They’re Coming For You: What Alabama Companies Must Know About Cyber Threats

This isn’t an IT Problem. It’s a “can we make payroll next week” problem.

Rish Woods
Rish Wood helps CISOs and executives navigate cybersecurity and AI risks. With nearly two decades across federal, defense, and private industry, he connects leaders with the right experts and translates technical threats into business impact.

Look, hackers don’t care that you’re in Birmingham instead of Manhattan. They hit mid-sized Alabama companies just as hard as the Fortune 500s—actually harder, because you’re easier. They’re using AI now, so attacking you costs them next to nothing. If you run payroll, keep customer lists, or wire money to vendors, congratulations: you’re on their shopping list.

Section 1: You’re Already On Their List

The Reality:

Tarrant got hit. Gardendale got hit. Florence got hit. All with ransomware. All in the last few years. The idea that Alabama flies under the radar? That died about five years ago. If you’re a manufacturer, clinic, bank, accounting firm, construction company, or government office, you’ve got what they want: money, data, and the keys to both.

Here’s the thing about being mid-sized: you have valuable systems worth stealing, but you don’t have a $50 million security operation center watching everything 24/7. That makes you the perfect target.

Questions to Ask Your IT Team or Security Provider:

“Show me our last security audit. What were the three biggest problems?”

If they can’t pull this up in about 30 seconds, you don’t have one. Get one.

“When was the last time someone tried to break in—that we caught?”

This tells you if you’re actually watching, or just hoping for the best.

“Walk me through what happens if someone clicks a bad link tomorrow.”

If the answer is “uh…” you’re running on hope, not a plan.

“Which system would hurt us most if we lost it for a week?”

Makes them prioritize what actually needs protecting versus what’s just nice to have.

Section 2: The Fakes Look Perfect Now

The Reality:

Remember those hilarious phishing emails full of typos? “Dear valued costumer, your account has been suspendid”? Yeah, those are gone.

AI-generated emails now look perfect. No typos. Perfect grammar. They sound exactly like your CFO or your biggest vendor. Deepfake voices can clone your CEO so accurately that people are wiring six figures to criminals without blinking.

The FBI says business email scams alone have cost tens of billions worldwide in the last few years. Not millions. Billions. And your employees—even the trained, careful ones—are getting fooled because the fakes are that good.

Questions to Ask:

“Show me the last five emails our system flagged. Were any legit?”

This tells you if your filters work, or if they’re just annoying everyone.

“If our CFO emails me to wire $50K today, what’s the process?”

If the answer is “just call them back,” push harder: “What if the email says don’t call, urgent, client waiting?”

“Show me what a fake login page for our bank actually looks like.”

If they can’t demonstrate this, they can’t spot it.

“What’s our rule for any payment over $X that comes by email?”

If there isn’t a rule, create one today. Right now. Before you finish this article.

Section 3: Ransomware Is a When, Not If

The Reality:

Ransomware locks up your files and demands payment to get them back. Sometimes they steal everything first and threaten to publish it online. Either way, you’re in a corner.

U.S. cybercrime losses hit $16.6 billion last year. The average ransomware attack takes 21 days to recover from. A lot of companies don’t survive that.

Questions to Ask:

“If ransomware hit us tonight, how long until we’re back to normal?”

The honest answer is usually “we don’t really know” or “weeks.” Both are bad.

“Show me our backups. When did we last test restoring from them?”

Untested backups aren’t backups. They’re wishes.

“Do we have cyber insurance? What does it cover and what’s the deductible?”

A shocking number of companies have it and have no idea what it actually covers.

“Who has admin access to our critical systems? Why?”

Limiting who can access what is cheap and incredibly effective. Most places hand out admin rights like candy.

“If we get hit, who decides whether to pay? What info do they need?”

Figure out the decision framework now, not at 2 AM on a Saturday during a crisis.

Section 4: AI Can Work For You Too

The Reality:

The same AI that’s making attacks better can also defend you. AI tools now detect weird login patterns, flag sketchy emails before anyone clicks, and help small IT teams punch above their weight.
The tools are getting cheaper and easier to use. You don’t need a PhD in computer science anymore.

Questions to Ask:

“What security tools are we using with AI? What do they actually do?”

Separate real capability from vendor marketing BS.

“If someone logs into our system from Moscow at 3 AM, do we know? How fast?”

Tests whether you have basic monitoring or not.

“What would it cost to add AI-based email security? What’s the return?”

Usually pretty cheap with high payoff. If they haven’t researched it, ask why.

“Are we using multi-factor authentication everywhere? If not, why not and when?”

MFA stops 99% of automated attacks. It’s not optional anymore. It’s just annoying enough that people skip it.

Section 5: The First Hour After You Get Hit

The Reality:

Your response in the first 60 minutes determines whether this is a bad week or a company-ending disaster. Panic causes mistakes. Having a plan means you can think clearly when everyone else is losing their minds.

Questions to Ask (Build Your Plan Now):

“Who do we call first? Write down names and actual phone numbers.”

IT leader, security provider, cyber insurance company, FBI (if it’s major), Alabama Fusion Center. Have the list printed and in a drawer.

“What should we absolutely never do in the first hour?”

Common mistakes: shutting everything down randomly, paying immediately without thinking, hiding it from leadership because you’re scared.

“Do we have a plan for talking to customers and employees? Who writes it?”

Silence breeds rumors. Honesty builds trust. Have a template ready.

“What’s our emergency plan if normal communication is down?”

If your email is compromised, how are you coordinating? Carrier pigeon?

“Have we ever practiced this?”

Schedule a tabletop exercise this quarter. Two hours. You’ll discover every gap in your plan.

Section 6: This Belongs in the Boardroom

The Reality:

Cyber risk can’t live in the IT closet anymore. It belongs in board meetings, budget discussions, and executive strategy sessions. It’s business continuity, customer trust, and competitive advantage all rolled into one.

Questions for Leadership:

“What revenue do we lose if we’re down for a week? A month?”

This number justifies your security budget instantly. Do the math.

“Show me this year’s cyber budget. How’s it compare to insurance, legal, or facilities?”

Most companies spend more on coffee than cybersecurity. That’s insane.

“If we had a breach tomorrow, who do we report it to and how fast?”

Legal requirements vary by industry. Know yours before you need to.

“What does ‘good enough’ security look like for our size and industry?”

You don’t need perfection. You need competent. Define the standard.

“What are our competitors doing about cyber? Are they ahead or behind us?”

Competitive intelligence matters here too. If they get breached and you don’t, you win customers.

The Bottom Line

You don’t need perfection. You need to not be the easiest target on the block.

Start with these basics:

  • Multi-factor authentication everywhere it’s available
  • Regular backups that you actually test
  • Email filtering that catches the obvious stuff
  • A response plan that people have read
  • Cyber insurance that covers your actual risks

The Ultimate Question:

“If we got hit tomorrow, could we honestly tell customers and employees we did everything reasonable?”

If the answer makes you uncomfortable, you know what to do.

Your Homework This Week

Don’t just read this and feel anxious. Do something.

Monday: 30-minute meeting with your IT lead. Ask three questions from Section 1.

Tuesday: Call your insurance broker. Ask about cyber coverage.

Wednesday: Get your last security audit or schedule one if you’ve never had one.

Thursday: Pick one system. Test restoring from backup. See what happens.

Friday: Schedule a tabletop exercise for next month. Put it on the calendar before you forget.

This Month: Turn on multi-factor authentication everywhere you can. Yes, it’s annoying. So is going out of business.

The companies that survive cyber attacks aren’t lucky. They just asked better questions before things went sideways.
Be one of those companies.