Protecting Your Business from Cyberattacks


Cyberattacks are no longer rare headlines reserved for large corporations; they happen every day, and small to mid‑sized businesses are prime targets. According to data from recent studies:

  • Nearly 41% of small businesses experienced a cyber threat in the past year, while 43% of all attacks worldwide target organizations with fewer than 1,000 employees.
  • Small businesses receive 3.5 times more phishing attempts than larger enterprises, yet half lack formal cyber training.
  • Alarmingly, 1 in 5 small businesses would go out of business following a successful cyberattack, often from disruptions costing less than $50,000.

Technology safeguards like firewalls and antivirus tools remain essential, but they’re only part of the defense.

“One of the most important principles in cybersecurity is defense in depth. You can’t rely on a single solution. You need multiple layers of protection, and employees are a critical part of that strategy.”
Dustin Swallow, IT Security & Compliance Director at Central Insurance.

Building a cybersecurity culture means training your team to spot threats before they become incidents. That means knowing how to recognize phishing, verify suspicious requests, question unexpected login prompts, and recognize when a cybercriminal could use publicly available details in a scam.

Read on to learn more about the current trends in cyberattacks and to discover the best practices you can implement within your team today to protect your business from a data breach. 

Cyberattacks in 2025: What to Look Out For

Cybercriminals are no longer just looking to steal credit card numbers or personal information. According to Swallow, many modern attacks focus on ransomware and extortion—locking down your systems or threatening public exposure to pressure a response. 

“It’s no longer just about identity theft. It’s about business disruption and public perception,” he explains.

Where the fear of identity fraud once drove all cyberattack prevention, today the threat is to a business’s finances and reputation.

“Attackers today want to prove they can hack your company,” Swallow says. “And then you don’t want that bad publicity, so they use blackmail to prevent publicizing their win. It’s basically extortion.”

Today’s Most Vulnerable Target for Cyberattacks

The end goal of a cyberattack isn’t the only shift we’ve seen in cybercrime over the last few years. Where businesses’ digital systems previously were the most vulnerable part of an organization, hackers have identified a new, more fruitful entry point: employees.

“Historically, people thought attackers were trying to hack the outside of a company and go through a firewall,” Swallow explains. “Today, the number one tactic that pays off most is attackers trying to hack the employee.”

This approach might include a variety of behaviors designed to trick an employee into granting access to otherwise secure systems. 

Common Cyberattack Tactics in 2025

Here, Swallow outlines some of the most common ways cybercriminals are targeting employees today:

  • Phishing Emails: Fraudulent emails that appear to come from a trusted sender and prompt users to click malicious links or share credentials
  • Spear Phishing: Highly targeted phishing using specific personal or company details (like names, job roles, or recent activity) to seem more convincing
  • Fake Login Pages: Links to realistic-looking websites that ask users to enter business credentials (e.g., Microsoft 365 login screens); attackers then harvest this data
  • MFA Bypass Attacks: Hackers simulate legitimate login prompts to intercept one-time multi-factor authentication codes in real time
  • Social Engineering: Posing as coworkers, vendors, or executives via email, phone, or messaging platforms to trick employees into transferring funds or sharing access
  • SMS and Voice Spoofing: Attackers spoof legitimate phone numbers to send texts or make calls that appear to come from internal contacts or leadership
  • Public Data Exploitation: Using publicly available info (like LinkedIn activity or company announcements) to tailor attacks that feel timely and credible
  • Deepfakes and AI-Generated Content: Synthetic audio or video impersonations used to simulate real people—often used to validate fraudulent instructions
  • Compromised Credentials from Other Breaches: Using usernames and passwords leaked from unrelated breaches (like retail or entertainment sites) to access work accounts
  • Malicious Attachments or Links: Files that, when downloaded or opened, install malware, ransomware, or keyloggers on company devices
  • Fake IT or Vendor Requests: Impersonating tech support, third-party vendors, or software providers to prompt action (“reset your password,” “install this update,” etc.)
  • Urgency and Fear Tactics: Creating false time-sensitive situations to prompt immediate employee action without vetting the request (e.g., “Payroll failed—click here to fix”)

Current Trend: Cybercriminals Attacking by Industry

“There’s been recent trends where cybercriminal groups will do a big campaign and tackle a certain industry segment,” Swallow explains. Last month, for example, these groups were targeting insurance companies, though trends predict a possible shift in the coming months to airlines and transportation.

Cyberattackers Don’t Spare Small Businesses

Although small businesses may assume they’re too minor to be targeted, Swallow emphasizes that assumption is what might leave them vulnerable. Recent waves of organized crime have hit industries like retail and automotive dealerships.

“A lot of these attackers go after low-hanging fruit,” Swallow says. “If a business hasn’t patched its systems or lacks basic awareness training, it becomes a much easier target.”

This level of uncertainty—alongside the constant changing of tactics and targets—makes it more important than ever for businesses of all sizes to arm themselves with the training and tools they need to stay protected.

Read on to discover Swallow’s best advice for training your teams and protecting your data.

