Cybersecurity and Ransomware Basics for Small Business

Cybersecurity and ransomware basics for a small business come down to this: the law treats "reasonable" data security as a duty you owe your customers, not an optional upgrade for companies big enough to have an IT department. If you hold customer or employee personal information, prepare taxes, arrange financing, or just run email and a bank account, you already have exposure if you get breached and hadn't done the basics. This guide covers the legal hooks most owners never hear about, then the practical steps that stop the vast majority of small-business attacks.

Several different rules can reach you, and they don't require you to think of yourself as a "tech company." Which ones apply depends on what you do and whose data you hold:

  • The FTC can treat weak security as an unfair practice. The Federal Trade Commission has long taken the position, under its general authority over unfair and deceptive practices, that a business with unreasonably weak data security — no encryption, no access controls, ignoring known vulnerabilities — can be violating federal law even without a specific security statute naming its industry. This position has been applied to small operations, not just large corporations. Separately, if you make promises about security in a privacy policy or to customers and don't keep them, that's the "deceptive" half of the same authority.
  • The FTC Safeguards Rule reaches businesses that don't think of themselves as "financial." This rule (16 CFR Part 314), issued under the Gramm-Leach-Bliley Act, applies to "financial institutions" — but that term is defined far more broadly than banks. The FTC has applied it to businesses significantly engaged in financial activities, such as auto dealers who arrange financing for customers, mortgage brokers, tax return preparers, collection agencies, and financial advisors. If any of that describes you, you're expected to have a written security program with a named person responsible for it — not just antivirus software. Covered businesses also have a duty to report certain security events to the FTC; the rule sets both the trigger and the deadline, so confirm the current specifics on ftc.gov rather than assuming state law is the only notice you owe.
  • Paid tax preparers are required by law to have a written security plan. This one surprises solo preparers constantly. The requirement comes from the FTC Safeguards Rule — the "financial institution" definition includes professional tax preparers — and the IRS amplifies it rather than owning it. IRS Publication 4557, Safeguarding Taxpayer Data, explains the duty, and Publication 5708 is a template for building the plan itself (often called a "WISP"). The IRS made this hard to miss: the PTIN application and renewal form asks you to check a box acknowledging awareness that paid preparers are required by law to create and maintain a written information security plan. Checking that box doesn't create the duty — the duty already existed — and the IRS notes that failing to comply can draw an FTC investigation.
  • State breach-notification law follows the affected PERSON, not you. All 50 states have a breach-notification law, as do the District of Columbia and the U.S. territories — but that's where the uniformity ends. The trigger is usually the residency of the person whose data was exposed, not where your business is located or incorporated. So if you have even a handful of customers or employees who live in other states, a single breach can trigger duties under several states' laws at once — and what counts as covered "personal information," how fast you must give notice, what the notice must say, and whether that state's attorney general must be told all differ sharply from state to state and change over time. Confirm the current rules with each affected state's attorney general's office; do not assume the state you know applies to everyone on your list.
  • Some sectors carry their own rules on top. If you handle protected health information as a HIPAA covered entity or business associate, federal breach-notification duties administered by HHS apply in addition to state law — check hhs.gov for the current thresholds and timing. And if you take payment cards, note the distinction: PCI DSS is a contractual standard imposed by your card agreements and processor, not a federal statute. Falling short can mean contractual penalties and losing your ability to accept cards — and if a breach follows, the FTC and state law still reach you on top of that.

None of this means you need a compliance department. It means the basic habits below aren't just good practice — they're the difference between "we had reasonable safeguards" and "we didn't," which matters enormously if something goes wrong.

The practical core: what actually stops most attacks

Most small-business breaches aren't sophisticated. They're a reused password, an unpatched laptop, or someone clicking a convincing email. A short list of habits closes most of that gap.

