We'll let you in on something one of our hosts likes to say: "Survey says insurance isn't that exciting — but it is exciting to me." That's the spirit behind **Cybersecurity Chats**, our short video series where Christine breaks down the parts of cybersecurity that actually matter for everyday business owners, minus the jargon. Watch the series here.
If you run a business in Northern Michigan, this is the plain-English overview of everything she covers — the risks worth knowing about, the simple habits that prevent most problems, and where insurance fits when something slips through. None of this is legal or technical advice; think of it as a friendly starting point from your neighbors at Top O' Michigan.
What is cybersecurity, really — and why your people are the biggest risk
When most owners picture a cyberattack, they imagine a hooded hacker breaking through firewalls. The reality is far more ordinary. As Christine puts it, the first cybersecurity risk most businesses still ignore is a simple one: **your employees — the human factor.** The person who clicks the attachment is almost always where trouble starts. That isn't a knock on your team. It means the most effective thing you can do is help your people recognize what a bad email or a risky link looks like. Technology helps, but a workforce that knows when to pause is your strongest defense.
Know where your data lives (and beware "shadow data")
Here's a question worth sitting with: do you actually know where your business's data lives? Christine calls out a sneaky culprit called **shadow data**. Picture this — someone downloads an Excel sheet for a project, the file has customer or financial details in it, and when the project wraps, that spreadsheet just quietly keeps living on a computer. Not password protected. Forgotten. And eventually a bad actor stumbles onto it like buried treasure.
The fix is simple and free: **data hygiene.** When was the last time you cleared out downloaded files and deleted information that's just sitting around unprotected? A regular cleanup habit closes a door most businesses don't even realize is open.
Passwords, passphrases, and the case for MFA
Nobody loves passwords. The good news is the rules are moving toward something easier to live with.
Instead of a string of garbled characters you'll never remember, the trend is toward longer **passphrases** — something like "pink elephants dancing across the meadow," with a few symbols mixed in. It's long, it's strong, and you can actually remember it. A few ground rules from the series:
- Don't reuse the same password across every account. If one vendor is breached, you don't want that key to open every other door.
- Please don't use "password" as your password.
- Turn on **multi-factor authentication (MFA)** wherever you can. MFA means even if someone gets your passphrase, they still need a second code to get in — so a stolen password alone isn't enough.
The most common breach: business email compromise
If you remember one statistic from the whole series, make it this one. Christine notes that **61% of cybersecurity incidents last year came from business email compromise and funds transfer fraud.**
Here's how it works. A scammer sends an email that looks completely legitimate — and thanks to AI, the old tip-offs (typos, clumsy grammar, odd phrasing) are mostly gone. The message leans on two pressure points: **authority** (it looks like it's from your boss or a vendor you trust) and **urgency** ("I need this wire sent right now"). Put those together, add a dollar figure, and otherwise careful people send money to criminals.
The defense costs nothing: **stop and pause.** Urgency is itself a red flag. As Christine says, in just about every case, it is not a life-or-death situation. Pick up the phone and verify before you act. Even if pausing feels awkward, it beats becoming part of that 61%.
Small businesses are targets too — and the cost is real
A lot of small business owners assume they're too small to be worth attacking. Christine pushes back hard on that, and the data backs her up: cybercriminals are deliberately targeting smaller organizations, precisely because they tend to be less protected.
The cost is not small. She points to an average cyber insurance payout in 2025 of roughly **$228,000** — and that figure is just the covered claim, not the full cost of the disruption, the cleanup, and the lost trust. For most Michigan small businesses, an unexpected expense like that is the kind of thing you plan around, not absorb. The practical takeaways: keep your computers and software up to date, put basic cybersecurity policies in writing, and know who in your business has access to what.
Have a plan before the world is on fire
When something does go wrong, the businesses that recover fastest are the ones that already had a plan. Christine describes two documents worth having:
- An **incident response plan** — your step-by-step playbook for "what do I do when the world is on fire?" Who's on the internal team, who makes the decisions, and who communicates with the public (carefully — you don't want to cause panic).
- A **business continuity and disaster recovery plan** — the broader version that weighs the risks most likely to hit your business, from data incidents to the ice storms, floods, and tornadoes Michigan has seen more of lately.
One important Michigan note: breach-reporting requirements are a **patchwork** that varies by state and industry, sometimes with a ticking clock once an incident happens. Keep key regulatory contacts handy, and review these plans once a year so the information stays fresh. (And as Christine always reminds folks: she's sharing her opinions, not legal counsel — when in doubt, talk to a qualified attorney.)
A quick word on AI and the people behind the screen
The series also tackles the fear that technology and IT careers are drying up. Christine's take: the field is very much alive, and **AI is a tool** — a powerful one, like standing on the shoulders of giants — but the person using it is still responsible for the outcome. That same lesson applies to your business: the tools keep getting better, and so do the scams, which is exactly why human judgment still matters most.
Where cyber insurance fits
You can do everything right and still have something slip through — that's the nature of risk, and it's exactly what insurance is for. Christine describes cyber insurance as the friend you want when the world goes up in flames: after a breach, a great deal of work happens behind the scenes to figure out what actually happened, and a team of people handles that investigation and response. That support is a big part of what a cyber policy provides, beyond just a check.
Whether cyber liability coverage makes sense for your business — and what it would include — depends on your operations and is always subject to underwriting. The best next step is a conversation. Our local team at Top O' Michigan can walk you through your options, no pressure, just straight answers from people right here in Northern Michigan.
Want to talk it through? Request a quote or give us a call at 800-686-8664.
National resources, locally sourced.
Frequently Asked Questions
**What is the most common cause of a small business cyber breach?**
Business email compromise and funds transfer fraud — scam emails that impersonate a trusted person and pressure someone into sending money or information. In the Cybersecurity Chats series, Christine notes these accounted for about 61% of incidents last year.
**Are small businesses really targets for cyberattacks?**
Yes. Cybercriminals increasingly target smaller organizations because they often have fewer protections in place. The average cyber insurance payout cited for 2025 was roughly $228,000, and that's only the covered claim — not the full cost of the disruption.
**What is "shadow data"?**
Shadow data is information sitting in forgotten, unprotected places — like a downloaded spreadsheet left on a computer after a project ends. It's an easy target, and regular data cleanup ("data hygiene") helps reduce the risk.
**How can I make my passwords more secure?**
Use a long passphrase you can remember, never reuse the same password across accounts, and turn on multi-factor authentication (MFA) wherever it's offered so a stolen password alone isn't enough to get in.
**Does my Michigan business need cyber insurance?**
It depends on your operations, and any coverage is subject to underwriting. The simplest way to find out is to talk with a Top O' Michigan agent about your specific situation.
*This article is a general overview for educational purposes and is not legal, technical, or insurance advice. Coverage is not bound or altered until confirmed by an authorized representative.*