For decades, business leaders have repeated a familiar truth: every business is a people business. That statement remains true. People create value, build culture, and fuel innovation. Yet the reality of the 21st century adds another layer of responsibility that leaders can no longer afford to treat as secondary. Every business today is also a technology business, and every business is a “data” business, regardless of industry and product category.
That reality once felt limited to financial institutions and software companies. Today, it reaches far beyond those sectors. HVAC companies, manufacturing operations, physical therapy clinics, real estate firms, equipment dealerships, and professional services organizations all operate on digital rails. Transactions move through CRMs and point-of-sale systems. Payroll, customer records, vendor data, e-commerce gateways, and intellectual property live in shared networks. Commerce now flows through data, and with that flow comes responsibility and liability.
Recent headlines reinforce this truth. In New Zealand, the patient portal Manage My Health suffered one of that country’s most significant cybersecurity incidents in history. Hackers claiming responsibility said they exfiltrated hundreds of thousands of medical documents belonging to over 120,000 patients, prompting an ongoing government review, legal action, and widespread concern about how such systems protect highly sensitive health information.
Meanwhile, a class-action lawsuit made headlines in New York after at least 22 patients of a Manhattan plastic surgeon alleged that hackers breached the practice’s systems and posted highly sensitive personal information, including Social Security numbers and private medical images, on a Russian-hosted website, and that the office failed to notify them promptly as required by law.
These realities illustrate a simple truth. Cyber risk is no longer an abstract “IT issue.” It directly affects trust, stewardship, and integrity. Customers entrust businesses with personal information. Employees rely on organizations to protect payroll and benefits data. Vendors assume financial systems are secure. Communities expect responsible leadership. When data is mishandled or exposed, the damage extends far beyond balance sheets.
Leaders today face widespread fatigue from constant breach notifications. Each new headline reinforces a shared vulnerability and a collective desire for stronger prevention. While no organization can eliminate risk entirely, leaders can choose intelligent prevention over complacency.
Unfortunately, it’s often lower–middle market companies that are most vulnerable. 43% of cyberattacks target small businesses, and 94% of small- and medium-sized businesses (SMBs) faced at least one cyberattack in 2024. With fewer internal resources and thinner margins, these organizations are often less equipped to absorb the impact.
Proactive organizations respond accordingly. They invest in third-party cybersecurity firms to test systems, encrypt sensitive data, and identify weaknesses before criminals do. They build layered defenses that include firewalls, access controls, alerts, monitoring, and incident response planning. They train teams to recognize social engineering and phishing tactics, which 61% of SMBs report as the most common attack vector they faced in the last year.
They also prepare leadership for rapid, transparent response when incidents occur, knowing that human error contributed to 95% of data breaches in 2024, driven by insider threats, credential misuse, and user-driven errors.
Preparation matters because cyber incidents follow a predictable pattern. An intrusion, attempt, or breach eventually arrives. The variable leaders control is readiness. Nearly 1 in 5 SMBs that suffer a successful cyberattack would be forced to close their doors, and 78% of SMBs fear that a major incident could put them out of business.
Organizations that fail often do so not because the attack occurred, but because containment, communication, and response failed. Organizations that prepare before a crisis are far more likely to preserve trust—and continuity—during it.
From a governance standpoint, data security now sits squarely within fiduciary responsibility. Small and midsize businesses are the principal targets of cybercrime, a reality echoed by regulators and insurers alike. Boards and executive teams that overlook cyber preparedness expose their organizations to unnecessary and foreseeable risk. In today’s environment, passive hope carries consequences. Leaders who roll the dice on cybersecurity jeopardize their people, customers, and future.
For values-driven leaders, the issue carries even greater weight. Stewardship requires foresight. Caring for people includes protecting the information entrusted to the organization. Building a business for a greater purpose demands diligence in the systems that sustain it. Data integrity supports relational integrity.
It’s time to move beyond awareness toward action. That action includes assessing vulnerabilities, investing in expertise, strengthening internal controls, and cultivating a culture of digital discernment. It also includes acknowledging risk honestly while committing to excellence in prevention and response.
The leaders who will thrive in the coming decade are those who treat data protection as a core expression of trust. They recognize that technology enables growth, and discipline preserves it. They lead with humility, preparation, and resolve.
Every business remains a people business. Today, every business also bears the responsibility of safeguarding the data that enables modern commerce. Leadership in this era calls for nothing less.
