February 27, 2026

Cyber Insurance Requirements for Small Businesses in Grand Rapids (2026 Guide)

This article has been written by Greg Johnson


  • The short answer:

Cyber insurance carriers now require specific technical controls before approving coverage, including multi-factor authentication, endpoint detection, tested backups, and documented security policies. Without these in place, your application will likely be denied or result in significantly higher premiums.


If you own a small business in West Michigan, you've probably noticed your insurance provider asking more detailed questions than ever before: Do you use multi-factor authentication? What endpoint protection do you have? When did you last test your backups?


Cyber insurance is no longer a quick checkbox add-on. It's a formal underwriting process, and for healthcare practices, private schools, nonprofits, and service-based businesses in Grand Rapids and the surrounding area, getting it wrong has real financial consequences.


This guide covers exactly what carriers look for in 2026, why businesses commonly get denied, and how to get compliance-ready before you apply.



Why Cyber Insurance Requirements Have Changed in 2026


Cybercrime has become increasingly targeted at small and mid-sized businesses. Ransomware attacks, business email compromise (BEC), and credential theft now impact organizations with 10–50 employees just as frequently as enterprise companies.


Insurance carriers have responded by significantly tightening their underwriting standards. Today, most cyber insurance providers require all of the following before issuing a policy:


  • Multi-Factor Authentication (MFA) across all users and systems
  • Advanced email security filtering
  • Endpoint Detection & Response (EDR) software
  • Regular patch management
  • Documented backup and disaster recovery plans
  • Written access control policies
  • Security awareness training for staff


If these controls are not in place and documented, applications are denied — or premiums increase substantially.



What 'Compliance Ready' Actually Means for Small Businesses


Cyber insurance compliance is not a certification. It's proof that your systems actively reduce risk. For small businesses in Grand Rapids and West Michigan, this breaks down into five core areas.


1. Multi-Factor Authentication (MFA)


MFA must be enabled on all of the following, without exception:


  • Email accounts (Microsoft 365 or Google Workspace)
  • VPN access
  • Remote desktop connections
  • All administrator accounts


Many carriers will immediately decline coverage if MFA is not universally enforced. This is the single most common reason applications are rejected.


2. Endpoint Detection & Response (EDR)


Traditional antivirus is no longer sufficient. Most carriers now require:


  • Endpoint Detection & Response (EDR) software
  • Real-time threat monitoring
  • Automated containment capabilities


Common business environments such as Microsoft 365, Google Workspace, Windows 11 Pro, must be properly configured, not just installed. Configuration gaps are a leading reason for claim denial after a breach.


3. Secure Backup & Disaster Recovery


Carriers typically require all of the following:


  • Encrypted backups
  • Offsite or cloud-based replication
  • Regular, documented backup testing
  • Immutable storage (protection from ransomware deletion)


If you cannot prove your backups are secure and regularly tested, claims may be denied even after a qualifying breach.


4. Patch Management


Outdated systems are one of the most common reasons businesses fail underwriting. Carriers look for current patching across:


  • Operating system updates
  • Firmware updates
  • Firewall updates
  • Third-party software patches


Unpatched systems represent known, documented vulnerabilities — and underwriters treat them accordingly.


5. Email Security & Phishing Protection


Email remains the number one attack vector for small businesses. Carriers commonly ask:


  • Do you use advanced spam filtering?
  • Is phishing simulation training performed?
  • Are email attachments sandboxed before delivery?
  • Is domain spoofing protection (DMARC/DKIM/SPF) enabled?


Without layered email protection, your business will be flagged as high risk during underwriting.



Why Small Businesses Get Denied Cyber Insurance


These are the most common reasons we see applications rejected for West Michigan small businesses:


  • MFA is not enabled for all users...even one unprotected account can disqualify an application
  • Shared administrator credentials in use
  • No documented incident response plan
  • Backups that have never been tested
  • Outdated Windows versions (Windows 10 end-of-life, Windows 7)
  • No written information security policy


Many business owners assume their systems are fine because nothing has gone wrong. Underwriters assume the opposite, and they're thorough.


Important: The Risk of 'Checkbox Compliance'


Some businesses rush through applications by answering 'Yes' to requirements without verifying their actual systems. If a breach occurs and the insurer audits your environment, coverage can be reduced or denied entirely if your answers were inaccurate. Cyber insurance is a contract. Documentation matters.



Cyber Insurance Readiness Checklist for Small Businesses (2026)


Before submitting your application, confirm each of the following is in place and documented:


  • MFA enabled on all user accounts (email, VPN, remote access, admin)
  • EDR software installed and active on all endpoints
  • Backups encrypted, offsite, and tested within the last 90 days
  • Patch management automated and current
  • Firewall configured and firmware up to date
  • Administrator accounts limited and individually assigned
  • Security awareness training completed by all staff
  • Written incident response plan documented
  • Email security (spam filter, DMARC, sandboxing) active
  • Written access control and information security policy in place


If you cannot confidently check every item, remediation should happen before you apply, not after a denial.