Multifactor authentication, especially on email and banking

Turn on multifactor authentication (MFA) — a code or app prompt in addition to a password — on every account that supports it, starting with email, online banking, and any accounting or payroll software. Email is the master key to almost everything else: someone who controls your inbox can reset your other passwords. Banking access is the most direct route to your money. MFA is the single highest-value control a small business can turn on, and it's usually free. Where you have the choice, an authenticator app or a security key is stronger than codes sent by text.

Backups you actually test by restoring

Keep backups that ransomware can't reach and delete along with your live files — an offline copy disconnected from your network, or cloud backup with "immutable" or version-locked storage that can't be overwritten by an attacker who gets into your systems. A backup you've never tried to restore from is a hope, not a plan. Periodically restore a file (or a full system) from backup to confirm it works before you need it in an emergency.

Patching and updates

Turn on automatic updates for your operating systems, browsers, and business software. Many ransomware and data-theft attacks exploit known vulnerabilities that a patch already fixed — the attacker is counting on you not having installed it yet.

Least privilege

Give each employee access only to the systems and data they actually need for their job — not full access to everything "to be safe." When an account is compromised, limited access limits the damage. Remove access promptly when someone leaves, and keep day-to-day work off accounts with administrator rights.

Phishing training that's short and repeated

Most break-ins start with a convincing email or text. Brief, repeated training — what a fake invoice, fake IT alert, or fake executive request looks like, and where to report a suspicious message — beats a single long annual session nobody remembers. Make it safe to report a mistake quickly; the employee who admits a click within minutes is doing you an enormous favor.

A written incident response plan

Write down, before anything happens: who makes the call to shut down affected systems, who you call first (your IT or managed service provider, your insurance carrier, an attorney familiar with data breaches), and who is responsible for notifying customers or employees if required. Deciding this during an actual attack, under pressure, is how mistakes happen and deadlines get missed.

Ransomware: what the law actually says about paying

Ransomware — malicious software that locks or encrypts your files and demands payment to restore them — has become one of the most common small-business cyber incidents. A few things owners consistently get wrong:

  • Paying a ransom is not, by itself, illegal under federal law. But it can violate U.S. sanctions law if the payment ends up going to a person, group, or jurisdiction on a U.S. sanctions list. Sanctions liability of this kind is generally strict — meaning you can be exposed even if you didn't know who was on the other end. The Treasury Department's Office of Foreign Assets Control (OFAC) has issued advisories warning businesses, insurers, and incident-response firms about exactly this risk.
  • Paying does not guarantee your data comes back, or stays private. Criminal actors don't always honor the deal, and many ransomware attacks now involve stealing your data before encrypting it — so even a successful decryption doesn't mean the information wasn't already copied, and it can still be leaked or sold. Federal guidance generally discourages paying, partly because it funds the next attack.
  • Paying doesn't erase your notification duties. If personal information was exposed, you may still owe notice to affected individuals and possibly regulators under the applicable state breach law — and under the Safeguards Rule or HIPAA if those cover you — regardless of whether you paid and regardless of whether you got your files back.

Before any ransom decision, involve law enforcement and, for anything beyond a trivial incident, an attorney experienced in breach response. Reporting to and cooperating with law enforcement is itself treated as a significant mitigating factor if a sanctions question later arises, and counsel helps you meet notification duties correctly instead of guessing.

Business email compromise and fake-invoice fraud

This is how most small businesses actually lose real money to cybercrime — not dramatic ransomware headlines, but a patient scam. An attacker who has quietly compromised or spoofed an email account — often a vendor's, a client's, or an executive's — sends what looks like a legitimate request to change a bank account or wire funds. The address looks right, the tone matches, and the invoice looks like every other one from that vendor.

The single most effective defense: verify any change to wiring instructions or bank account details by phone, using a number you already have on file — never a number provided in the email itself. Call the person you believe sent the request and confirm it verbally before moving money. This one habit defeats the overwhelming majority of these scams, because the attacker doesn't control your phone.

