In mid-2024, a member of the hacking group UNC5537 typed a stolen username and password into a Snowflake login page. No second prompt appeared. That missing step was not a technology failure. It was a management decision, and it opened the databases of 165 companies, including AT&T and Ticketmaster.
Snowflake is a cloud data platform. Thousands of businesses store customer records on it. The attackers did not break through a wall. They walked through a door that had no second lock. The credentials came from malware that had already stolen them months before. The one control that would have stopped it, multi-factor authentication, costs nothing to turn on. AT&T paid $370,000 in ransom trying to get the stolen data back.
The breach was not sophisticated. It was a login.
Most operators who run businesses under 50 people have heard the same line for years: cybersecurity is an IT problem. Hand it to the tech person. Let the vendor sort it out. The research on this is worth reading, because it shows the opposite.
The Gap the Platitude Hides
The Verizon 2025 Data Breach Investigations Report studied over 22,000 security incidents, including 12,195 confirmed breaches. One finding stands out for small businesses: they faced roughly four times more confirmed breaches than large ones. This is not a big-company problem that sometimes drifts down. It hits smaller shops harder and more often.
Yet 47% of businesses with fewer than 50 employees have zero cybersecurity budget. Not a small budget. Zero. At the same time, 40% of those same businesses say a single incident costing $100,000 or less would end them.
Read those two numbers side by side. Nearly half spend nothing to prevent the thing that nearly half say would shut them down. The research is clear on this. The platitude does not fail people. It fails the system they are trying to run.
The Real Flaw
The gap between those numbers is not a tech problem. The problem is that owners file cybersecurity under IT overhead instead of cash-flow insurance. Most people treat this as a knowledge gap. It is a sorting error. That single wrong column shapes every budget choice that follows.
What Belongs Next to Payroll
Treat cybersecurity the way you treat rent: as a fixed cost that keeps the doors open. Once that is clear, three moves follow from it.
Move 1: Reclassify the Expense
A standard prevention stack for a 25 to 50 person business runs $12,000 to $30,000 per year. That covers monitoring, training, and backups. Downtime from a cyber incident costs $53,000 per hour, based on 2025 research from VikingCloud, a payments security firm that tracks breach costs across industries. Do the division: a full year of protection costs what 14 minutes of breach downtime costs.
That means the line item you have been putting off is cheaper than the first quarter-hour of the problem it prevents.
Move 2: Install the Minimum Stack
Start with multi-factor authentication on every account. This is the control that was missing in the Snowflake breach. It cuts credential attacks by 90% and costs close to nothing to turn on.
Add endpoint protection, software that watches each device on your network for threats. Pair it with automated backups. A bare-bones version of this layer runs $3,000 to $5,000 per year.
Backups deserve their own line. The 3-2-1 rule: three copies of your data, two storage types, one copy kept off-site. That setup costs under $500 a year and removes the power behind most ransom demands.
In the Verizon report, 19% of attacked small businesses faced bankruptcy. The ones with working backups had options. The ones without did not.
Move 3: Train the Humans
Employees who go through regular phishing simulations are seven times less likely to fall for the real thing, based on findings from Cofense, a phishing defense firm whose 2023 data is still widely cited across the security field. The cost runs $5 to $15 per employee per month. Only 9% of small businesses train their people on a quarterly cycle. That gap is where most breaches start. Small businesses receive a targeted malicious email at a rate of one in every 323 messages, the highest rate of any business size.
The training is not a lecture. It is a drill. And like every drill, it only works if it runs on a schedule.
What the System Shows You
Running this for one quarter does something the old approach never did:
You see which employees click on test phishing emails and how often. You see which accounts had no second factor turned on, and how long they sat that way. You find where the real gaps were hiding, not where you assumed they were. You learn whether your backups actually restore when you test them, or whether they just look like backups.
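Each of those measurements can be produced by a script rather than by guesswork. The following is an added example, not code from the article: it takes a constructed account export and flags every account without a second factor along with how many days the gap has been open, checks a set of backup copies against the 3-2-1 rule from Move 2, and verifies a backup the only way that counts, by restoring it into a scratch directory and comparing a SHA-256 digest of every file with the live copy. All account names, dates, paths and file contents are constructed sample data, and the `mfa_last_changed` field stands in for whatever column your identity provider's export uses to record when the MFA setting last changed.

```python
"""Quarterly control check for a small-business minimum stack (added example)."""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from datetime import date
from pathlib import Path


@dataclass
class Account:
    name: str
    mfa_enabled: bool
    mfa_last_changed: date  # hypothetical export column: last change to the MFA setting


@dataclass
class BackupCopy:
    label: str
    storage_type: str  # e.g. "local-disk", "nas", "cloud"
    offsite: bool


# Constructed sample data: the report is run as of this date.
TODAY = date(2025, 3, 31)
ACCOUNTS = [
    Account("owner@example.com", True, date(2024, 12, 1)),
    Account("bookkeeper@example.com", False, date(2024, 11, 1)),  # never turned on
    Account("svc-crm@example.com", False, date(2025, 3, 1)),      # turned off recently
]
GOOD_COPIES = [
    BackupCopy("workstation", "local-disk", offsite=False),
    BackupCopy("office NAS", "nas", offsite=False),
    BackupCopy("cloud bucket", "cloud", offsite=True),
]
WEAK_COPIES = [  # two copies on the same kind of disk, both in the office
    BackupCopy("workstation", "local-disk", offsite=False),
    BackupCopy("spare drive", "local-disk", offsite=False),
]


def mfa_gaps(accounts, today):
    """Accounts without MFA, paired with days exposed, longest gap first."""
    gaps = [(a.name, (today - a.mfa_last_changed).days)
            for a in accounts if not a.mfa_enabled]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


def check_321(copies):
    """3-2-1 rule: at least 3 copies, 2 storage types, 1 off-site.
    Each condition is reported separately so the failing one is visible."""
    return {
        "three_copies": len(copies) >= 3,
        "two_storage_types": len({c.storage_type for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_base):
    """Pack source_dir into a .tar.gz; returns the archive path."""
    return shutil.make_archive(str(archive_base), "gztar", root_dir=str(source_dir))


def restore_test(source_dir, archive_path):
    """Unpack the archive into a scratch directory and compare every live file
    with its restored copy by digest. Only a byte-for-byte restore passes."""
    source_dir = Path(source_dir)
    with tempfile.TemporaryDirectory() as scratch:
        shutil.unpack_archive(archive_path, scratch)
        for live in source_dir.rglob("*"):
            if not live.is_file():
                continue
            restored = Path(scratch) / live.relative_to(source_dir)
            if not restored.is_file() or sha256_of(restored) != sha256_of(live):
                return False
        return True


def restore_demo():
    """Back up a constructed file tree and verify it, then verify an empty
    archive against the same tree. Returns (real_backup_ok, empty_backup_ok)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "customer-records"
        (src / "2025").mkdir(parents=True)
        (src / "2025" / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (src / "contacts.txt").write_text("constructed sample data\n")
        good = make_backup(src, work / "nightly")
        empty_dir = work / "nothing"
        empty_dir.mkdir()
        empty = make_backup(empty_dir, work / "empty")  # looks like a backup, holds nothing
        return restore_test(src, good), restore_test(src, empty)


if __name__ == "__main__":
    for name, days in mfa_gaps(ACCOUNTS, TODAY):
        print(f"NO MFA: {name} ({days} days exposed)")
    print("3-2-1 (good set):", check_321(GOOD_COPIES))
    print("3-2-1 (weak set):", check_321(WEAK_COPIES))
    print("restore test (real, empty):", restore_demo())
```

Run it once a quarter with the current export in place of the sample list; the three numbers it prints (days without a second factor, which of the three backup conditions fails, and whether a restore actually reproduces the live files) are the answers to the questions that follow.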
A line item buried in the IT column never shows you any of that.
The Three Questions
At the end of the first quarter, ask three things:
→ Which of the three layers, authentication, endpoint, or training, caught a real threat?
→ What looked like enough protection but left a gap once you measured it?
→ What friction showed up more than once, and is it a people problem or a setup problem?
That is the difference between advice that sounds right and a system that proves itself.
Where You Stand
The Snowflake login page did not ask for a second form of proof. That missing prompt cost 165 companies their data and one of them $370,000 in ransom.
Your own login pages either ask for that proof or they do not. The answer tells you which column that expense belongs in.
