The five layers standing between your business and a cyber incident

Last month, a manufacturing shop about forty minutes up the coast had a near-miss. A supplier invoice was rerouted, and a wire transfer was nearly sent to an account in another country. The bank caught it, but the owner didn’t.

Asked what cybersecurity he had in place, he said, word for word: “We’ve got that covered. We have a firewall and antivirus.”

That was true, as far as it went. What he hadn’t thought about was his email traffic, the lack of separation between his office network and his production floor, training for his team on fake vendor requests, or backups tested recently enough to rely on. Four of the five layers that should have been standing between his business and that wire request were either missing or silent.

 

What “covered” actually means

Small businesses tend to describe cybersecurity in the singular: as one thing, a product, or a service. But in practice, it’s five things layered on top of each other, each doing a different job. Attackers don’t care which layer is weakest; they only need one to be weak enough.

Here’s what the five layers are and what happens when each one fails:

 

Layer 1: The perimeter

The perimeter is the front door of cyber protection: firewalls, VPNs, and the network equipment that decides what traffic gets in and out of the building. It’s the layer most business owners already understand, which is why it’s usually in the best shape of the five.

It’s also the layer that has changed most in the last two years. According to Verizon’s 2025 Data Breach Investigations Report, exploitation of known vulnerabilities as an initial attack vector rose 34% year over year, with much of that growth driven by zero-day exploits against perimeter devices and VPNs. Set-and-forget is over.

A well-maintained perimeter means the firewall is under active management, firmware is current within days of a release, and every remote-access login goes through multi-factor authentication.

 

Layer 2: The network

Behind the firewall, the internal network is what attackers see once they’re in. If everything lives on one flat network (workstations, the accounting server, the shop-floor PCs, the printer, that smart thermostat installed a few years back), a compromise on any one device becomes a compromise on all of them.

The technical word is “segmentation.” To put it simply, the office network shouldn’t be able to reach the payment terminal, which shouldn’t share a subnet with the guest Wi-Fi or the backup server. CISA’s #StopRansomware Guide calls out segmentation specifically as a defense that limits lateral movement, which, in practice, is the difference between losing a laptop and losing the whole company.

A properly segmented network keeps production, admin, guest, and connected-device traffic in separate zones, with rules controlling what can talk to what.
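To make "rules controlling what can talk to what" concrete, here is an added example (not from the original article) that audits flow records against a zone plan and reports traffic crossing zones without an allow rule. The subnets, zone names, allow rules, and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan: subnets and zone names are assumptions for illustration.
ZONES = {
    "admin":      ipaddress.ip_network("10.10.10.0/24"),
    "production": ipaddress.ip_network("10.10.20.0/24"),
    "guest":      ipaddress.ip_network("10.10.30.0/24"),
    "devices":    ipaddress.ip_network("10.10.40.0/24"),
    "backup":     ipaddress.ip_network("10.10.50.0/24"),
}

# Allowed cross-zone flows: (source zone, destination zone, destination port).
ALLOWED = {
    ("admin", "production", 443),
    ("admin", "backup", 443),
    ("production", "backup", 443),
}

def zone_of(ip):
    """Map an IP address to its zone; addresses outside the plan are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return flows that cross zones without a matching allow rule."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # same-zone traffic is outside the segmentation policy
        if (sz, dz, port) not in ALLOWED:
            violations.append((src, dst, port, sz, dz))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.10.15", "10.10.20.5", 443),   # admin -> production, allowed
    ("10.10.30.77", "10.10.50.2", 445),   # guest Wi-Fi -> backup server
    ("10.10.40.9", "10.10.10.15", 3389),  # connected device -> admin PC
    ("10.10.20.5", "10.10.20.6", 502),    # stays inside production
    ("192.168.1.4", "10.10.50.2", 443),   # address not in the plan
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION %s -> %s:%d (%s -> %s)" % v)
```

On a flat network every one of these flows would succeed; the audit shows which ones a segmented design is expected to block.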

 

Layer 3: The endpoint

This layer is the devices themselves: laptops, desktops, phones, servers. Antivirus was the whole story a decade ago. Today’s endpoint protection must do more.

Modern tools watch for behavior. They notice when a user’s account logs in from two states in an hour, or when file encryption starts moving through a shared folder. Attackers increasingly live off legitimate tools like signed software and built-in admin commands, so a signature-based product will often see nothing wrong until the ransom note appears.
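The "two states in an hour" check described above can be sketched as detection logic over sign-in records. This is an added example, not part of the original article or any product's code; the log format, field names, and sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp, account, state resolved from source IP.
# The format and field names are assumptions, not a specific product's output.
SAMPLE_LOG = """\
2025-06-02T08:01:12 user=jsmith state=GA result=success
2025-06-02T08:40:03 user=mlopez state=GA result=success
2025-06-02T08:47:55 user=jsmith state=TX result=success
2025-06-02T09:15:00 user=mlopez state=FL result=failure
2025-06-02T11:30:41 user=mlopez state=SC result=success
"""

WINDOW = timedelta(hours=1)

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.fromisoformat(ts)
    return fields

def two_state_logins(log_text, window=WINDOW):
    """Flag successful sign-ins by one account from different states within the window."""
    recent_by_user = {}  # account -> [(time, state)] still inside the window
    alerts = []
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    for e in events:
        if e["result"] != "success":
            continue  # a failed attempt is not a login from that state
        recent = [(t, s) for t, s in recent_by_user.get(e["user"], [])
                  if e["time"] - t <= window]
        for t, s in recent:
            if s != e["state"]:
                alerts.append((e["user"], s, e["state"], e["time"] - t))
        recent.append((e["time"], e["state"]))
        recent_by_user[e["user"]] = recent
    return alerts

if __name__ == "__main__":
    for user, first, second, gap in two_state_logins(SAMPLE_LOG):
        print(f"ALERT {user}: {first} then {second} within {gap}")
```

IP geolocation is approximate and VPN or mobile-carrier exits can trigger this rule legitimately, so an alert like this is a prompt for a person to check, not proof of compromise.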

What a small business should have in place is Endpoint Detection and Response (EDR) with 24/7 monitoring by someone whose job it is to respond. If nobody is watching the alerts, the alerts don’t matter.

 

Layer 4: The human

The same Verizon report found that human involvement in breaches remains high, with significant overlap between social engineering and credential abuse. That pattern hasn’t moved much in years, and it won’t change on its own.

Attackers have figured out that the fastest way past technology is to ask someone to open the door. In the moment, the owner was busy. A vendor email looked right, and the layer that should have caught it (a trained eye, a verification call, a written policy on payment changes) wasn’t there.

A healthy human layer comes from short, regular training, phishing simulations the team can learn from rather than be punished by, and a written rule that no banking detail ever changes without a phone call to a known number.

 

Layer 5: The data

The last layer is the one a business only notices when everything else has failed: backups and recovery.

According to the 2025 Verizon Data Breach Investigations Report Executive Summary, ransomware now appears in 44% of all breaches and 88% of confirmed small-business breaches, compared with 39% at larger organizations. The gap between those numbers says a lot about who attackers prefer.

Ransomware stops being a crisis the moment clean data can be restored faster than the attacker can negotiate. CISA’s guidance for small businesses is that backups should be offline or otherwise isolated, encrypted, and regularly tested.

In practice, that means multiple backup copies, at least one offline, and a documented restore test completed in the last 90 days. That’s what business continuity looks like on the ground.

 

Want to walk through your own layers?

Thinking in layers makes the problem tractable. Rather than trying to fix cyber protection all at once, a business owner can look at the five layers and ask where the gaps are.

We’re hosting Layers of Protection on Thursday, June 25, from 4:30 to 6:30 PM at The Training Facility in Brunswick. There’ll be coffee from The Facility’s shop, light snacks, some shooting, and a conversation with other local business owners about gaps and how to close them before an attacker finds them first. Reserve your spot today.

Adam Casgar

President of Coastal Computer Consultants LLC and the founder of a team dedicated to delivering technical leadership.