The Criminal in the Mirror: Why Cyber Liability Isn’t Just for the Big Guys

You probably think cybersecurity lawsuits are something that only happens to the big dogs. 

You know, the MGMs of the world. The Targets. The Equifaxes. You see those names in the headlines, and you think: “Well, good thing I’m not them.” 

But here’s the catch—you’re not in the news because you’re not a big name. You’re not safe. You’re just not interesting. That’s right—small businesses don’t make great news stories. 

But they make great lawsuits. 

Let me take you down memory lane. A few years ago, I got called into a ransomware incident. A small law firm. Two employees. Two. 

They’d been hit with a fake QuickBooks update. Classic move. The employee clicks the link, thinks they’re being helpful, and oops—Backups? Gone. Workstations? Encrypted. Business? Dead in the water. 

They paid the ransom. Do you know how much it was? Exactly what they had in their checking account. Why? Because the hackers had done their homework. They had the financials. They had the client data. They even had a ransomware playbook just for attorneys. 

Now let me ask you: 

What kind of sensitive information do you think a law firm has? Do you think the attackers tried to blackmail their clients? You bet. Do you think a lawsuit was on the table? Of course. 

And here’s the twist: If you try to sweep it under the rug and it comes out that you knew…You’re not just a victim anymore. You’re a criminal. 

It goes from “breach” to willful negligence. 

And if anyone on your team knew, and didn’t say anything? That’s your liability now. 

Still think you’re too small to matter? Let me introduce you to Gunster, Yoakley & Stewart, PA. Big firm. Big breach. Settled for $8.5 million. They’re being ordered to pay up to $35,000 per individual affected. 

Do you think that settlement only happens to them? Nope. Small firms and small businesses too.  

Because when the lawsuits come—and they will—the only thing that matters is what you can prove. 

So ask yourself: 

• Did you train your team? Do you have evidence?
• Did you give them the rules? Do you have proof they understood?
• Did you implement a standards-based security program? Can you show your work?
• Did you have someone check it? Is there a record?
• Did you follow your incident response plan? Was it even documented?

If you don’t have evidence, you don’t have a defense. 

You just have a mess. But there’s good news. You don’t have to wait until the lawsuits show up to get your act together. 

Start now. Schedule a Cyber Liability Assessment. 

We’ll show you where your gaps are and exactly what you need to do about them. 

Because once the breach happens, it’s too late. And the last thing you want is to be looking at a courtroom full of angry lawyers…with nothing to defend yourself.