How Managed IT Support Simplifies Cyber Insurance Approval


For small businesses with 10–30 workstations, meeting cyber insurance requirements quickly becomes complex. A managed IT provider simplifies this by:


  • Auditing your current infrastructure against carrier requirements
  • Identifying gaps before you submit an application
  • Implementing required technical controls
  • Documenting your security posture for underwriters
  • Coordinating with your insurance broker on technical questions


At IT Systems, LLC in Grand Rapids, we work with healthcare practices, private schools, nonprofits, and service-based businesses across West Michigan to prepare systems before they submit cyber insurance applications. The goal isn't just approval — it's genuine risk reduction.



Cyber Insurance for Healthcare, Schools & Nonprofits in West Michigan


Certain industries face additional scrutiny during cyber insurance underwriting.


Healthcare Practices


Healthcare organizations must align with HIPAA security safeguards, require encrypted devices and strict access controls, and demonstrate that patient data is protected at every level. Insurers treat HIPAA-regulated environments as higher risk if controls are insufficient.


Private Schools


Schools handle sensitive student and family data, must protect staff credentials, and often manage a mix of devices including Chromebooks that require proper endpoint management policies.


Nonprofits


Nonprofits often operate with limited IT budgets, frequently lack documented security policies, and are increasingly targeted by ransomware specifically because attackers expect weaker defenses. Compliance readiness protects both insurability and organizational reputation.



The Cost of Waiting


Without cyber insurance coverage in place, a single incident can result in:


  • Ransom payments exceeding $100,000
  • Operational downtime lasting days or weeks
  • Legal costs and breach notification requirements that escalate quickly
  • Long-term damage to client trust and vendor relationships


Cyber insurance doesn't prevent attacks but it significantly reduces the financial impact when one occurs. For many small businesses in West Michigan, a single uninsured breach can threaten long-term viability.



Frequently Asked Questions About Cyber Insurance


Q: What happens if I fail a cyber insurance audit after a breach?


A: If an insurer audits your environment after a claim and discovers that your answers on the application were inaccurate, for example, you said MFA was enabled but it wasn't, the carrier can reduce or fully deny your coverage. Cyber insurance is a legal contract, and misrepresentation, even unintentional, has consequences.


Q: Does my small business in Grand Rapids actually need cyber insurance?


A: Yes. Small and mid-sized businesses are now targeted more frequently than large enterprises because attackers know smaller organizations often have weaker defenses. If you handle client data, process payments, or rely on computers to operate, cyber insurance is no longer optional, it's a financial safety net.


Q: How long does it take to become cyber insurance compliant?


A: It depends on where your systems stand today. For businesses with some controls already in place, a managed IT provider can typically close gaps within 30–60 days. Businesses starting from scratch may need 60–90 days to fully implement and document all required controls.


Q: Can I get cyber insurance if I've been denied before?


A: Yes. A previous denial doesn't disqualify you permanently. Most denials are due to specific, fixable gaps. Most commonly MFA, backup verification, or missing documentation. Once those are remediated and documented, reapplication is typically successful.


Q: What's the difference between cyber insurance and general liability insurance?


A: General liability insurance does not cover cyber incidents. Cyber insurance specifically covers costs related to data breaches, ransomware attacks, business interruption from a cyber event, and related legal and notification expenses. They are separate coverages and both are typically recommended for businesses that handle digital data.


Q: How does a managed IT provider help with cyber insurance in West Michigan?


A: A local managed IT provider like IT Systems LLC performs a gap assessment against carrier requirements, implements missing controls, creates the documentation underwriters need to see, and can answer technical questions from your insurance broker. This dramatically simplifies the application process and improves your chances of approval at a competitive premium.



Need Help Preparing for Cyber Insurance Approval in Grand Rapids?


If your organization is preparing to apply for cyber insurance, or has recently been denied, IT Systems LLC can perform a structured cybersecurity review and compliance readiness assessment.


We work with small businesses across Grand Rapids, Holland, Muskegon, and West Michigan to:


  • Close security gaps identified by underwriters
  • Implement required controls including MFA, EDR, and secure backup
  • Document your compliance posture for insurance applications
  • Prepare you for underwriting so approval isn't a guessing game