Other practical steps: require a second person's sign-off on any wire transfer or change to vendor payment details; be suspicious of any request that manufactures urgency ("send today," "don't call, I'm in a meeting"); and check the sender's actual email address, not just the display name. If you do send a fraudulent wire, report it immediately — the FBI has a process for attempting to freeze recent fraudulent transfers, and speed is the whole game.

One more thing worth knowing: your business bank account does not carry the consumer protections you may be thinking of. The consumer rules that cap your personal liability for unauthorized electronic transfers generally do not apply to business accounts. Your recourse depends largely on your deposit agreement and how fast you catch it — which is why the phone-verification habit and prompt reconciliation matter so much more on the business side.

Cyber insurance

A standard business owner's policy or general liability policy typically does not cover data breaches, ransomware, or business email compromise losses — those usually require separate cyber coverage or an endorsement. If you hold customer payment data, health information, or handle significant wire transfers, ask your agent specifically about cyber coverage, and read what it actually covers: breach notification costs, forensic investigation, ransom negotiation and payment, business interruption, and funds-transfer fraud can each be covered separately, sublimited, or excluded entirely depending on the policy. Insurers increasingly require basic controls like MFA before they'll write a policy or pay a claim, so the practical steps above also protect your ability to collect if something happens.

What to do: reporting and getting help

  1. If you're currently under attack: follow your written incident plan — isolate affected systems, preserve evidence rather than wiping machines, and contact your IT/security provider and your insurer immediately. Many policies require prompt notice and the use of approved vendors, so calling the insurer early protects the claim.
  2. Report the incident. File a report with the FBI's Internet Crime Complaint Center at ic3.gov — this covers ransomware, business email compromise, and most cyber fraud. Reporting can help with recovery efforts, is often expected by insurers, and is the step that makes law-enforcement involvement count if a sanctions question comes up later.
  3. Use free federal guidance to build your defenses. The Cybersecurity and Infrastructure Security Agency publishes free, plain-language small-business security guidance at cisa.gov, and the joint federal ransomware hub at stopransomware.gov collects prevention and response resources in one place. The FTC's cybersecurity materials for small business on ftc.gov are also free and written for non-specialists.
  4. Confirm your notification duties. If personal information was or may have been exposed, identify which states the affected people live in and check each state's current requirements — deadlines, required content, and whether the attorney general must be notified all vary and change. Confirm with each state's attorney general's office rather than relying on what another state requires. If the Safeguards Rule or HIPAA covers you, check ftc.gov or hhs.gov for those separate duties.
  5. Loop in an attorney for anything beyond a minor incident. Multi-state notification duties, potential sanctions exposure, and insurance claims are exactly the kind of overlapping, deadline-driven situation where experienced counsel earns the fee. Free help with the prevention side is available from SBA resource partners, SCORE, and your state's Small Business Development Center.

For the broader picture of what "personal information" means and how state breach laws generally work, see our guide to data privacy and breach basics.

Key takeaways

  • Weak security isn't just an IT risk — the FTC's unfairness authority, the Safeguards Rule, the written-plan requirement for paid tax preparers, and state breach-notification laws can all create real legal exposure for a small business.
  • Multifactor authentication on email and banking, tested offline or immutable backups, patching, least-privilege access, and a written incident plan stop most attacks and most damage.
  • Paying a ransom isn't automatically illegal, but it can carry strict-liability sanctions risk, doesn't guarantee your data back, and doesn't erase your notification duties.
  • The most common way small businesses lose money to cybercrime is fake wire or invoice fraud — always verify payment changes by phone using a number you already have, and remember business accounts lack consumer protections.
  • Report incidents to ic3.gov, use the free resources at cisa.gov and stopransomware.gov, and confirm notification duties based on where affected people live — not where your business is.

Frequently asked questions

Do I really have to worry about the FTC Safeguards Rule if I'm not a bank?

