Hello World!
I’ve been planning to start this blog for the last six months or so, but I keep debating when is the opportune moment to start. It turns out that waiting for the perfect moment is, to paraphrase Captain Malcolm Reynolds, like waiting for a train that ain’t never gonna come (if you haven’t watched the TV show Firefly, you are missing out).
So with that realization, I’m going to just dive right in. This blog is a work in progress, so things may be a bit rough around the edges as I figure things out — just a heads up!
Why a Blog?
Blogs are trendy (at least I think they still are?) but I’m a computer geek — I gave up on the dream of being trendy a long time ago. I started Blue Smoke Computers in response to the lack of cybersecurity products and resources for small businesses.
This blog is part of my response to that void: a space where I will publish articles about cybersecurity-related news and developments (broadly speaking) that may be of interest to small business owners.
For this inaugural post I am going to take a deep dive into the state of small business cybersecurity. It’s important to know that if you are a small business owner who feels overwhelmed by cybersecurity, you are not alone!
The State of Things
The UK National Cyber Security Centre (NCSC) has developed Cyber Essentials — a program that can help small businesses improve their cybersecurity.1 It’s a wonderful resource for businesses operating in the UK but unfortunately it’s not available to Americans and the US government doesn’t provide anything nearly as useful for American small businesses.
What we do have here in the US is the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Small Business Administration (SBA). Federal law has tasked NIST with developing cybersecurity standards to protect federal agencies, and while these standards are publicly available, they are intended for organizations with a dedicated IT staff, a separate cybersecurity team, and a large budget. Meanwhile the CISA is under the Department of Homeland Security (DHS) and is charged with protecting the operational security of civilian agencies and critical infrastructure.
That leaves the SBA to look after small businesses and they have partnered with the CISA to help small businesses with cybersecurity. That sounds good until you read the fine print.
The SBA Says: "No Soup For You!"
According to the SBA a “small business” typically has fewer than 500 employees or less than $1 million in revenue, but depending on the industry a small business can have almost $50 million in revenue or 1,500 employees.2 I don’t know many people who think the word small means what the SBA thinks it means, and it doesn’t apply to 90% of businesses in the United States, but it’s their definition which shapes virtually all of the discussions about small and medium size businesses (SMBs) in this country. 3 And it means that the SBA’s efforts to promote small business cybersecurity are directed at businesses making closer to $50 million in revenue than $51,816 which is the average revenue for a small business. 4
And in some cases the SBA’s efforts are even more narrowly tailored. Take for example the SBA’s partnership with the CISA, mentioned above. The SBA advertises that the CISA will provide free cybersecurity scanning and monitoring for small businesses. But according to the CISA to qualify you must be: a local government (not a business), a tribal government (still not a business), a state government (NOT. A. BUSINESS!!!) or a small business categorized as “critical to the national infrastructure.”5 So basically no one is getting free monitoring. No one running a small business, anyway. And to highlight how absurd this is, I actually had a student who worked for a natural gas company and their organization qualified for this program but no one at their company knew it existed!
The SBA is not alone in overlooking small businesses. In the private sector most of the companies that sell security services, Managed Service Providers (MSPs), focus on larger organizations with big budgets. Which explains why they typically charge between $100 and $200 per device, every month — too much to be a viable option for small businesses. 6
So small businesses’ cybersecurity needs are being overlooked by both the public and private sector, which is scary when you consider how vital they are to the American economy. Small businesses make up 99.9% of companies in the United States and produce 44% of our GDP while employing almost half of the private sector employees nationwide. 7 That’s impressive when you consider that the average small business has 11 employees and businesses less than two years old have six employees on average. Meanwhile solopreneurs (nonemployer companies run by the owner) make up 78.4% of all firms! 8

The average revenue for a small business is $51,816 while average revenue for solopreneurs is $44,000, but the majority actually earn less than $25,000 (got to love statistics).9
Small Business and Cybersecurity
The numbers above suggest, to me at least, that there are a lot of small businesses out there struggling to grow their revenue stream who don’t have a lot of money to throw at cybersecurity. In fact, it is estimated that almost half of small businesses have no budget for cybersecurity. 10
The next question is, why should small business owners invest in cybersecurity when their budgets are already stretched thin? According to the US Chamber of Commerce, 60% of small businesses list cyber threats as a top concern, while 41% of small businesses were the victim of a cyber attack in 2023, and the average cost of an incident was $8,300. 11
SBA estimates suggest that almost half of small businesses will be the victim of cyber attacks each year and a quarter of all small businesses who are victims of an attack close within 6 months of the incident.12 And even if those numbers seem high, other statistics suggest that 80% of small businesses will be the victim of cybercrime in the next five years.13
And then there is ransomware, which is still very much a threat. While headlines focus on large organizations being attacked by ransomware, the U.S. Chamber of Commerce estimates that 74% of ransomware victims are small businesses and the average cost of a ransomware attack for a small business is $16,000, almost double the cost of other cybercrimes. 14 And ransomware is morphing: they’re no longer just holding your data ransom, instead they’re stealing your data, and your customers’ data, and then dumping it online if you don’t pay. How much would you lose if all of your Intellectual Property (IP) was dumped online? How liable are you if your customer data is disclosed? How does that affect your relationship to your customers? Forbes estimates that 65% of small businesses cease to be profitable for at least 3 months after a ransomware attack, and over 60% of them close permanently. 15
So the threats to small businesses are very real. Victims often express surprise when they are attacked. “I didn’t think we would be a target, we’re not worth much!” and “Why us, we’re nobody?” are common reactions to an attack. Unfortunately small and medium size businesses (SMEs) are increasingly being victimized by cybercriminals. 16 Cybersecurity is definitely one of those cases where an ounce of prevention is worth (more than) a pound of cure.