By Greg Johnson July 15, 2026
Article Summary: Most ransomware operations target small businesses at volume, running through dozens of prospects per month. A 22-person company can be researched in 40 minutes using public records, attacked using session-token theft after a single phishing click, and ransomed within a week. What follows is a step-by-step walkthrough of how that attack unfolds, written from the attacker's perspective, plus the five specific controls that would have stopped it. Each control is included in security tools small businesses already pay for. Small businesses are the most common ransomware target by volume of incidents, even though many small business owners assume hackers focus on larger organizations. A 22-person company has enough revenue to be worth attacking, no dedicated security team to defend it, and a publicly traceable footprint that takes about an hour to research. What follows is a step-by-step walkthrough of how a small business gets attacked, written from the attacker's side. The company in this account is composite, but the methods are accurate to current threat intelligence reporting. After the walkthrough, you'll see five specific points where the attack would have been stopped by controls that come bundled with security tools most small businesses already pay for. Monday: You Become the Target I work regular hours and run a small volume operation. My spreadsheet has about 40 prospects per month, and I prefer businesses between 10 and 50 staff. The reason for that range is economics. Large enterprises have security teams, incident response contracts, and lawyers who make recovery expensive on my end. At the other end of the scale, sole traders rarely have enough at stake to bother with. A 22-person commercial services company sits in the right zone: payroll, customer database, project files, supplier relationships, and an owner who will pay to get the lot back. The return per hour is better at this size than at either extreme. I did not find you through a breach or a tip. I found you on a public business records portal. State business registries, federal contract awards, and county-level licensing databases publish enough detail for me to identify your company, look up your name, estimate your revenue, and pick the most useful person inside the business. One search told me your company name, your registered agent, the contract value of a recent municipal job, and the named contact on the submission. The fact that nothing has gone wrong at your company yet is the strongest signal I get. It tells me your credentials are probably still valid, your staff has not been trained to spot anything, and nobody has had a reason to change a password. A clean record is the first indicator I look for. Tuesday: I Learn Your Org Chart I spend about 40 minutes researching your company today using only a browser. LinkedIn gives me eight of your current employees with their job titles listed. Your office manager has been there for six years and lists “accounts payable, payroll, and supplier invoicing” in her profile summary. Your second admin joined 14 months ago. You list yourself as director, with a sparse profile and a low connection count, which tells me you are unlikely to notice when someone unusual starts engaging with your profile or your company's social media. Public business filings confirm your registered business name and your full legal name. A “meet the team” post from two years ago on your Facebook page lists first names and photos, including someone described as helping out in the office a couple of days a week. One of the commenters shares your surname. I now know who handles your money, what their name is, how long they have been there, what software they probably use (I will check your job ads on Indeed for the phrase “experience with QuickBooks or Sage”), and who in your business has the authority to approve a payment without a second signature. That last person is my primary target. You are harder to reach and probably more cautious. Your office manager has system access, handles supplier payments, and is busy enough that one more email in her inbox does not get scrutinized the way it might if she had nothing else to do. I have not spent a dollar yet. Wednesday: I Buy Your Credentials for $14 Stealer logs are credential packages harvested by infostealer malware that infected someone's personal device, often months or years earlier. The malware records every username and password typed into the machine, then bundles the data for sale. Marketplaces on Telegram channels and forums let buyers search these logs by company email domain. I search for your company's email domain. Two results come back. One is your office manager's work email, with a password that looks like it was saved in her browser. The other is a personal Gmail address that appears to belong to a family member of yours, probably from a device that shared a home network. I pay $14 for the package. It takes four minutes. Your office manager's password follows a common pattern: a pet or child's name combined with a year and an exclamation mark. I check it against HaveIBeenPwned, which is the same free database security professionals use, and find that it appeared in a credential dump from a retail loyalty program breach three years earlier. The password has not been changed since. Your family member's credentials are more interesting than they look at first. The same password, with minor variations, shows up across a streaming service, a gaming account, and your company's Microsoft 365 login. The password works. The only thing standing between me and the inbox is the second factor. Total spend so far: $14. Thursday: I Get Past Your MFA Multi-factor authentication stops a lot of attacks, but the implementation matters more than the checkbox. Simple push-notification fatigue does not work against your office manager's account. Microsoft enabled number matching by default for all Microsoft Authenticator push notifications in May 2023, which means she would have to type a code from her login screen rather than just tap approve. Push bombing fails against that configuration. What still works is adversary-in-the-middle (AiTM) phishing. I send your office manager an email designed to look like a routine Microsoft 365 password reset notification, citing the breach that her password appeared in (the same breach I found her credentials in earlier in the week). The link in the email takes her to a page that mirrors the real Microsoft sign-in screen. That page is a proxy I control. When she enters her password and approves her MFA prompt, my proxy forwards both to the real Microsoft login server. Microsoft validates the credentials, completes the MFA challenge, and issues a session token back to my proxy. I capture the token. She sees a normal login experience on what she thinks is the real Microsoft site, then a “password updated successfully” message. I am now signed in as her. The MFA prompt succeeded, and the session token sits in my browser instead of hers. Microsoft sees a valid authenticated session and treats my activity as legitimate. I had a backup plan in case the email did not get clicked. Earlier in the day, I called your office posing as your IT support company, using a name I found in a Google review you had left 18 months earlier. I told your receptionist that we were seeing unusual login activity on the office manager's account and that I would need her to approve a verification push in the next few minutes. She said the office manager was not at her desk. I said no problem, I would try again later. The call cost