Cybersecurity Starts With Awareness

Firewalls, antivirus software, and endpoint protection are important first steps—but they’re only part of the picture. As cyber threats become more sophisticated, businesses must adopt a layered defense strategy including both technology and people.

“Cybersecurity is getting more and more important as technology evolves,” Swallow says. “Hackers aren’t just going after firewalls anymore—they’re going after people. The human element is the number one attack factor, and that’s where most bad actors get in.”

A strong cybersecurity culture empowers employees to play an active role in your company’s defenses. That means equipping them with the knowledge to recognize and report threats—before they lead to disruption.

Practical awareness training should include guidance on how to:

  • Recognize phishing emails or suspicious login pages that mimic legitimate platforms
  • Verify unusual requests—especially those involving money transfers or credential updates—through a second trusted method
  • Question texts or calls that appear to come from coworkers or executives, particularly if the tone or urgency feels off
  • Understand the risks of oversharing online, such as posting company details or personal milestones that can be used in social engineering attacks

Hackers increasingly rely on publicly available information, AI-generated content, and social tactics to craft compelling messages. Teaching your team how to spot these red flags—and feel confident hitting pause before clicking or replying—is one of the most cost-effective ways to reduce your cyber risk.

Scaling Efforts By Business Size and Scope

As Swallow sees it, the way a company addresses cybersecurity with its employees may vary depending on the business’s size and the infrastructure it has set up. For instance, larger organizations might employ an entire team of cybersecurity professionals whose job it is to monitor systems, protect against threats, and, perhaps most importantly, train employees on warning signs of an attack.

Smaller businesses, on the other hand, might not have the capacity to do their own phishing campaigns, but can instead rely on insights and advice from experts who are dedicated to protecting businesses facing these risks every day.

“While small businesses might not be able to dedicate a ton of resources to this kind of training, circulating a tip sheet or even sharing recent examples of cyberattacks and how the attacker breached the system can make a big difference in your company,” Swallow says. “Pair that with your device security efforts—like patching devices, updating Windows, installing malware protection, etc.—and you have taken the first step toward protecting your systems.”

IN SUMMARY:
Here are four steps any organization can take to increase its cybersecurity:

  1. Circulate a tip sheet with examples of common phishing tactics
  2. Host a brief, all-hands training session with core do’s and don’ts
  3. Run occasional internal tests or simulated phishing emails
  4. Keep devices and software up to date with patches and updates

Tips for Launching a Cybersecurity Team

Many companies today are investing in more elaborate cybersecurity efforts in response to the increased number and severity of attacks. If your organization falls in this category, Swallow recommends “educating yourself about what tools are out there and what other businesses in your industry are doing to raise security awareness training.” 

Next Steps: Consider leveraging third-party platforms like KnowBe4 and resources from organizations like NIST and CISA that offer scalable employee training tools.

Cyber Insurance as a Backstop

Even with strong cybersecurity awareness and technical safeguards, no system is completely immune to risk. That’s why having cyber insurance isn’t just a “nice to have”—it’s a vital piece of your risk management strategy.

Central’s Cyber Suite policy, for instance, is designed to help small and mid-sized businesses respond effectively to cyber events. Whether your organization experiences a data breach, ransomware attack, or system disruption, this coverage provides financial protection and access to professional recovery services.

Coverage may include support for:

  • Data compromise response: Assistance with breach response, including notification costs, credit monitoring, and legal review
  • Computer attack restoration: Costs to restore lost data and repair systems after malware or other attacks
  • Cyber extortion response: Negotiation assistance and potential reimbursement if your business is held for ransom
  • Network security liability: Coverage for lawsuits alleging harm to others due to a data breach or system failure
  • Electronic media liability: Defense for claims related to defamation, copyright infringement, or other risks tied to online content
  • Business income and extra expense: Reimbursement for lost income or added costs while operations are disrupted
  • Identity recovery services: Support for individuals whose personal information was compromised

Central also partners with a trusted third-party cybersecurity firm that offers resources before and after a breach—at no additional cost to policyholders. These resources include access to preventive tools, expert guidance during an incident, and recovery assistance to help your business get back on track.

“Our policyholders have access to resources at every step of the way,” Swallow explains. 

  • Before an Attack: Policyholders are given access to loss control tools that address how to protect their company before an event occurs.
  • During an Attack: Policyholders receive expert guidance and support to help navigate the immediate steps to recovering data and systems.
  • After an Attack: Policyholders receive expert advice and insight into navigating the reputational and financial fallout of the attack, including help communicating with customers, notifying authorities, and more.

Whether your business has a dedicated IT team or relies on a managed provider, a Cyber Suite policy helps ensure that expert support is within reach when it matters most.

The Central Difference

At Central, we believe strong cybersecurity is a shared responsibility. We provide resources and insights that help businesses of all sizes stay ahead of evolving threats—and we back our cyber coverage with support that goes beyond the policy.

Your business doesn’t need to face cyber risk alone.

Talk to your independent Central agent to learn how we can help you build a culture of cybersecurity—from training and awareness to coverage and recovery.

The information above is of a general nature and your policy and coverages provided may differ from the examples provided. Please read your policy in its entirety to determine your actual coverage available.
