Cybersecurity for Private Company Owners: Practical Steps to Protect Your Business in 2026

By: Josh Axelrod, President, Aldrich Solutions

A Conversation With Josh Axelrod, President of Aldrich Solutions

We sat down with Josh Axelrod, President of Aldrich Solutions, to unpack the cyber threat landscape for leaders of small and mid-sized businesses (SMBs) and discuss practical steps companies can take to strengthen their defenses.

Q: Owners of private companies often think they are too small to be the focus of cyberattacks. Is that true?

Josh: That is one of the biggest misconceptions I hear. The idea that bad actors only go after large enterprises is outdated. Attackers use automated tools that scan thousands of companies each day, looking for weak spots. If you have an internet connection, email, a customer portal, or systems connected to partners or vendors, you are visible.

Organized crime groups and even state-affiliated threat actors look for easy opportunities, especially within companies that lack mature cybersecurity practices.

A practical tip is to ask your IT team, “If ransomware hit us tomorrow morning, how long could we operate?” If the answer is unclear, start by documenting a simple incident response and recovery plan.

Q: What kinds of weaknesses do you see most often when you assess SMB environments?

Josh: It is rarely a single catastrophic failure. More often, it is a series of small gaps. Unpatched software, outdated equipment, overly broad access permissions, and cloud services configured without proper security controls are common issues.

Many companies rely on capable IT professionals who handle multiple responsibilities. Security requires consistent focus and governance. Without regular review, vulnerabilities accumulate over time.

Start by conducting a review of administrative access across your systems. Remove unnecessary privileges and deactivate accounts that no longer need elevated access.

Q: When you talk about an information security program, what does that look like for a smaller company?

Josh: An information security program is simply a structured way to manage cyber risk. It includes documented policies, defined responsibilities, regular risk assessments, and executive oversight. Too often, companies purchase security tools without integrating them into a broader strategy.

Security is not just about technology. It is about accountability, visibility, and alignment with business objectives.

I often suggest to company leaders that they add cybersecurity as a standing item on leadership meeting agendas. Even a short quarterly discussion reinforces accountability and visibility.

Q: Some leaders struggle to view cybersecurity as a business risk. How do you reframe that conversation?

Josh: I encourage leaders to think in terms of operational and financial impact. What would one week of downtime cost? What happens if client data is exposed? How would a regulatory investigation affect revenue and reputation?

When cybersecurity is translated into business impact, the conversation becomes clearer and more actionable.

By working with your finance team, you can come up with an estimate of the financial impact of one day of downtime. That number helps anchor strategic discussions. 

Q: With so many regulations and frameworks emerging, how should SMBs approach compliance?

Josh: Compliance can feel overwhelming, but it should not be viewed as a checklist exercise. When approached correctly, compliance frameworks strengthen overall security maturity.

The most common mistake is waiting until an audit is imminent. Preparing early, identifying gaps, and building a remediation road map make the process far more manageable.

Start by identifying which frameworks may apply to your organization over the next few years and conduct a basic gap assessment before you are required to certify compliance.

Q: Business owners themselves can be high-value targets. How should they think about protecting their personal digital lives?

Josh: This is an area that does not get enough attention. Owners and executives are often targeted personally because of their wealth, visibility, and access. Attackers may attempt account takeovers, SIM swapping, identity theft, or even use personal accounts to pivot into business systems.

Threat actors conduct open-source intelligence research on executives and their families. Social media posts, public records, and data broker sites can reveal more information than most people realize.

Protecting your company starts with protecting yourself. That means securing personal email accounts, financial accounts, mobile devices, home networks, and even your family’s online presence.

A great first step is to enable multi-factor authentication on all personal email and financial accounts across your household. Then search your name on major data broker sites and request removal where possible. Reducing your digital footprint lowers your personal risk significantly.

Q: You emphasize assessments and testing. Why are those so critical?

Josh: Because assumptions create risk. Many organizations believe their controls are effective because they have invested in technology. However, until systems are tested, there is no confirmation that those controls will withstand real-world attacks.

Vulnerability assessments, penetration testing, cloud configuration reviews, and security architecture assessments all provide objective insight into weaknesses that might otherwise go unnoticed.

Ask when your last independent security assessment was performed. If it has been more than a year, consider scheduling at least a vulnerability assessment to identify current exposure.

Q: Social engineering and phishing continue to drive breaches. How should leaders respond?

Josh: Attackers increasingly focus on people because technical defenses are improving. Spear phishing emails and impersonation attempts are now highly personalized, often built using publicly available information.

Security awareness is not about assigning blame. It is about building resilience through education and testing. Something as simple as conducting a phishing simulation and sharing the results constructively with your team can make an impact. Regular testing combined with training significantly reduces risk.

Q: If you had to give SMB leaders three priorities for the next year, what would they be?

Josh: Cybersecurity maturity does not happen by accident. It requires intentional strategy, ongoing oversight, and regular validation. I would suggest starting with these three areas:

  1. Understand your risk profile. Identify the systems and data that matter most to your organization.
  2. Build governance and accountability at the leadership level. Cybersecurity should have clear executive ownership.
  3. Validate your defenses. Use assessments and testing to ensure your controls are functioning as intended.

We also encourage you to review 5 Cybersecurity Steps Every Business Owner Should Take Today

Meet the Author
President, Aldrich Solutions LLC | COO, Aldrich

Josh Axelrod, CISSP-ISSAP, CISA, CISM, CGEIT, CRISC, CDPSE, CMMC-RP

Aldrich Solutions LLC | Aldrich Services LLP

Josh Axelrod joined Aldrich in 2023 as the Chief Operating Officer and in 2025 he was also named president of Aldrich Solutions, which provides consulting services to private companies and their owners. As President of Aldrich Solutions, Josh leads teams delivering business strategy, technology solution design and implementation, technical selection, information security, and cybersecurity assessment…

Josh's Specialization
  • Business and technology consulting
  • Risk management for operations
  • Leading high-performing teams
  • Value creation and implementation
  • Innovation for sustainable growth
  • Strategic AI adoption