me nothing. By Thursday night, I am inside your office manager's Microsoft 365 account. I set up an inbox forwarding rule so her emails copy to an address I control without notifying her, then I wait. Friday 2:47pm: Time to Encrypt I spend 36 hours reading email before I encrypt anything. That dwell time is how I size the ransom correctly. In those 36 hours, I find your cyber insurance policy attached to an email from your broker, with a cyber liability sub-limit of $250,000. A bank reconciliation your office manager sent you two weeks ago shows your business account at around $180,000 at month end. Your customer list sits in a quote template she emailed to herself, and a message thread with a municipal project manager mentions a job starting in three weeks with a hard deadline you cannot afford to miss. I set my ransom at $65,000 in cryptocurrency. That figure is low enough that you will pay rather than fight it, high enough that it is worth my time, and well within what I know you can access. Ransoms set above 10 percent of visible liquid assets tend to get contested. The figure I picked sits below that line. I deploy the encryption payload at 2:47pm on Friday. The timing is deliberate. Your bookkeeper finishes at 3pm on Fridays, which I know from an out-of-office reply I saw in the forwarded emails. You are on a job site, with your calendar synced to the shared inbox. The person most likely to notice something wrong and call for help is already gone, and the person with the authority to make decisions is unreachable. By the time anyone understands what has happened, it is a Friday evening, every file on your shared drive is encrypted, and a ransom note sits on every screen in your office. Total cost to me: $14 for credentials and about six hours of work spread across the week. Five Places This Attack Would Have Died The attack on your business worked because five ordinary things were not in place. None of them were expensive. Most were already bundled into security tools you already pay for. 1. The credential purchase on Wednesday. HaveIBeenPwned is free. Microsoft Entra password protection can detect and block reused or commonly-compromised passwords across your accounts. Enforcing unique passwords per account, through a password manager and through Entra's policies, makes a stolen credential purchase useless for me. 2. The MFA bypass on Thursday night. Microsoft already blocks the simpler push-bombing attack, because number matching has been enabled by default for all Microsoft Authenticator push notifications since May 2023. The current dominant credential-based bypass is adversary-in-the-middle phishing. Defenses include phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business), Conditional Access policies that require a compliant or hybrid-joined device, and anti-phishing protection in Microsoft Defender for Office 365. Any one of these would have either prevented the session token capture or made the captured token unusable from my IP address. 3. The inbox forwarding rule. Microsoft 365 allows admins to block external email forwarding rules at the tenant level. With that block in place, the inbox forwarding rule I used to read 36 hours of email would not have worked. I might have encrypted anyway, but I would have been guessing on the ransom size. 4. The 36-hour dwell time. Microsoft Defender for Business, included in Microsoft 365 Business Premium, generates an alert when a new inbox forwarding rule is created. If anyone had been watching those alerts, or if the alerts had been routed somewhere visible, it would have been detected on Thursday night. The most impactful change for a business your size is rarely a new product purchase. The improvement comes from someone reviewing the security alerts that the tools you already pay for are already generating. 5. The public business records. You cannot unpublish a state contracting registry or a federal contract award. That data will stay public. What you can control is what your team chooses to post about their specific responsibilities. Your office manager's LinkedIn profile listed her financial responsibilities in enough detail to make her the obvious target. That detail is worth a conversation with your team, framed as practical security awareness rather than a rule about what people can post. Three Questions to Send Your IT Provider These three questions cover most of where the example attack failed. Each one corresponds to a control that comes bundled with security tools you most likely already pay for. Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins? Is external email forwarding blocked at the tenant level? Are our security alerts going somewhere, and is someone reviewing them? Article FAQs Do hackers target small businesses? Yes. Most ransomware operations target small and mid-sized businesses because the ratio of payout potential to defensive resources is higher than at either extreme of company size. The volume sweet spot is roughly 10 to 50 staff, where there are assets worth encrypting but no dedicated security team to defend them. What is adversary-in-the-middle (AiTM) phishing? AiTM phishing is a technique where the attacker hosts a proxy page that mirrors a real login screen, such as Microsoft 365 or Google Workspace. When the user enters credentials and approves the MFA prompt, the proxy captures the resulting session token. The legitimate service treats the login as successful, but the session token ends up in the attacker's browser. AiTM has become the dominant credential-based attack vector against Microsoft 365 tenants after the default rollout of number matching ended simpler push-bombing attacks. What is a stealer log? A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The logs include browser-saved passwords, session cookies, and stored authentication tokens, and they are sold on underground markets for $10 to $20 per package. The malware that creates them typically infects personal computers through pirated software or malicious browser extensions. How much does it cost an attacker to compromise a small business? In the example walkthrough above, the total spend was $14 for stolen credentials and about six hours of work. Costs vary, but the threshold to attempt the kind of attack described in this post sits well below $100. Are there free tools that would have stopped this attack? Several of the controls referenced in the walkthrough come bundled with Microsoft 365 Business Premium licenses that businesses in this size range typically already hold. External forwarding restrictions and Defender for Business alerts are configuration changes rather than new purchases. HaveIBeenPwned is a free check available to anyone. Phishing-resistant MFA hardware keys are a small per-user cost compared with the cost of a successful ransomware incident. Article used with permission from The Technology Press .
By Greg Johnson July 7, 2026