Some Good News
The last section may have sounded a lot like “the sky is falling! We’re all doomed!” And to be clear, the threats are real — even for small business owners. But the UK’s NCSC estimates that small businesses are 92% less likely to file a cyber insurance claim if they implement and maintain even a basic cybersecurity program. 17
That’s REALLY good news. Most cybersecurity attacks are not targeted. Attackers rely on automated scans to look for victims or they execute phishing campaigns where they cast a wide net. 18 This means that many threats can be mitigated by implementing relatively low cost solutions, adopting good cybersecurity habits, and maintaining those habits.
Wrapping Up
So that’s the state of small business cybersecurity. I’ve started this blog and company to help small business owners develop basic cybersecurity programs that don’t cost much but will significantly reduce the likelihood that they become victims of a cyber crime and ensure they can recover should the worst happen.
The goal is to educate, inform, and empower. Educate you about the changing threat landscape, inform you about the range of options you have, and empower you to improve your security, either on your own or with assistance.
So let’s get your business secured: because everyone wins when more small businesses have strong cybersecurity, except for the criminals.
1. https://www.ncsc.gov.uk/cyberessentials/overview
2. https://www.sba.gov/document/support-table-size-standards and https://www.usatoday.com/money/blueprint/business/business-formation/small-business-statistics/
3. https://www.usatoday.com/money/blueprint/business/business-formation/small-business-statistics/
4. https://www.usatoday.com/money/blueprint/business/business-formation/small-business-statistics/
5. https://www.cisa.gov/cyber-hygiene-services under “FAQ”, “Who can receive services”
6. https://cybercommand.com/how-much-does-managed-it-services-cost/
7. https://www.usatoday.com/money/blueprint/business/business-formation/small-business-statistics/
8. https://www.census.gov/library/stories/2025/07/nonemployer-business-growth.html
9. https://www.usatoday.com/money/blueprint/business/business-formation/small-business-statistics/
10. https://www.techradar.com/pro/security/many-companies-are-still-failing-to-budget-for-cybersecurity
11. https://www.sba.gov/blog/2024/2024-10/todays-economy-cyber-safety-critical-small-business-success
12. https://www.sba.gov/blog/2024/2024-10/todays-economy-cyber-safety-critical-small-business-success
13. https://www.coalitioninc.com/blog/security-labs/small-business-cybersecurity-study-june
14. https://www.uschamber.com/co/run/technology/small-businesses-ransomware and https://www.hiscox.com/documents/Hiscox-Cyber-Readiness-Report-2023.pdf
15. https://www.forbes.com/councils/theyec/2019/09/18/the-state-of-cybersecurity-pertaining-to-small-business/ and https://www.forbes.com/councils/forbestechcouncil/2025/02/27/the-ransomware-epidemic-why-smes-are-the-new-primary-target/
16. https://www.forbes.com/councils/forbestechcouncil/2025/02/27/the-ransomware-epidemic-why-smes-are-the-new-primary-target/
17. https://www.ncsc.gov.uk/cyberessentials/overview
18. https://www.forbes.com/councils/forbestechcouncil/2025/02/27/the-ransomware-epidemic-why-smes-are-the-new-primary-target/