ] Mobile device management policy in place and enforced
- [ ] Sensitive documents stored with access controls
- [ ] Security audit or vulnerability scan completed this year
If you're not sure where to start, the FTC points small businesses to a free cyber risk framework: NIST's Cybersecurity Framework 2.0 organizes your approach around six functions — Govern, Identify, Protect, Detect, Respond, and Recover — and costs nothing to use.
Start With Your Two Biggest Gaps
Cybersecurity isn't a one-time project — it's a maintenance habit. The Lodi District Chamber of Commerce connects you with 600+ business owners who face the same risks, and its workshops are a practical place to share what's working and hear what threats others are seeing. Take the checklist above, identify your two most critical open items, and address those first. Progress beats perfection every time.
Frequently Asked Questions
Are Stockton small businesses really being targeted, or is this mostly a risk for large companies?
Automated attack tools scan millions of businesses without filtering by size — your revenue doesn't protect you. Small businesses are often preferred targets precisely because they're assumed to have weaker defenses. A compromised small business is also frequently used as a stepping stone to attack its larger clients or freight partners.
Size is not a defense — exposed credentials and unpatched systems are what attract automated attacks.
What's the minimum a very small business (under 5 employees) should put in place right now?
Enable MFA on all accounts immediately — it's free, takes under 10 minutes, and blocks the most common attack path. Then turn on automatic software updates and set up a cloud backup service for critical files. These three steps address the majority of common attack vectors before you spend a dollar.
MFA, automatic updates, and cloud backup are the minimum viable security foundation for any small business.
How do we train employees on cybersecurity if there's no formal training budget?
CISA and the SBA both offer free training materials designed for small businesses. Brief monthly reminders about current phishing tactics — shared via email or discussed at a team meeting — are more effective than annual formal sessions because they keep employees current with how attacks actually look today.
Consistent informal training outperforms occasional formal sessions when budgets are tight.
What should we do in the first hour after discovering a breach?
Disconnect affected devices from the network immediately to stop lateral spread. Preserve logs and screenshots before taking any action that might overwrite evidence. Report to the FBI's Internet Crime Complaint Center (IC3) and notify your cyber insurance carrier if you have one. Do not pay a ransom without first consulting law enforcement — free recovery may be available.
Isolate first, document second, notify third — that sequence limits damage and preserves your recovery options.
This Hot Deal is promoted by Lodi Chamber of Commerce.