Article Summary: Immutable backups are backup copies that nobody can change or delete during a fixed retention period, including administrators and attackers using stolen credentials. Cyber insurance carriers ask about them on renewal applications because ransomware operators routinely destroy backups before encrypting production systems. A backup sitting on your network under regular admin credentials does not qualify. Cyber insurance applications include a question that catches a lot of small business owners off guard: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?” Carriers added that question to renewal forms because ransomware operators worked out that the fastest way to force a payout is to wipe the backups first and encrypt everything else after. CISA, the FBI, and the Internet Crime Complaint Center have all documented this pattern as one of the most common moves in current ransomware playbooks. A business whose backup copies can be deleted using the same admin credentials an attacker just stole has no recovery path other than paying the ransom. This post covers what immutable backup means, three common backup setups that do not qualify, the questions to send your IT provider before you sign the form, and what to do if your honest answer is no. Immutable backup, defined An immutable backup is one that cannot be modified or deleted for a fixed period of time, including by you, by your IT provider, and by anyone using stolen admin credentials. The stolen credentials piece is what carriers care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer, and no credentials, however privileged, can override it during the retention window. Some platforms call this object lock, write-once-read-many, or WORM storage. The terminology varies between vendors, but the underlying control is the sam. Three common backup setups that do not qualify Three setups come up regularly that don't satisfy the immutability question, even though business owners often assume they do. A NAS or external drive in your office A network-attached storage device sitting in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe what's on it. An external drive that someone plugs in once a week and leaves connected has the same exposure. These devices have a role in a broader backup strategy. On their own, they do not satisfy the immutability question. Microsoft 365 retention treated as a backup Microsoft 365 includes data retention features, and some businesses use them as their backup solution. They are not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds. Under Microsoft's shared responsibility model , customers retain responsibility for backup and protection of their own data, separate from what Microsoft provides at the platform level. If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no. A cloud backup with immutability switched off This is the most common gap. Many reputable backup platforms include immutability as a feature, but the setting is not always enabled by default. The capability exists, and someone needs to turn it on. Your business may be paying for a backup solution that looks credible on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking. Three questions to send your IT provider before you sign the form Copy these into an email and send them before you check the box. Question one: “Are our backups immutable, and if so, how long is the immutability window?” Carrier guidance has tightened in the past two years. Most insurers want a window of at least 14 days as a floor, with 30 days increasingly cited as the preferred minimum. Attackers sometimes sit in a network for weeks before triggering ransomware, which means a backup from yesterday may already be compromised. The window needs to be long enough to give you clean restore points from before the attacker arrived. Question two: “If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?” The correct answer is no. If the answer is yes, or if your provider is not sure, your backups are not immutable in the way the form means. Question three: “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?” A provider who can send something concrete has done the work. If they come back with verbal reassurance and nothing to show, treat that as a no until they can demonstrate otherwise. What a qualifying setup looks like For your backup to honestly satisfy the question on the form, a few things need to be true at the same time. The backup platform needs immutability turned on, not only available as a feature. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice does not, by itself, answer the question. The setting has to be turned on, scoped properly, and tied to credentials that aren't shared with the rest of your environment. The backup credentials need to sit outside your regular administrative accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment. The retention window needs to be long enough. A 24-hour backup that overwrites itself daily does not help if an attacker has been in your environment for a week. CISA's #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position. Restores also need to be tested. A backup nobody has tried to restore in the past 12 months is not something you can rely on when it matters. Most carriers now ask for the date of your last successful restore test, and they want to see one. What to do if your honest answer is no Declare what you have on the form, and use the renewal process as the reason to fix what isn't there. The first step is to ask your IT provider whether immutability can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product purchase. If the platform supports it and nobody has switched it on, that conversation can usually be resolved in a few days. If your provider does not know what you're asking, or cannot give a clear answer to the three questions above, that response is itself important information. This area needs attention before your next renewal date, even if other parts of your IT setup are handled well. One thing to avoid: do not check yes on the form to dodge a premium hike. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups did not match what you declared, the carrier can rescind the policy. Coverage is then treated as if it never existed, and any prior payouts under the same policy term can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form. Checking no on the form will likely cost you something at renewal, either in premium or in coverage terms. That's a known cost, and it's manageable. Take the hit on the application, and use the months between now and your next renewal to close the gap. Article FAQs What does immutable backup mean, in plain English? A backup that nobody can change or delete for a set period of time, even with administrator credentials. The storage platform enforces the lock at the system level, so user permissions cannot override it. Is Microsoft 365's built-in retention a backup? No. Native retention can be bypassed by a global admin or by anyone who steals one. Microsoft's shared responsibility model places backup of your data on the customer, separate from retention. How long should the immutability window be? Most insurers and security frameworks point to a minimum of 14 days. 30 days is increasingly the preferred floor, and some carriers want longer. A longer window gives you more confident recovery if an attacker has been inside your environment for an extended period. Can my IT provider just turn immutability on? Often, yes. If your backup platform supports the feature and it has not been enabled, this is a configuration change rather than a new purchase. Ask for written confirmation once it's done. What happens if I check yes on the form when I shouldn't? The carrier can rescind the policy after a claim, which voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber claims are denied. Article used with permission from The Technology Press.
A person sits at a desk with their head in their hand, frustrated by a computer, with the text:
By Greg Johnson April 4, 2026
Is your Grand Rapids medical or dental practice truly HIPAA compliant? Learn why "calling when it breaks" leads to massive data breach risks and how proactive managed IT saves your reputation and your budget.
Show More
By Greg Johnson July 15, 2026
