Seven Cybersecurity Gaps That Leave Medford Businesses Exposed

Cyberattacks aren't a distant enterprise problem — the cost of cybercrimes against the small business community reached $2.9 billion in 2023 according to the FBI's Internet Crime Report. In Medford, where healthcare practices, tourism operators, law firms, and retail businesses form the backbone of the local economy, that exposure lands close to home. Most breaches don't start with sophisticated hacking — they start with the seven preventable gaps below.

"We're Too Small to Be a Target" — That's Not How Attacks Work

Running a lean business, it's easy to assume hackers focus on larger, more lucrative targets. Smaller companies hold less data, generate less revenue — the logic feels solid.

Automated attack tools don't sort by size. CISA warns that no business is too small to be a target, noting that in 2024 the FBI reported over $2.7 billion in losses from business email compromise alone. Scanners probe for unpatched software and weak credentials, not revenue figures. A Jackson County medical practice or a Medford professional services firm holds exactly the kind of data — patient records, financial information, client files — that commands value regardless of headcount.

The right question isn't "are we big enough to be worth targeting?" — it's "how easy are we to breach?"

Bottom line: Automated attacks filter for vulnerability, not company size — your exposure depends on your controls.

Unpatched Software and Weak Network Configurations

Unpatched software — applications or operating systems missing available security updates — is among the most common attack vectors for small businesses. Every published patch inadvertently signals where the old vulnerability existed, giving attackers a roadmap to systems that haven't been updated.

Network security belongs in the same conversation. Default router credentials, unsegmented guest Wi-Fi, and shared network access are entry points that cost nothing to close. Enable automatic updates and segment your guest network from the network your business runs on — two low-cost, high-impact fixes.

Passwords and Document Security: A Medford Example

Most businesses have a password policy. Whether employees follow it is a different matter. Imagine a Medford professional services firm with a dozen staff, each managing access to email, billing software, a client portal, and cloud storage — often with reused or shared passwords, because memorizing unique credentials for every account isn't realistic. One compromised credential cascades to every system connected to it.

A password manager solves this: it generates and stores unique, complex credentials for every account, removing the memory burden and making the policy actually workable. For sensitive documents shared externally, password-protected PDFs add a layer of access control that email attachments don't provide on their own. Adobe Acrobat is an online tool that handles PDF encryption as well as adding pages to PDFs — you can also reorder, rotate, or delete pages when a document needs revising before it goes out.

"We Have SMS Two-Factor — We're Covered"

Enabling a second authentication factor is a real improvement over passwords alone. The assumption that SMS-based two-factor means your accounts are secure is where this gets tricky.

Not all MFA protects equally: NIST cautions that SMS-based codes and one-time pins remain susceptible to phishing and recommends phishing-resistant FIDO authenticators for the most sensitive accounts. For a small business, that means hardware keys or authenticator apps for email, banking, and payroll — the accounts where a breach does the most damage. SMS-based MFA is a meaningful first step; it just isn't the finish line.

In practice: Upgrade your highest-risk accounts to a phishing-resistant authenticator first — SMS is a floor, not a ceiling.

Employee Training: What a Single Missed Click Actually Costs

Consider the scenario: a phishing email arrives mimicking a vendor your team works with regularly. It looks legitimate — same logo, similar sender address. An employee clicks a link and enters credentials. Within hours, attackers have access to your email and, through it, connected cloud accounts.

Employees and work-related communications are the leading cause of data breaches for small businesses, making them direct pathways into business systems. Regular training changes the outcome. Phishing simulations — test emails designed to mimic real attacks — help employees recognize threats before they act on them. Many cybersecurity platforms offer this feature at low or no cost, and a brief monthly reminder outperforms a one-time annual all-hands.

Backup, Mobile Devices, and Security Audits

Three gaps that reliably end up on next quarter's to-do list:

• Data backup: A backup that hasn't been tested is an assumption, not a safeguard. Run a restoration drill at least once a year to confirm recovery is actually possible when it matters.

• Mobile device security: Employees accessing business email or cloud storage on personal phones extend your threat surface beyond your office network. MDM (mobile device management) software enforces encryption and enables remote wipe if a device is lost or stolen.

• Security audits: Only 21% of small businesses run regular assessments — even as 43% reported at least one cyberattack in the past year. An annual audit with a local IT provider or SCORE advisor costs a fraction of what breach response does.

Your Cybersecurity Readiness Checklist

Before your next cyber insurance renewal, confirm each item is addressed:

• [ ] Automatic updates enabled for all operating systems and key applications

• [ ] Unique passwords for every account, stored in a password manager

• [ ] MFA enabled on email, banking, and payroll accounts — authenticator app or hardware key for the highest-risk accounts

• [ ] Phishing awareness training completed in the past 12 months

• [ ] Backup restoration tested in the past 12 months

• [ ] Guest Wi-Fi segmented from internal business network

• [ ] Mobile devices accessing business accounts secured or enrolled in MDM

• [ ] Security audit or assessment scheduled for this calendar year

Bottom line: Run this checklist before an incident forces the conversation — most items cost nothing but time.

Taking the Next Step in Medford

Cybersecurity doesn't require a full IT department — it requires consistent habits applied to the right controls. The Chamber of Medford & Jackson County connects its 1,000-plus member businesses with educational programs, professional development events, and a peer network where cybersecurity expertise is accessible. If you're not sure where to start, the Chamber's network and referral connections are a practical first call.

Frequently Asked Questions

How much should a Medford small business budget for cybersecurity?

Many foundational controls — password managers, authenticator apps, automatic updates, network segmentation — are available free or at minimal cost. Paid endpoint protection and managed security services make sense for businesses handling medical records or large volumes of customer payment data. Start with the free controls and layer in paid tools based on the sensitivity of what you hold.

The baseline is free; additional investment should match your data risk profile.

Does Oregon have data breach notification requirements?

Yes. Oregon's Consumer Information Protection Act requires businesses to notify affected individuals when personal information is compromised, generally within a reasonable timeframe. This obligation applies regardless of business size or industry. Strong cybersecurity practices are the most direct way to avoid triggering that notification obligation in the first place.

Oregon law requires breach notification — good practices reduce the chance you'll ever need to send one.

What if we've never had a formal IT conversation and don't know where to start?

SCORE volunteers offer free mentorship to small businesses, including IT and cybersecurity guidance. The Chamber of Medford & Jackson County connects members with SCORE through its educational and professional development programming. A single conversation with an experienced advisor often surfaces the most pressing gaps without the cost of a formal audit.

Start with a free SCORE consultation — a structured conversation surfaces more than you'd expect.

Does cyber insurance cover all breach-related costs?

Coverage varies significantly by policy. Most cyber insurance covers notification costs, legal fees, and some business interruption losses — but policies typically require evidence of basic security controls (MFA, backup policies) before they'll issue coverage, and claims can be disputed if documented practices weren't followed. Review your policy terms carefully and treat insurance as coverage for residual risk, not a substitute for controls.

Cyber insurance covers what's left after good practices reduce your exposure — not instead of it.
