
Cybercrime does not skip small businesses. It prefers them — and its favorite tool is not code. It is your trust, your busyness, and a Friday afternoon.
The Problem, Lived
“Michelle” runs a customs brokerage in Kingston — fourteen staff, twenty years of reputation, and a business that lives in its inbox: shipping documents, duty payments, client instructions, all day, every day. On a Friday afternoon in April, an email arrived from the accounts department of her largest client. Same signature block, same courteous tone, referencing a genuine pending refund — with one update: new banking details, effective immediately, and a polite note that the matter was time-sensitive. Her accounts clerk, efficient as always, processed it before the weekend.
The real client called on Tuesday, asking about the refund. The email address, examined at last, was one letter different from the genuine domain. The money had landed in a local account and left it within hours, hopping beyond recall. There was no virus, no dramatic breach, no hooded figure in a basement — just a spoofed address, a plausible story, and the exploitation of the most reliable software on earth: a helpful human under time pressure. Two weeks later, as if the universe were underlining the lesson, a staff member nearly opened an attachment that her email provider flagged as ransomware. Luck, not preparation, made the difference between a bad month and a lost decade of files.
Michelle’s deepest wound was not the money. It was the collapse of the sentence she had leaned on for years: “We’re too small for anyone to bother with.” She now understands the truth that regional cybercrime figures keep confirming: smallness was never protection. Smallness was the qualification — a business with real money flowing and no controls guarding it is not beneath the attacker’s notice. It is precisely the profile the attack was built for.
Why It Happens Here
The too-small-to-matter myth survives because owners imagine a human attacker choosing targets. Most attacks are automated and size-blind — scanning for weak sign-ins by the million — while the human-run frauds, like the one that found Michelle, deliberately hunt smaller firms because that is where the controls are thinnest: no dual approvals, no verification rituals, one overworked person handling payments. Add the standard small-firm exposures — passwords reused across a decade of accounts, business run partly through personal devices and chats, backups that do not exist or have never once been tested — and the target is not just soft. It is pre-packaged.
The regional context sharpens everything. Digitalization has sprinted ahead of security culture — businesses that moved online in five years are running on trust habits formed offline over fifty. Payment flows in hard currency make regional firms lucrative marks. Incident-response resources are thin, and — most corrosive of all — a shame culture keeps victims silent, so each business learns nothing from its neighbor’s disaster and the same fraud harvests the same street twice. Meanwhile the actual perimeter of a small firm is not its router. It is its people — and almost nowhere are the people trained, because training is assumed to be an IT department’s job, and there is no IT department.
| The Four Horsemen of the Fraudulent Email
Nearly every payment fraud rides on the same four signals: URGENCY (‘today, please’), AUTHORITY (the boss, the big client, the bank), SECRECY (‘handling this quietly’), and a CHANGE OF PAYMENT DETAILS. Teach every person who touches money one rule: any two horsemen together means stop and verify by phone — on a number you already had, never one from the email. This single discipline, costing nothing, defeats the most lucrative cybercrime on earth more reliably than any appliance ever sold. |
Why Generic Advice Fails
Enterprise security literature assumes an enterprise: security operations centers, chief information security officers, tool stacks with six-figure renewals. At the other pole sits fear marketing, selling boxes and dashboards to frightened owners without changing the behaviors that actually get exploited. The honest arithmetic of small-business security is this: the substantial majority of real-world protection comes from a handful of disciplines that cost little or nothing — and no product replaces them, because the attacks are aimed at your habits, not your hardware. What a small firm needs is not an IT department. It is five shields, installed and practiced.
The Framework: CARISK™ — The Five Shields™, Step by Step

Drawn from Dawgen Global’s CARISK™ cyber risk framework, sized for a business with no technical staff:
- Shield 1 · Shield the Sign-In — Email is the master key to your business — password resets, payment instructions, client trust all flow through it — so defend it like the vault it is. Turn on multi-factor authentication today for email, banking and cloud services: the single highest-value security act available to any business, typically free, done in an afternoon. Then retire the reused password with a password manager, so every account holds its own strong key. Most automated attacks simply end here, at a locked door that costs nothing to install.
- Shield 2 · Shield the Money — Technology did not fail Michelle; process did — so build the process. Two written rules, no exceptions, including for the boss: any change to payment or banking details is verified by a phone call to a number you already hold; and any payment above a set threshold requires two people. These controls are deliberately inconvenient — the inconvenience is the security — and they kill business email compromise, the region’s most expensive fraud, at the exact moment it strikes. Paper beats malware here. Install the paper.
- Shield 3 · Shield the Data — Run the 3-2-1 rule: three copies of your critical data, on two different types of storage, with one copy off-site or in the cloud — and, the step everyone skips, test a restore quarterly, because an untested backup is a rumor. Done properly, this converts ransomware from an existential event into a bad afternoon: the extortionist’s entire business model depends on your files existing in only one place. Refuse the premise, and the ransom note becomes junk mail.
