The effectiveness of last weekend’s attack by U.S. forces on three of Iran’s nuclear sites might be a matter of debate , but security experts fear the ramifications of the strikes are a little more certain. Officials are warning that Iran-linked hackers and other online groups affiliated with the Iranian government could focus attacks on U.S. targets, including businesses. The Department of Homeland Security, earlier this week, issued an alert from its National Terrorism Advisory System, saying attacks could go on through September. “The ongoing Iran conflict is causing a heightened threat environment in the United States,” the alert reads. “Low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks.” Owners of small and midsize businesses have reason to be uncomfortable with that warning. A 2024 study from Microsoft found SMB cyberattacks are both frequent and costly. “Ninety-four percent of SMBs consider cybersecurity critical, but without the tools and internal expertise to keep people, data, and devices secure, SMBs are vulnerable,” it reads. The attacks may have already started on a small scale. Iranian-aligned hackers claimed responsibility last week for a denial of service attack on Trump’s Truth Social platform that made it inaccessible for a period of time. “Both hacktivists and Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks,” the DHS warning reads. A hacker’s goal in attacking a business can vary. Retail-facing companies can be targeted for the personal and credit card information of customers. Some businesses are hit with a malware attack that initially does nothing, but can transform a company’s systems into “zombie computers,” which can be used unwittingly in a larger attack. Some hackers use security lapses at smaller companies as backdoor entries into larger partner corporations. Ransomware demands, which force business owners to pay to retrieve locked data, remain an especially big threat to small and midsize companies. Ransomware reached a historic high in the first quarter of this year, according to a report from NordStellar, a London-based threat exposure management platform. Companies with $10 million to $50 million in annual revenue and about 51 to 200 employees were the most frequently attacked. “Many SMBs rely on third-party IT providers, cloud platforms, and managed services, creating multiple attack vectors,” says Vakaris Noreika, a cybersecurity expert at NordStellar. “Weaker cybersecurity defenses due to limited budgets and an ‘it won’t happen to us’ mindset make SMBs low-hanging fruit to cybercriminals.” So what can founders do to protect their businesses? Experts recommend to avoid using shared passwords and to change passwords every three months. Consider implementing multifactor authentication or using authentication software. Only give employees access to the specific data systems that they need for their jobs. And no workers outside of your IT department should be able to install software on company devices without permission. Also, to protect against ransomware, regularly back up the data on all computers, especially word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Keep that offsite or on a cloud server. Staff support is also critical, such as teaching employees to safeguard against phishing, spam, and malware attacks as well as how to secure their mobile devices. Eight in 10 business owners told Microsoft a lack of staff security awareness was a concern. That’s an easily solvable problem. Ensure, of course, that all of your systems are running the most recent software version. And never assume that you’re too small to get attacked or that just because you’ve been hacked before, you won’t be again (something a surprising 44 percent of the business owners told Microsoft they believed). Cybersecurity is not something businesses can afford to ignore. The average total cost of an attack, Microsoft found, is $254,445—but it can run as high as $7 million. The final deadline for the 2025 Inc. Power Partner Awards is Friday, July 25, at 11:59 p.m. PT. Apply now .