Possibly yes. The rule's definition of "financial institution" is much broader than banks and has reached businesses significantly engaged in financial activities — auto dealers who arrange financing, mortgage brokers, tax preparers, and collection agencies among them. If that might describe you, check whether you're covered on ftc.gov rather than assuming you aren't.

I prepare tax returns from home. Do I really need a written security plan?

Yes — the requirement doesn't have a small-shop exception, and it applies to solo preparers. It comes from the FTC Safeguards Rule, because the "financial institution" definition includes professional tax preparers, and the PTIN application and renewal form asks you to check a box acknowledging that paid preparers are required by law to maintain one. IRS Publication 4557 explains the duty and Publication 5708 is a template for writing the plan.

Is it illegal to pay a ransomware demand?

Not automatically, under federal law. The legal risk is that payment reaching a sanctioned person, group, or jurisdiction can violate U.S. sanctions law, and that liability generally doesn't require you to have known who the attacker was. Involve law enforcement and, for anything significant, an attorney before deciding.

Which state's breach notification law applies to us?

Generally the law of the state where the affected person lives, not where your business is based. A breach affecting people across several states can trigger several states' duties at once, each with its own definitions, deadlines, and regulator-notice rules. Confirm current requirements with each affected state's attorney general.

We're a two-person business — do we really need a written incident response plan?

Yes, and it can be short. Even one page listing who calls whom (IT provider, insurer, attorney) and what gets shut down first saves critical time and reduces mistakes during an actual incident, and insurers increasingly expect to see one.

What's the fastest thing I can do today to reduce risk?

Turn on multifactor authentication for your business email and online banking. It's free, takes minutes, and closes the door on the majority of account-takeover attacks.

This article is general information, not legal, tax, or financial advice, and does not create an attorney-client or accountant-client relationship. Data security rules and state breach-notification requirements change; confirm current requirements with the official source or a qualified attorney or CPA. Free help is available from the IRS, SBA, SCORE, and your state's Small Business Development Center.

Frequently asked questions

Do I really have to worry about the FTC Safeguards Rule if I'm not a bank?

Possibly yes. The rule's definition of “financial institution” is much broader than banks and has reached businesses significantly engaged in financial activities — auto dealers who arrange financing, mortgage brokers, tax preparers, and collection agencies among them. If that might describe you, check whether you're covered on ftc.gov rather than assuming you aren't.

I prepare tax returns from home. Do I really need a written security plan?

Yes — the requirement doesn't have a small-shop exception, and it applies to solo preparers. It comes from the FTC Safeguards Rule, because the “financial institution” definition includes professional tax preparers, and the PTIN application and renewal form asks you to check a box acknowledging that paid preparers are required by law to maintain one. IRS Publication 4557 explains the duty and Publication 5708 is a template for writing the plan.

Is it illegal to pay a ransomware demand?

Not automatically, under federal law. The legal risk is that payment reaching a sanctioned person, group, or jurisdiction can violate U.S. sanctions law, and that liability generally doesn't require you to have known who the attacker was. Involve law enforcement and, for anything significant, an attorney before deciding.

Which state's breach notification law applies to us?

Generally the law of the state where the affected person lives, not where your business is based. A breach affecting people across several states can trigger several states' duties at once, each with its own definitions, deadlines, and regulator-notice rules. Confirm current requirements with each affected state's attorney general.

We're a two-person business — do we really need a written incident response plan?

Yes, and it can be short. Even one page listing who calls whom (IT provider, insurer, attorney) and what gets shut down first saves critical time and reduces mistakes during an actual incident, and insurers increasingly expect to see one.

What's the fastest thing I can do today to reduce risk?

Turn on multifactor authentication for your business email and online banking. It's free, takes minutes, and closes the door on the majority of account-takeover attacks.

This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.

Knowing your rights is the first step

Join thousands committing to calmly and consistently exercise their constitutional rights.

Take the Pledge