- Shield 4 · Shield the Humans — Your people are the perimeter, so train the perimeter: fifteen minutes a quarter — real phishing examples, the Four Horsemen, and a pause protocol for any request combining money with pressure. Pair it with the rule that makes all of it work: reporting a suspicious click or a near-miss is praised, never punished, because the employee too ashamed to report is the breach that runs for weeks. A team that spots, pauses and reports is worth more than any device on the market — and costs an hour a year.
- Shield 5 · Shield the Recovery — Assume a bad day anyway, and pre-decide it: one page, printed, reachable without a computer — who calls the bank (in wire fraud, the first hours decide whether recall is possible), who calls your advisors, who talks to affected clients, where the backups live and how to restore them. Review whether cyber insurance fits your exposure and what its conditions require of you in advance. Then walk the team through the page once a year. A practiced bad day is an incident. An unpracticed one is a story your competitors tell.
The Framework in Action: A Worked Scenario
The following scenario is a fictional composite created for this series to illustrate the framework. It does not depict any actual business or client of the firm.
Michelle rebuilds in the order of the shields. Multi-factor authentication goes onto email and banking the same week — an afternoon, exactly as advertised. The two money rules are written, laminated, and announced with the sentence that gives them teeth: ‘These apply to me first.’ The 3-2-1 backup is configured and, a month later, deliberately tested with a mock restore that surfaces — and fixes — a folder nobody had included. The quarterly drills begin, built around her own fraud, anonymized: her staff study the actual email that cost them, and the Four Horsemen stop being abstract.
The framework’s proof arrives three months later, on another Friday. Another email, another supplier, another polite change of banking details — and the same accounts clerk who processed the first fraud is the one who catches the second, because now there is a rule where there used to be only judgment under pressure. The callback takes ninety seconds; the fraud dies quietly. In this illustration, the original loss is never recovered — most are not, which is the entire argument for the shields — but the firm’s trajectory changes in a way Michelle did not predict: she tells the story, plainly, at an industry association meeting, breaking the silence that had protected only the attackers. Within a season, the callback rule is spreading through her broker network. The most valuable thing she installed turned out to be the willingness to say it happened.
Self-Diagnostic: How Wide Open Is the Door?
One point for every “no”:
- Is multi-factor authentication active on your email, banking and cloud accounts — everyone’s, not just yours?
- Does a written callback rule govern every change to payment details, using numbers you already hold?
- Do your critical files follow 3-2-1 — and has a restore been tested in the last quarter?
- Has every staff member had fraud-spotting training in the past year, with shame-free reporting?
- Does a printed one-page plan say who calls the bank, the advisor and the client on the bad day?
Two or more points means the door is open and the street is being scanned. The repairs cost almost nothing. The delay is the only expensive part.
When to Call In Help
Bring in professional support when the exposure outgrows the checklist: when you handle client funds or sensitive data and need the controls independently assessed; when regulators, insurers or large customers begin asking security questions you cannot yet answer; when an incident has already happened and quiet, competent response matters more than anything; or when you simply want the five shields installed, tested and drilled by people who do it weekly. Cyber risk is not an IT topic. It is a business survival topic that happens to involve computers — which is exactly why it belongs in your risk framework, not your someday list.
| REQUEST A CARISK™ CYBER HEALTH CHECK
Dawgen Global’s Cybersecurity team, through the CARISK™ framework, delivers a Cyber Health Check built for businesses without IT departments: your sign-in, payment, backup and human defenses assessed against the Five Shields™, the gaps closed in priority order, your team drilled on the Four Horsemen, and your one-page bad-day plan written and rehearsed — with incident response standing behind you if the bad day has already arrived. Contact us today, in confidence, to request your Cyber Health Check. 📩 [email protected] | 📞 876-929-3670 / 876-665-5926 | 🇺🇸 855-354-2447 | 🌐 dawgen.global GET THE FULL PLAYBOOK This is Article 18 of The Caribbean Entrepreneur’s Playbook™ — 20 problems, 20 how-to frameworks, one system. Pre-register at dawgen.global to receive the complete Playbook e-book on release, free. |
About Dawgen Global
Dawgen Global is an independent, integrated multidisciplinary professional services firm headquartered at 47 Trinidad Terrace, New Kingston, Jamaica, serving more than 15 territories across the Caribbean. Founded and led by Dr. Dawkins Brown, Executive Chairman, the firm is independent and not affiliated with any international network. It delivers a full suite of professional services under one roof: audit and assurance; tax advisory; IT and digital transformation; risk management; cybersecurity; actuarial and insurance regulatory advisory; HR advisory; mergers and acquisitions; corporate recovery; business advisory and strategy; accounting BPO and virtual CFO services; and legal process outsourcing.
The proposition is simple: big-firm capability without the big-firm price. Dawgen Global’s integrated approach is built for the specific complexities and opportunities of the Caribbean market, helping organizations make sharper, better-informed decisions that drive measurable progress.
To explore a partnership, reach out:
- Website: dawgen.global
- Email: [email protected]
- WhatsApp (Global): +1 555-795-9071
- Caribbean offices: +1 876-665-5926 | +1 876-929-3670 | +1 876-926-5210

