When, not if...
The number of businesses throughout the nation is rather large. Many of these know they are regularly targeted. Too many of the remaining businesses are hoping that security by obscurity works. It does not. Small- and medium-sized businesses (SMBs) are actively targeted by attackers due to this lack of sufficient focus on infosec. One symptom of this is the lack of a security policy, or a policy that sits on the shelf gathering dust because it has not been reviewed for years.
This shows two issues plaguing the SMB. Attacks advance so quickly that the policy needs to be reviewed periodically and updated as needed. As part of this endeavor, regular training is needed to build and maintain an adequate level of security awareness. This does not need to cost a massive amount, but it does need to be relevant and direct.
About the author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.