What I’ve learned six months after creating Malcom Risk Advisors.
It was six months ago today that I filed the paperwork necessary to launch my LLC, Malcom Risk Advisors. This opportunity has given me a front-row seat to see how small and mid-sized businesses (SMBs) actually get attacked - and what really works to protect them without the luxury of the budget of an enterprise corporation.
Our mission remains simple: make cybersecurity affordable and available to all organizations and turn security from being viewed as a luxury into plumbing that ‘just works’. That’s really all that’s remained simple. Today I want to provide you with my view of the current threat landscape in plain English, lessons I’ve learned over the past six months, and what I think the next six months will bring. I’ll also provide what I now consider ‘non-negotiable’ for SMBs.
The SMB threat picture: fast, noisy, and increasingly automated
As I lead with in almost all discussions I have regarding security (and some discussions where I just want to bore people out of their minds), SMBs are straight in the crosshairs of cyber criminals. Verizon’s 2025 DBIR highlights that SMBs are targeted nearly four times more than large organizations, and that ransomware shows up in 88% of SMB breaches (vs. 39% at larger firms).
Ransomware tactics keep evolving. Sophos’ 2025 findings show a high prevalence of encryption and a stubbornly high share of victims paying at least something, even as backups improve. That gap is the human and operational side of the problem for smaller teams: if your people don’t get backups right, there is no backed-up data to restore. I know…it’s crazy.
Credential theft + Unpatched vulnerabilities = Toxic Disaster. The Verizon DBIR’s SMB snapshot ties many ransomware cases back to credentials stolen or harvested by the attacker and to unpatched edge devices/VPNs: only about 54% of perimeter (edge-device) vulnerabilities were fully remediated, and the median time to fix one was 32 days.
What this means: If you’re an SMB, attackers assume you haven’t fully adopted MFA, you’re late on patching your internet-facing tech, and that a soft spot can likely be found in a vendor connection. They’re often right.
Six lessons from the field, proven to move the needle:
MFA first, then password hygiene. Enforce MFA everywhere - email, VPNs, admin portals, and SaaS - especially anything holding customer or payment data.
Patch what faces the internet - fast. Know where every edge device is and track your firewalls, SSL VPNs, and remote-access tools. Keep your ‘Tuesdays are for Windows’ mantra for the rest of the fleet, but set a same-day SLA for actively exploited edge vulnerabilities (CISA’s Known Exploited Vulnerabilities catalog is a free, authoritative list to key that SLA off).
Backups you can actually restore. Keep immutable backup copies (offline or logically isolated, so the credentials an attacker steals from production cannot delete them) and perform quarterly test restores, timed, so you know recovery actually works within the window your business can tolerate.
Least-privileged access (and no shared accounts). Inventory your service accounts, rotate keys and secrets on a schedule, and kill every dormant privileged account.
Security awareness, but with teeth. Email security tools with modern filtering are a necessity, but short, role-based training tied to live phishing simulations is proven to build awareness among your staff.
Vendor due diligence for everyone! No matter the size of your business, if a vendor hosts or has access to your sensitive business data, at a minimum ask for a SOC 2 report or ISO 27001 certificate and evidence of rapid patching for their remote-access tools. Document which individuals at the vendor can access your data and systems.
The Next Six Months (not making the list: Cubs lose in the Wild Card round, Bears fail to make the playoffs and move to Sweden, Bulls cancel season ‘just because’, also hockey?)
Threats: Expect more vulnerability exploitation and credential abuse against SMBs, with ransomware pressure remaining high. AI-generated social engineering (convincing phishing, voice deepfakes) will keep lowering the skill barrier for baby cyber criminals to get their feet wet.
Compliance & Payments: PCI DSS 4.0.1 is now fully in effect (the future-dated requirements became mandatory on March 31, 2025). If you accept credit cards, those requirements are no longer optional - MFA, logging, change control, and anti-phishing expectations are all tighter. Just like all my suits.
Insurance. After two years of volatility, cyber insurance pricing has generally stabilized for those with well-controlled risks. Better controls = better terms. Just a friendly FYI, having cyber insurance doesn’t mean you have security.
Regulatory watch. CISA’s incident-reporting (CIRCIA) rule has been pushed to 2026. While many companies will pretend to prep the rest of this year, there are no immediate new federal reporting requirements for most SMBs.
A Simple 30-Day Get Right Plan (what we’re doing with clients. Meal plan available by demand.)
Day 1-7: turn on MFA everywhere, remove shared accounts, revoke stale/dormant accounts, enforce basic device encryption.
Day 8-14: Patch all internet-facing systems; enable auto-updates on endpoints; set up alerting when a new admin account is created or an existing account is added to an admin group.
Day 15-21: Verify backups are immutable and perform a restore test. Document your incident contacts as part of your break-glass steps.
Day 22-30: Run a phishing simulation, fix gaps, and roll out brief training. Tighten email security (SPF/DKIM/DMARC) and SaaS tenant baselines. Get your security program back on the scale and see how we did.
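The Day 22-30 step says "tighten email security (SPF/DKIM/DMARC)" without saying what tight looks like. The checker below is an added example, not tooling from the page or from Malcom Risk Advisors: it reads an SPF record and a DMARC record and reports the settings that leave a domain spoofable (a permissive `all` qualifier, too many DNS-lookup terms, `p=none`, partial `pct`, a rejecting apex with `sp=none`, no `rua` reporting address). The two record pairs are constructed, with a hypothetical `_spf.mailer.example` include; in practice you would paste in the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
"""SPF/DMARC posture check for the email-hardening step.

Added example (not the page's own tooling). Records below are constructed;
feed it the TXT records for your domain and its _dmarc subdomain.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _name(term: str) -> str:
    """Mechanism name without qualifier or argument: '-include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> dict:
    findings = []
    if not record.lower().startswith("v=spf1"):
        return {"findings": ["not an SPF record"], "all": None, "lookups": 0}
    terms = record.split()[1:]
    # The 'all' term decides what happens to senders no other mechanism matched.
    all_terms = [t for t in terms if _name(t) == "all"]
    qualifier = None
    if all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier is None:
        findings.append("no 'all' term: senders matched by nothing are treated as neutral")
    elif qualifier == "+":
        findings.append("'+all' authorizes every host on the internet to send as your domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral and gives receivers nothing to enforce")
    lookups = sum(1 for t in terms if _name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed RFC 7208's limit of 10 (permerror, SPF ignored)")
    return {"findings": findings, "all": qualifier, "lookups": lookups}


def check_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        return {"findings": ["not a DMARC record"], "tags": tags}
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy == "reject" and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains spoofable while the apex rejects")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    return {"findings": findings, "tags": tags}


def evaluate(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; 'enforcing' means receivers will actually act on failures."""
    spf, dmarc = check_spf(spf_record), check_dmarc(dmarc_record)
    enforcing = (spf["all"] in ("-", "~")
                 and dmarc["tags"].get("p") in ("quarantine", "reject")
                 and int(dmarc["tags"].get("pct", "100")) == 100)
    return {"spf": spf["findings"], "dmarc": dmarc["findings"], "enforcing": enforcing}


# Constructed records for a domain before and after the hardening step.
BEFORE = ("v=spf1 include:_spf.mailer.example +all", "v=DMARC1; p=none")
AFTER = ("v=spf1 include:_spf.mailer.example ip4:203.0.113.10 -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("before", BEFORE), ("after", AFTER)):
        result = evaluate(spf, dmarc)
        print(f"{label}: enforcing={result['enforcing']}")
        for line in result["spf"] + result["dmarc"]:
            print("  -", line)
```

The "before" pair is what a lot of SMB domains look like after a vendor told them to "just add +all to make it work": SPF that authorizes the whole internet and a DMARC policy that does nothing. DKIM is deliberately left out of the script because it is verified per selector and there is no reliable way to enumerate selectors from outside; check it from the sending platform's own configuration. Moving from p=none to p=reject should go through quarantine with the rua reports reviewed, otherwise the first thing you block is your own invoicing system.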
Need a hand getting started? That’s exactly what our vCISO offering delivers - right-sized leadership, monitoring, and training without enterprise pricing.
Final Thoughts
SMBs don’t require a 200-page cybersecurity policy manual. They require speed to execute the basics, discipline on identity and patching, and evidence that their controls actually work. That’s it. I’m not going to ask a lot from you, I promise. If you start there (and get back in the gym, bro), you’ll be able to outrun most cyber threats.
If you have any questions on the above or are interested in receiving a free cybersecurity assessment of your organization, don’t hesitate to reach out to david@malcomriskadvisors.com. Thank you to my loyal clients and partners for your trust and for the support you’ve provided me with over the last six months. For those of you who are still struggling to secure your business, send me an email. Don’t worry…your secret is safe with me.