Most advice on this still ends with "it is possible, but you probably will not be a target." That was
true for a long time. It stopped being true recently, and the reason is worth about five minutes.
What changed: you do not get targeted anymore, you get swept up
For decades a restaurant your size was safe mostly because a skilled attacker's time was worth more than
anything they could get from you. Attacks had to be chosen, and you were not worth choosing. AI removed the
choosing. The work of finding a way in, writing the convincing email, and breaking in can now be automated
and run against millions of small businesses at once, at almost no cost per business. Nobody decides to come
after you. A machine runs a list, and you are on it.
This is not a someday problem. It is roughly a one-year horizon.
In 2026 Anthropic demonstrated an AI model that found tens of thousands of previously unknown security holes
across everyday software, close to three hundred in a single web browser alone. Their own reading of it: the
cost of finding a way in is collapsing toward zero, and within roughly six to eighteen months the same
capability lands in tools that ordinary criminals can run start to finish. In plain terms, the expensive,
skilled attack becomes cheap and automatic on about a one-year clock.
What is actually at stake here
This is not abstract. The things worth money in your business are exactly what these automated attacks
harvest:
- Your customers' card and personal information, which carries real cost and legal exposure the moment it leaks.
- Your own logins, the ones tied to money: bank, Toast, Google, email, payroll, and your domain.
- Your ability to operate. Ransomware on the back office or point of sale is not data theft, it is your doors closed until you pay or rebuild.
"I use reputable software" is not the shield it feels like
The largest breach of student records in the country did not happen because schools were careless. It
happened because a trusted, reputable vendor that thousands of them relied on was broken into with one
stolen password, and every school's kids were exposed through it. You are on solid platforms, and that
genuinely protects you at the infrastructure level, which is good. But the part that is yours to guard, your
accounts and your people, is where almost every small-business breach actually happens, and no vendor guards
that for you.
The good news, and the math a business owner will care about
The measures that stop the large majority of this are cheap and mostly not even technical:
- Two-step login on everything that touches money or customers: bank, Toast, Google, email, payroll, social, your domain.
- A password manager, so one leaked password does not open ten doors.
- Email authentication on your domain, so no one can send "official" emails as you.
- Backups you can actually restore, kept offline, so ransomware is an inconvenience instead of a closure.
- Ten minutes with your staff on what a fake email looks like now, because that is the way in more often than anything technical.
- A small-business cyber insurance policy.
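For the "email authentication on your domain" item above, the records involved are SPF (a DNS text record listing who may send mail as your domain), DKIM (a signature your mail provider adds) and DMARC (a DNS record telling receivers what to do when a message fails the first two). The script below is an added example, not part of the original piece: it checks SPF and DMARC records offline and flags the weak settings next to the hardened ones. The domain `example-bistro.test` and every record value in it are made up for illustration; an IT person would replace them with the real records from a DNS lookup. DKIM is not checked here because it lives under a selector name chosen by the mail provider.

```python
import re

# Constructed sample TXT records for the hypothetical domain "example-bistro.test".
# A real check would fetch these with a DNS lookup; they are embedded so this runs offline.
WEAK_RECORDS = {
    "example-bistro.test": ["v=spf1 include:_spf.google.com ~all"],   # softfail only
    "_dmarc.example-bistro.test": [],                                  # no DMARC record at all
}

HARDENED_RECORDS = {
    "example-bistro.test": ["v=spf1 include:_spf.google.com -all"],   # hard fail for unlisted senders
    "_dmarc.example-bistro.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-bistro.test; adkim=s; aspf=s"
    ],
}


def parse_spf(txt_records):
    """Return the domain's single SPF record, or None if there is none or more than one."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lowercase tag -> value, or None."""
    for r in txt_records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain, records):
    """Return human-readable findings; an empty list means both records look sound."""
    findings = []

    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: no single valid v=spf1 record; receivers cannot tell who may send as you.")
    else:
        # The trailing 'all' mechanism decides what happens to senders not listed in the record.
        match = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf)
        qualifier = match.group(1) if match else None
        if qualifier is None:
            findings.append("SPF: record does not end with an 'all' mechanism; add '-all'.")
        elif qualifier in ("", "+"):
            findings.append("SPF: '+all' permits every sender; change to '-all'.")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and enforces nothing; change to '-all'.")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; acceptable while testing, then move to '-all'.")

    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: no record; receivers have no policy for mail that fails SPF/DKIM.")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered.")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy {policy!r}; use p=quarantine or p=reject.")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you never see who is sending as you.")
        try:
            pct = int(dmarc.get("pct", "100"))   # pct defaults to 100 when absent
        except ValueError:
            pct = 0
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail.")

    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}:", assess_domain("example-bistro.test", records) or ["no findings"])
```

Running it prints two findings for the weak set (softfail SPF, missing DMARC) and none for the hardened set. The point of the hardened pair is that `-all` plus `p=reject` is what actually stops someone sending "official" mail as you; `~all` and `p=none` are monitoring settings that many providers leave in place by default.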
None of that is expensive. The reason to do it is not fear, it is the arithmetic: the cost of putting it
in place is a rounding error next to the cost of a single breach, and unlike most business risks, this
one gets cheaper for the attacker every month while the price of ignoring it goes up.
Nothing on this page is for sale. These are things any owner can put in place with a competent IT hour or a
weekend. The only real mistake left is the old assumption, that it will not reach you, because the one
thing that used to make that assumption safe just stopped being true.