Salvatore Verini Jr. ran National Public Data, a small background-check company in Coral Springs, Florida. In early 2024, attackers pulled 2.9 billion records from his servers. Nine months later the company was bankrupt, not because of the size of the breach, but because no one had built the defense that could have slowed it down.
"We'll handle cybersecurity when we get bigger." If you run a small operation, you have heard this line. You may have said it. It sounds like a plan. It is not a plan. It is a structural flaw, and the research shows it costs 50 to 60 times more to survive a breach than to prevent one.
The Gap with a Name
CrowdStrike's 2025 State of SMB Cybersecurity Report puts a label on the problem: the awareness-readiness gap. Ninety-three percent of small business owners say they know the risk. Only 36% are investing in tools to deal with it.
The gap is not about ignorance. It is about where operators file the expense. Sixty-six percent cite cost as the top reason they defer. In VikingCloud's 2026 survey, 42% said they chose to spend on hiring or raises instead of cyber defense. They filed security under "growth." It belongs under "operations." Growth expenses can wait. Operating costs cannot.
National Public Data is what happens when that filing error comes due. Breach, lawsuits, Chapter 11 by October, website dark by December. Verini's company, operating as Jerico Pictures, had a handful of employees. It did not survive long enough to get bigger.
Who Gets Hunted
The asymmetry here is worth sitting with. Verizon's 2025 Data Breach Investigations Report found that 88% of breaches at small and mid-size companies involve ransomware. At large firms, the number is 39%.
Attackers do not target the most valuable company. They target the least defended. A shop with no patch cycle, no training, and no backup plan is an open door. Forty-seven percent of businesses with fewer than 50 employees have zero cybersecurity budget. Not a small budget. Zero.
The Real Invoice
Sophos's 2025 research puts the average recovery cost for companies with 100 to 250 employees at $638,536. That does not include the ransom. VikingCloud found that for 40% of small businesses, a hit of just $100,000 could shut them down for good.
Set those figures against the cost of prevention: $5,000 to $15,000 per year. That is a ratio of 50 to 60 to 1. Prevention is fifty to sixty times cheaper than survival. Most people treat this as a technology problem. It is a measurement problem.
Three Moves, Each Priced
Once the ratio is clear, three moves follow. Each one maps to one of the three most common entry points Sophos found in its 2025 data.
Patch the Software
Thirty-two percent of ransomware attacks start with a known flaw the company had not fixed. Managed patching runs $8 to $15 per device per month. For a 20-person shop with 30 devices, that is $240 to $450 a month.
This is the move that asks you to look at the tools you already own and admit they are not current. Most are not.
Lock the Credentials
Twenty-three percent of attacks start with stolen or reused passwords. A password manager and multi-factor login cost less than $5 per user per month. Add a training platform with simulated phishing tests at $3 to $8 per user, and 20 users run $160 to $260 a month.
The weak point is not the software. It is the habits of the people using it. Training shifts the habits. The tools enforce the shift.
Test the Backups
Backups that have never been tested are not backups. They are hopes. Tested backup services run $10 to $50 per device per month. A quarterly restore test is what turns storage into a real recovery system. Ransomware loses its grip when you can rebuild from a clean copy in hours, not weeks.
What the System Shows You
Running these three moves for 90 days does something the old approach never did. You see which devices miss every patch cycle. You learn which team members click the fake phishing links. You find out if your backups restore or just sit there burning money. And you get a real number for what defense costs per month, not a guess you push to next quarter.
At the end of 90 days, ask three things:
→ Which of the three moves closed the most gaps?
→ Did any tool you bought sit unused because no one was trained on it?
→ Which friction point showed up more than once?
That is the difference between advice that sounds right and a system that proves itself.
Where You Stand
National Public Data's website is still dark. A closure notice is the only thing left of a company that held billions of records. The defense that could have kept it running would have cost less than one bad quarter.
Verini never built it. The invoice came anyway.
