As a small business owner in Columbia, Pa., I have always paid my taxes on time each and every year. My family started Susquehanna Glass in 1910 when my grandfather installed a cutting machine in a shed behind his house. I joined the business in 1975 and spent five decades growing it into a company that serves customers across the country.
Three generations built something worth protecting. Then, an unexpected ransomware attack shut down our business one morning.
It was the first Tuesday in December, during our busiest season. We came in at nine o’clock and strange messages began popping up on screens across the building. An overseas group of criminals had found its way into our server and encrypted everything: financials, inventory, customer records, employee files with Social Security numbers and bank information. The software that runs our company froze. The machinery in the shop stopped. We shut down the factory and sent 40 employees home while I scrambled to wrest back control from criminals demanding a fortune.
The criminals demanded a million dollars to give me my own business back.
We were lucky in the strangest sense of the word. We had cyber insurance and backup hard drives the hackers deleted but did not encrypt. We overnighted those drives to a recovery company in California, and by Friday they had recovered virtually everything.
But while we never paid a dime of ransom, the cleanup still cost over $100,000: attorneys, forensic investigators, data recovery, and IT. While being a responsible, tax-paying citizen, these costs resulting from the ransomware attack essentially became a new, unsolicited tax — something I won’t forget as we pay our annual taxes this year.
We offered identity theft protection to every employee whose information was exposed and ran overtime to fulfill Christmas orders guaranteed for holiday delivery. If the recovery had not come through, my 116-year-old business would have closed forever.
My experience is not unusual. It is the norm for American small business owners. A national survey commissioned by the Public Private Strategies Institute found that nearly three in four small businesses (72%) were hit by fraud, scams, or ransomware last year. Average losses were nearly $60,000 for payment fraud and more than $90,000 for email compromise. Across small businesses in the US, the toll reached $131 billion last year.
This is a hidden tax on Main Street that no one voted for. As Tax Day arrives, millions of owners are calculating what they owe the government. What they will not see on any form is the other tax they paid last year, collected not by the IRS but by criminals. This theft is a loss for the entire economy. That $131 billion could have funded new hires, new equipment, and new locations. Instead, it went to scammers who impersonate vendors, hijack email accounts, and hold data for ransom.
Fraud does not merely drain revenue; it slows growth. Forty-three percent of affected businesses say fraud makes it harder to accept payments. Forty percent say it undermines their ability to attract customers. Thirty-nine percent say it interferes with developing new products. These are jobs not created, customers not served, communities that don’t reap the benefits of expanding local business.
The threat is accelerating. Seven in ten small business owners believe AI will make attacks more frequent. Among businesses already targeted, 76 percent say AI was used against them. The next generation of attacks will be worse.
Yet preparedness lags awareness. Fewer than half of small business owners feel ready for the most common attacks, and the tools that work best are the least widely adopted. Multifactor authentication is used by just 48% of businesses, though 70% of users call it very effective. Cyber insurance covers only 24%, though 61% of policyholders call it effective.
Fraud is getting more attention from policymakers, and protections are beginning to take shape. That momentum must include protections for small businesses. The 33 million firms that employ nearly half the American workforce cannot be an afterthought when fraud prevention policies are written. And federal enforcement resources should match the scale of a $131 billion problem.
In the meantime, here is what I would tell every business owner reading this: do not think you are too small to be a target. Get a good IT partner who talks to you, not just to your servers, and buy the cyber insurance. Ours costs about $3,000 a year. The attack cost over $100,000, and that was the lucky outcome.
Tax Day is a useful reminder that small businesses already pay their share. They should not have to pay the criminals, too.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