Article Summary: Most ransomware operations target small businesses at volume, running through dozens of prospects per month. A 22-person company can be researched in 40 minutes using public records, attacked using session-token theft after a single phishing click, and ransomed within a week. What follows is a step-by-step walkthrough of how that attack unfolds, written from the attacker's perspective, plus the five specific controls that would have stopped it. Each control is included in security tools small businesses already pay for. Small businesses are the most common ransomware target by volume of incidents, even though many small business owners assume hackers focus on larger organizations. A 22-person company has enough revenue to be worth attacking, no dedicated security team to defend it, and a publicly traceable footprint that takes about an hour to research. What follows is a step-by-step walkthrough of how a small business gets attacked, written from the attacker's side. The company in this account is composite, but the methods are accurate to current threat intelligence reporting. After the walkthrough, you'll see five specific points where the attack would have been stopped by controls that come bundled with security tools most small businesses already pay for. Monday: You Become the Target I work regular hours and run a small volume operation. My spreadsheet has about 40 prospects per month, and I prefer businesses between 10 and 50 staff. The reason for that range is economics. Large enterprises have security teams, incident response contracts, and lawyers who make recovery expensive on my end. At the other end of the scale, sole traders rarely have enough at stake to bother with. A 22-person commercial services company sits in the right zone: payroll, customer database, project files, supplier relationships, and an owner who will pay to get the lot back. The return per hour is better at this size than at either extreme. I did not find you through a breach or a tip. I found you on a public business records portal. State business registries, federal contract awards, and county-level licensing databases publish enough detail for me to identify your company, look up your name, estimate your revenue, and pick the most useful person inside the business. One search told me your company name, your registered agent, the contract value of a recent municipal job, and the named contact on the submission. The fact that nothing has gone wrong at your company yet is the strongest signal I get. It tells me your credentials are probably still valid, your staff has not been trained to spot anything, and nobody has had a reason to change a password. A clean record is the first indicator I look for. Tuesday: I Learn Your Org Chart I spend about 40 minutes researching your company today using only a browser. LinkedIn gives me eight of your current employees with their job titles listed. Your office manager has been there for six years and lists “accounts payable, payroll, and supplier invoicing” in her profile summary. Your second admin joined 14 months ago. You list yourself as director, with a sparse profile and a low connection count, which tells me you are unlikely to notice when someone unusual starts engaging with your profile or your company's social media. Public business filings confirm your registered business name and your full legal name. A “meet the team” post from two years ago on your Facebook page lists first names and photos, including someone described as helping out in the office a couple of days a week. One of the commenters shares your surname. I now know who handles your money, what their name is, how long they have been there, what software they probably use (I will check your job ads on Indeed for the phrase “experience with QuickBooks or Sage”), and who in your business has the authority to approve a payment without a second signature. That last person is my primary target. You are harder to reach and probably more cautious. Your office manager has system access, handles supplier payments, and is busy enough that one more email in her inbox does not get scrutinized the way it might if she had nothing else to do. I have not spent a dollar yet. Wednesday: I Buy Your Credentials for $14 Stealer logs are credential packages harvested by infostealer malware that infected someone's personal device, often months or years earlier. The malware records every username and password typed into the machine, then bundles the data for sale. Marketplaces on Telegram channels and forums let buyers search these logs by company email domain. I search for your company's email domain. Two results come back. One is your office manager's work email, with a password that looks like it was saved in her browser. The other is a personal Gmail address that appears to belong to a family member of yours, probably from a device that shared a home network. I pay $14 for the package. It takes four minutes. Your office manager's password follows a common pattern: a pet or child's name combined with a year and an exclamation mark. I check it against HaveIBeenPwned, which is the same free database security professionals use, and find that it appeared in a credential dump from a retail loyalty program breach three years earlier. The password has not been changed since. Your family member's credentials are more interesting than they look at first. The same password, with minor variations, shows up across a streaming service, a gaming account, and your company's Microsoft 365 login. The password works. The only thing standing between me and the inbox is the second factor. Total spend so far: $14. Thursday: I Get Past Your MFA Multi-factor authentication stops a lot of attacks, but the implementation matters more than the checkbox. Simple push-notification fatigue does not work against your office manager's account. Microsoft enabled number matching by default for all Microsoft Authenticator push notifications in May 2023, which means she would have to type a code from her login screen rather than just tap approve. Push bombing fails against that configuration. What still works is adversary-in-the-middle (AiTM) phishing. I send your office manager an email designed to look like a routine Microsoft 365 password reset notification, citing the breach that her password appeared in (the same breach I found her credentials in earlier in the week). The link in the email takes her to a page that mirrors the real Microsoft sign-in screen. That page is a proxy I control. When she enters her password and approves her MFA prompt, my proxy forwards both to the real Microsoft login server. Microsoft validates the credentials, completes the MFA challenge, and issues a session token back to my proxy. I capture the token. She sees a normal login experience on what she thinks is the real Microsoft site, then a “password updated successfully” message. I am now signed in as her. The MFA prompt succeeded, and the session token sits in my browser instead of hers. Microsoft sees a valid authenticated session and treats my activity as legitimate. I had a backup plan in case the email did not get clicked. Earlier in the day, I called your office posing as your IT support company, using a name I found in a Google review you had left 18 months earlier. I told your receptionist that we were seeing unusual login activity on the office manager's account and that I would need her to approve a verification push in the next few minutes. She said the office manager was not at her desk. I said no problem, I would try again later. The call cost me nothing. By Thursday night, I am inside your office manager's Microsoft 365 account. I