Back to Blog

They Hit a Water Plant. Your Business Is Not Too Small to Be Next.

On March 14th, the water treatment plant in Minot, North Dakota got hit by ransomware.[1] The facility serves roughly 80,000 people. Operators showed up to work and found that their SCADA system, the industrial control software that manages how water gets treated and distributed, was compromised and largely locked down. They spent the next 16 hours doing their jobs the old-fashioned way: reading physical gauges by hand, running manual checks, and hoping nothing went sideways.

Water was never unsafe. The FBI got called in. No ransom was paid. In the grand scheme of cyberattacks, you could call it a near-miss. But I'd call it a wake-up call, because the Minot water plant is not a sophisticated, well-funded IT operation. It's a resource-constrained public utility with a small staff and a budget that doesn't have a lot of room for cybersecurity spending. Sound familiar?

The "I'm Too Small to Be a Target" Problem

I hear this from business owners all the time. "We're just a 12-person accounting firm." "We don't have anything worth stealing." "Why would anyone bother with us?" It's an understandable way to think, but it's wrong, and the numbers back that up pretty bluntly.

Ransomware was involved in 88% of all breaches affecting small and medium-sized businesses last year, compared to 39% for large enterprises.[2] Attacks on SMBs increased 34% year-over-year. More than two-thirds of ransomware attacks target organizations with fewer than 500 employees. The median cost of recovery is now $1.53 million.[3]

The reason small businesses get targeted more isn't because attackers have a grudge against them. It's because they're easier. Criminal groups running Ransomware-as-a-Service operations are essentially running automated campaigns. They scan the internet for known vulnerabilities, find the unlocked doors, and walk in. Big companies have security teams watching for exactly that. Small businesses usually don't.

What Actually Happened in Minot Matters

The attack came in through the SCADA system, which is specialized industrial control software. But here's the thing: the vector that attackers use to reach SCADA systems is almost always the same stuff that threatens every other business. Unpatched software. Weak or reused passwords. Phishing emails. Remote access tools left exposed. These aren't exotic, nation-state-level tactics. They're the same basic entry points we talk about every week.

The ransom note found on the server didn't even include a dollar amount. Nobody has claimed responsibility. That tells you something about who's doing this. It wasn't a targeted hit job on Minot's water supply. It was automated, opportunistic, and indiscriminate. The plant got caught in a net that was cast wide.

75% of small businesses say they could not continue operating after a ransomware attack.[4] I don't think most business owners sit with that number long enough. Three out of four would shut down. Not temporarily disrupt. Shut down.

Pittsburgh Has a Cybersecurity Community Worth Knowing About

On a more optimistic note, Pittsburgh is actually one of the better cities in the country to be in if you care about this stuff. The Pittsburgh Technology Council is hosting Cyburgh 2026 at Station Square later this month, gathering cybersecurity leaders and executives with regional ties.[5] Carnegie Mellon's CyLab has been doing serious security research here for decades. The talent and the conversation are here. Small businesses just rarely get looped in.

That gap is part of what we try to close at Caruso Tech Services. Cybersecurity awareness shouldn't be something only the big companies can afford.

What to Actually Do About This

I'm not going to give you a laundry list. Instead, three things that actually move the needle:

First, know what's exposed. Most businesses don't know what devices and services are visible on the internet. A basic external scan takes an hour and will show you exactly what an attacker sees when they look at your network from the outside.

Second, get multifactor authentication on everything that matters. Email, remote access, accounting software, banking. MFA doesn't stop everything, but it stops the most common attack path cold. This one is free or nearly free on most platforms you're already paying for.

Third, test your backups. Not just "we have backups." Actually restore something from them. Ransomware groups have gotten very good at finding and destroying backup copies before they deploy the encryption. If your backup is connected to the same network as everything else, it's probably not as safe as you think.

If you have an IT provider and you're not sure whether any of this is covered, ask them directly. If they can't answer clearly, that's worth knowing too.