You Are One Hacked Password Away From Losing Everything. The Solopreneur’s Cybersecurity Checklist

Nobody is Coming to Save You. That is the First Thing to Understand.

When a large company gets hacked, they have an IT department. They have a security operations center. They have incident response protocols and cyber insurance and a team of people whose entire job is to contain the damage.

When you get hacked, you have you.

That asymmetry is exactly what attackers are counting on. According to Verizon’s 2025 Data Breach Investigations Report — the most comprehensive breach dataset available — SMBs experienced ransomware in 88% of their breaches — more than twice the rate of large organizations — and are being targeted nearly four times more frequently. Not because small businesses were specifically targeted in sophisticated operations. Because they are connected enough to be valuable and, attackers assume, unprotected enough to be easy.

The median ransom payment across breaches in 2025 was $115,000 — a figure that can be devastating for a one-person business with no IT infrastructure to absorb the recovery cost. That is often more affordable to pay than rebuilding from scratch — which is precisely why ransomware targeting solopreneurs has become more aggressive, not less, as AI lowers the cost of launching attacks at scale.

This is not a scare piece. It is a checklist. Work through it once. Then stop thinking about it.

1. Your Password is the Problem (And You Already Know It)

According to Verizon’s breach data, approximately 61% of breaches targeting small businesses start with compromised credentials. Not sophisticated hacking. Not zero-day exploits. Someone’s password got stolen or guessed.

Credentials get compromised in three ways. Data breaches at other services expose passwords you reuse. Phishing emails trick you into entering your password on a fake login page. And brute-force attacks systematically try common passwords until one works.

The fix for all three is the same: a password manager and unique passwords for every account.

A password manager — 1Password, Bitwarden, or Dashlane are the established options — generates and stores a unique, complex password for every service you use. You remember one master password. The manager handles the rest. This single change eliminates the credential reuse problem entirely.

If you are currently using any variation of a word, name, or date as a password for any business-critical account — email, banking, hosting, domain registrar, accounting software — change it today. Not this week. Today.

2. Multi-Factor Authentication is Non-Negotiable

A strong, unique password is necessary but not sufficient. Without multi-factor authentication (MFA), one stolen password unlocks your entire business.

MFA requires a second verification step — a code from an authenticator app, a hardware key, or a biometric confirmation — before granting access. Even if an attacker has your password, they cannot log in without the second factor.

Enable MFA on every account that offers it, in this priority order: email (your email account controls password resets for everything else — it is the master key), banking and payment accounts, hosting and domain registrar, cloud storage, and any SaaS tools that hold client data.

Use an authenticator app — Google Authenticator, Authy, or Microsoft Authenticator — rather than SMS-based codes wherever possible. SMS verification is better than nothing, but SIM-swapping attacks can intercept text messages. An authenticator app cannot be intercepted remotely.

3. Backups: The One Thing That Saves You When Everything Else Fails

Ransomware works by encrypting your files and demanding payment to restore access. The only reliable defense is a backup that exists outside the encrypted system.

The rule is called 3-2-1: three copies of your data, on two different types of media, with one stored offsite.

In practice for a solopreneur: your working files live on your laptop (copy one), automatically backed up to a cloud service like Backblaze or iCloud (copy two, offsite), and periodically backed up to an external drive that you store somewhere other than your desk (copy three, physical offsite).

The critical detail that most people miss: test your backups. Set a quarterly calendar reminder to restore a file from your backup. Backups that have never been tested have a troubling tendency to fail exactly when you need them. A backup you have never restored is a backup you cannot trust.
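A scripted version of the quarterly restore test described above, added here as an example and not part of the original article. It assumes your working folder and one backup copy (an external drive or a synced cloud folder) are reachable as local paths; the demo constructs both as temporary directories. It copies every backed-up file out to a scratch location, then compares content hashes against the live files, so a missing or stale copy is caught before the day you actually need it.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Content hash of one file (read whole; chunk it for very large files)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_test(source_dir, backup_dir):
    """Restore backup_dir to a scratch folder; group files as ok/missing/mismatch."""
    result = {"ok": [], "missing": [], "mismatch": []}
    with tempfile.TemporaryDirectory() as restore_dir:
        for root, _dirs, files in os.walk(source_dir):
            for name in files:
                live = os.path.join(root, name)
                rel = os.path.relpath(live, source_dir)
                backed_up = os.path.join(backup_dir, rel)
                if not os.path.isfile(backed_up):
                    result["missing"].append(rel)
                    continue
                # Copy the file back out instead of hashing it in place:
                # a backup you cannot restore from is not a backup.
                restored = os.path.join(restore_dir, rel)
                os.makedirs(os.path.dirname(restored), exist_ok=True)
                shutil.copy2(backed_up, restored)
                state = "ok" if sha256_of(restored) == sha256_of(live) else "mismatch"
                result[state].append(rel)
    return result


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Constructed sample: one current copy, one stale copy, one file never backed up."""
    with tempfile.TemporaryDirectory() as base:
        src, bak = os.path.join(base, "work"), os.path.join(base, "backup")
        _write(os.path.join(src, "clients", "acme.txt"), "invoice v2")
        _write(os.path.join(bak, "clients", "acme.txt"), "invoice v2")
        _write(os.path.join(src, "notes.txt"), "edited today")
        _write(os.path.join(bak, "notes.txt"), "last quarter")
        _write(os.path.join(src, "new.txt"), "never backed up")
        return restore_test(src, bak)
```

Anything listed under "missing" or "mismatch" means that copy would not have saved you; fix the backup job, not the report.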

4. Software Updates Are Security Updates

When a security vulnerability is discovered in your operating system or software, attackers start exploiting it within hours — sometimes within minutes of public disclosure. Patches close those vulnerabilities. Delayed updates keep them open.

Enable automatic updates for your operating system, browser, and any software you use for client work. The only exception: specialized software where an unexpected update could break a critical workflow. For those, schedule manual weekly checks rather than relying on memory.

The pattern that leads to breaches is consistent: a vulnerability is disclosed, a patch is released, a small business delays the update for weeks because it feels inconvenient, and an attacker exploits the known vulnerability during that window.

5. The Phishing Problem Is Getting Worse

AI-generated phishing emails are now effectively indistinguishable from legitimate communications. The broken-English scam emails that were easy to spot five years ago are gone. Modern attacks replicate writing styles, impersonate specific vendors you work with, and are grammatically flawless.

In 2026, security researchers documented triple-digit growth in credential-targeting attacks during 2025, driven largely by AI-enhanced phishing operating at previously impossible scale.

The defense is behavioral, not technological. Develop the habit of verifying unexpected requests through a separate channel. If your bank sends an email asking you to log in and verify your account, do not click the link — open a new browser tab and navigate directly to your bank’s website. If a vendor sends an invoice that looks slightly different from their usual format, call them to confirm before paying.

The single most dangerous moment in a solopreneur’s digital life is when they are busy, slightly distracted, and receive an urgent-seeming email from a trusted source asking for credentials or payment. Slow down at that exact moment.

6. Your Cloud Storage Is Not Automatically Secure

Moving to cloud-based tools like Google Workspace or Microsoft 365 does not mean your data is secure by default. It means your data is protected by whatever security settings you have configured — and for most solopreneurs, that means the defaults.

Review the security settings on your cloud storage and email provider. Enable MFA (covered above). Review which third-party apps have access to your Google or Microsoft account, and revoke anything you do not recognize, no longer use, or that no longer needs the access.

Cloud storage also creates a specific vulnerability: shared credentials. If you have ever shared a login with a contractor, collaborator, or former client, and never changed the password after the relationship ended, that person still has access. Audit your shared access quarterly and revoke anything that is no longer active.

7. The Backup Plan for When It Happens Anyway

Even with every precaution in place, breaches happen. What separates recoverable incidents from catastrophic ones is having a plan before you need it.

Write down — on paper, stored somewhere other than your laptop — the following: the phone numbers for your bank’s fraud department, your domain registrar’s support line, and your primary cloud provider’s security team. The email addresses for your top five clients, stored somewhere other than your email account, so you can notify them if your email is compromised. The location of your most recent backup and how to access it.

This is your breach response kit. You hope to never open it. You will be glad it exists if you do.

The Uncomfortable Truth

Most solopreneurs treat cybersecurity the way most people treat smoke detectors: they know they need them, they intend to deal with it, and they never actually do until something goes wrong.

The attacks are automated. They do not require a hacker to specifically target you. They scan millions of accounts simultaneously, looking for the ones with weak passwords, no MFA, and unpatched software. If your accounts match that profile, the attack finds you whether you are notable or not.

The checklist above takes an afternoon to implement. The breach it prevents could cost you weeks of recovery, thousands of dollars, and the trust of every client whose data was stored on your compromised systems.

One afternoon now. Or weeks of damage control later.