set up an inbox forwarding rule so her emails copy to an address I control without notifying her, then I wait. Friday 2:47pm: Time to Encrypt I spend 36 hours reading email before I encrypt anything. That dwell time is how I size the ransom correctly. In those 36 hours, I find your cyber insurance policy attached to an email from your broker, with a cyber liability sub-limit of $250,000. A bank reconciliation your office manager sent you two weeks ago shows your business account at around $180,000 at month end. Your customer list sits in a quote template she emailed to herself, and a message thread with a municipal project manager mentions a job starting in three weeks with a hard deadline you cannot afford to miss. I set my ransom at $65,000 in cryptocurrency. That figure is low enough that you will pay rather than fight it, high enough that it is worth my time, and well within what I know you can access. Ransoms set above 10 percent of visible liquid assets tend to get contested. The figure I picked sits below that line. I deploy the encryption payload at 2:47pm on Friday. The timing is deliberate. Your bookkeeper finishes at 3pm on Fridays, which I know from an out-of-office reply I saw in the forwarded emails. You are on a job site, with your calendar synced to the shared inbox. The person most likely to notice something wrong and call for help is already gone, and the person with the authority to make decisions is unreachable. By the time anyone understands what has happened, it is a Friday evening, every file on your shared drive is encrypted, and a ransom note sits on every screen in your office. Total cost to me: $14 for credentials and about six hours of work spread across the week. Five Places This Attack Would Have Died The attack on your business worked because five ordinary things were not in place. None of them were expensive. Most were already bundled into security tools you already pay for. 1. The credential purchase on Wednesday. HaveIBeenPwned is free. Microsoft Entra password protection can detect and block reused or commonly-compromised passwords across your accounts. Enforcing unique passwords per account, through a password manager and through Entra's policies, makes a stolen credential purchase useless for me. 2. The MFA bypass on Thursday night. Microsoft already blocks the simpler push-bombing attack, because number matching has been enabled by default for all Microsoft Authenticator push notifications since May 2023. The current dominant credential-based bypass is adversary-in-the-middle phishing. Defenses include phishing-resistant MFA (FIDO2 hardware keys, passkeys, or Windows Hello for Business), Conditional Access policies that require a compliant or hybrid-joined device, and anti-phishing protection in Microsoft Defender for Office 365. Any one of these would have either prevented the session token capture or made the captured token unusable from my IP address. 3. The inbox forwarding rule. Microsoft 365 allows admins to block external email forwarding rules at the tenant level. With that block in place, the inbox forwarding rule I used to read 36 hours of email would not have worked. I might have encrypted anyway, but I would have been guessing on the ransom size. 4. The 36-hour dwell time. Microsoft Defender for Business, included in Microsoft 365 Business Premium, generates an alert when a new inbox forwarding rule is created. If anyone had been watching those alerts, or if the alerts had been routed somewhere visible, it would have been detected on Thursday night. The most impactful change for a business your size is rarely a new product purchase. The improvement comes from someone reviewing the security alerts that the tools you already pay for are already generating. 5. The public business records. You cannot unpublish a state contracting registry or a federal contract award. That data will stay public. What you can control is what your team chooses to post about their specific responsibilities. Your office manager's LinkedIn profile listed her financial responsibilities in enough detail to make her the obvious target. That detail is worth a conversation with your team, framed as practical security awareness rather than a rule about what people can post. Three Questions to Send Your IT Provider These three questions cover most of where the example attack failed. Each one corresponds to a control that comes bundled with security tools you most likely already pay for. Are we using phishing-resistant MFA (FIDO2 keys, passkeys, or Windows Hello for Business) for finance, admin, and executive logins? Is external email forwarding blocked at the tenant level? Are our security alerts going somewhere, and is someone reviewing them? Article FAQs Do hackers target small businesses? Yes. Most ransomware operations target small and mid-sized businesses because the ratio of payout potential to defensive resources is higher than at either extreme of company size. The volume sweet spot is roughly 10 to 50 staff, where there are assets worth encrypting but no dedicated security team to defend them. What is adversary-in-the-middle (AiTM) phishing? AiTM phishing is a technique where the attacker hosts a proxy page that mirrors a real login screen, such as Microsoft 365 or Google Workspace. When the user enters credentials and approves the MFA prompt, the proxy captures the resulting session token. The legitimate service treats the login as successful, but the session token ends up in the attacker's browser. AiTM has become the dominant credential-based attack vector against Microsoft 365 tenants after the default rollout of number matching ended simpler push-bombing attacks. What is a stealer log? A stealer log is a package of credentials harvested by infostealer malware from an infected personal device. The logs include browser-saved passwords, session cookies, and stored authentication tokens, and they are sold on underground markets for $10 to $20 per package. The malware that creates them typically infects personal computers through pirated software or malicious browser extensions. How much does it cost an attacker to compromise a small business? In the example walkthrough above, the total spend was $14 for stolen credentials and about six hours of work. Costs vary, but the threshold to attempt the kind of attack described in this post sits well below $100. Are there free tools that would have stopped this attack? Several of the controls referenced in the walkthrough come bundled with Microsoft 365 Business Premium licenses that businesses in this size range typically already hold. External forwarding restrictions and Defender for Business alerts are configuration changes rather than new purchases. HaveIBeenPwned is a free check available to anyone. Phishing-resistant MFA hardware keys are a small per-user cost compared with the cost of a successful ransomware incident. Article used with permission from The Technology Press .
By Greg Johnson July 7, 2026
Article Summary: Immutable backups are backup copies that nobody can change or delete during a fixed retention period, including administrators and attackers using stolen credentials. Cyber insurance carriers ask about them on renewal applications because ransomware operators routinely destroy backups before encrypting production systems. A backup sitting on your network under regular admin credentials does not qualify. Cyber insurance applications include a question that catches a lot of small business owners off guard: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?” Carriers added that question to renewal forms because ransomware operators worked out that the fastest way to force a payout is to wipe the backups first and encrypt everything else after. CISA, the FBI, and the Internet Crime Complaint Center have all documented this pattern as one of the most common moves in current ransomware playbooks. A business whose backup copies can be deleted using the same admin credentials an attacker just stole has no recovery path other than paying the ransom. This post covers what immutable backup means, three common backup setups that do not qualify, the questions to send your IT provider before you sign the form, and what to do if your honest answer is no. Immutable backup, defined An immutable backup is one that cannot be modified or deleted for a fixed period of time, including by you, by your IT provider, and by anyone using stolen admin credentials. The stolen credentials piece is what carriers care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer, and no credentials, however privileged, can override it during the retention window. Some platforms call this object lock, write-once-read-many, or WORM storage. The terminology varies between vendors, but the underlying control is the sam. Three common backup setups that do not qualify Three setups come up regularly that don't satisfy the immutability question, even though business owners often assume they do. A NAS or external drive in your office A network-attached storage device sitting in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe what's on it. An external drive that someone plugs in once a week and leaves connected has the same exposure. These devices have a role in a broader backup strategy. On their own, they do not satisfy the immutability question. Microsoft 365 retention treated as a backup Microsoft 365 includes data retention features, and some businesses use them as their backup solution. They are not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds. Under Microsoft's shared responsibility model , customers retain responsibility for backup and protection of their own data, separate from what Microsoft provides at the platform level. If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no. A cloud backup with immutability switched off This is the most common gap. Many reputable backup platforms include immutability as a feature, but the setting is not always enabled by default. The capability exists, and someone needs to turn it on. Your business may be paying for a backup solution that looks credible on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking. Three questions to send your IT provider before you sign the form Copy these into an email and send them before you check the box. Question one: “Are our backups immutable, and if so, how long is the immutability window?” Carrier guidance has tightened in the past two years. Most insurers want a window of at least 14 days as a floor, with 30 days increasingly cited as the preferred minimum. Attackers sometimes sit in a network for weeks before triggering ransomware, which means a backup from yesterday may already be compromised. The window needs to be long enough to give you clean restore points from before the attacker arrived. Question two: “If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?” The correct answer is no. If the answer is yes, or if your provider is not sure, your backups are not immutable in the way the form means. Question three: “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?” A provider who can send something concrete has done the work. If they come back with verbal reassurance and nothing to show, treat that as a no until they can demonstrate otherwise. What a qualifying setup looks like For your backup to honestly satisfy the question on the form, a few things need to be true at the same time. The backup platform needs immutability turned on, not only available as a feature. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice does not, by itself, answer the question. The setting has to be turned on, scoped properly, and tied to credentials that aren't shared with the rest of your environment. The backup credentials need to sit outside your regular administrative accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment. The retention window needs to be long enough. A 24-hour backup that overwrites itself daily does not help if an attacker has been in your environment for a week. CISA's #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position. Restores also need to be tested. A backup nobody has tried to restore in the past 12 months is not something you can rely on when it matters. Most carriers now ask for the date of your last successful restore test, and they want to see one. What to do if your honest answer is no Declare what you have on the form, and use the renewal process as the reason to fix what isn't there. The first step is to ask your IT provider whether immutability can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product purchase. If the platform supports it and nobody has switched it on, that conversation can usually be resolved in a few days. If your provider does not know what you're asking, or cannot give a clear answer to the three questions above, that response is itself important information. This area needs attention before your next renewal date, even if other parts of your IT setup are handled well. One thing to avoid: do not check yes on the form to dodge a premium hike. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups did not match what you declared, the carrier can rescind the policy. Coverage is then treated as if it never existed, and any prior payouts under the same policy term can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form. Checking no on the form will likely cost you something at renewal, either in premium or in coverage terms. That's a known cost, and it's manageable. Take the hit on the application, and use the months between now and your next renewal to close the gap. Article FAQs What does immutable backup mean, in plain English? A backup that nobody can change or delete for a set period of time, even with administrator credentials. The storage platform enforces the lock at the system level, so user permissions cannot override it. Is Microsoft 365's built-in retention a backup? No. Native retention can be bypassed by a global admin or by anyone who steals one. Microsoft's shared responsibility model places backup of your data on the customer, separate from retention. How long should the immutability window be? Most insurers and security frameworks point to a minimum of 14 days. 30 days is increasingly the preferred floor, and some carriers want longer. A longer window gives you more confident recovery if an attacker has been inside your environment for an extended period. Can my IT provider just turn immutability on? Often, yes. If your backup platform supports the feature and it has not been enabled, this is a configuration change rather than a new purchase. Ask for written confirmation once it's done. What happens if I check yes on the form when I shouldn't? The carrier can rescind the policy after a claim, which voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber claims are denied. Article used with permission from The Technology Press.
A person sits at a desk with their head in their hand, frustrated by a computer, with the text:
By Greg Johnson April 4, 2026
Is your Grand Rapids medical or dental practice truly HIPAA compliant? Learn why "calling when it breaks" leads to massive data breach risks and how proactive managed IT saves your reputation and your budget.
Show More

Share this article