2019 Year in Review: The IT Headlines That Should Change How Miami Small Businesses Plan for 2020

As 2019 closes, it is worth stepping back from the individual incidents and news cycles to look at the full picture of what the year revealed about technology risk for small and mid-size businesses. Several significant trends crystallized in 2019 that should directly shape how Miami business owners think about technology investment and risk management heading into 2020. Here is our team's reading of the year's most important lessons.

The 5 Most Important IT Stories of 2019 for Small Business Leaders

1. Municipalities Became Ransomware's Favorite Target

The City of Baltimore spent $18 million recovering from a ransomware attack that began with a single phishing email and a single vulnerable open RDP port. New Orleans declared a state of emergency after Ryuk ransomware hit its systems in December 2019. Riviera Beach, Florida (population 35,000) paid a $600,000 ransom in June. The lesson for private businesses is not "this only happens to governments." It is the opposite: attackers that refined their techniques on under-resourced government networks are now applying those same techniques to private sector targets with similar security maturity. Municipalities are a proxy for where small business attacks are headed.

2. Capital One Proved That Cloud Misconfiguration Is the New Perimeter Breach

In July 2019, a former AWS employee exploited a misconfigured web application firewall in Capital One's AWS environment to extract over 100 million customer records. Capital One paid $80 million in regulatory fines and faced class-action litigation. The vulnerability was not a sophisticated zero-day — it was a configuration error that any experienced cloud security professional would have flagged. The lesson: moving to the cloud does not inherently make you more secure. A misconfigured cloud environment is as dangerous as a misconfigured on-premise one. Cloud security requires active management, not just migration.

3. Third-Party Vendor Breaches Became the Dominant Attack Vector for SMBs

The AMCA healthcare breach, the Citrix breach (exposing 6TB of sensitive files), and dozens of smaller incidents demonstrated that attackers increasingly target vendors to gain access to their client organizations. For small businesses, this translates directly: your IT provider, your payroll vendor, your accounting software, and your CRM are all potential breach vectors. Vendor risk management — previously considered an enterprise concern — is now a baseline SMB security practice.

4. CCPA Passed, Signaling a U.S. Privacy Regulatory Wave

California's Consumer Privacy Act (CCPA) takes effect January 1, 2020 — the most significant U.S. privacy regulation since HIPAA. While it primarily applies to businesses with over $25M revenue, 50,000+ California consumer records, or 50%+ revenue from selling personal data, its passage signals a direction for state-level privacy legislation that will affect smaller businesses as similar laws pass in other states. Florida privacy legislation is already being discussed in Tallahassee. Businesses that built GDPR-ready data governance in 2018 are well-positioned. Those who have not need to start.

5. 5G Deployment Began — With Significant Security Implications Not Yet Resolved

Major U.S. carriers began 5G deployment in 2019, with broader rollout expected through 2020–2022. For businesses, 5G's relevance in the near term is primarily in IoT (Internet of Things) expansion — more connected devices at higher speeds create a larger attack surface. The security architecture for 5G has unresolved questions that NIST and major cybersecurity researchers have flagged. Businesses planning significant IoT deployments in the next 2–3 years should include 5G security considerations in their planning now.

The 5 IT Investments That Will Pay Off Most in 2020

1. 1Immutable offsite backup: The single most important control against Ryuk-style ransomware. Every business should enter 2020 with a tested, cloud-based, immutable backup that ransomware cannot reach or delete.
2. 2MFA on all accounts: Still not universal in small businesses, still the highest-ROI security control available. Enter 2020 with MFA enabled on every email account, cloud service, and line-of-business application.
3. 3Endpoint Detection and Response (EDR): Legacy antivirus does not detect the behavioral patterns of modern ransomware and account compromise tools. EDR does. This is the security tool that most deserves to replace basic antivirus in 2020.
4. 4Vendor risk review: Before Q1 2020 is over, know which vendors have access to your systems and data. Ask each one about their security posture. Revoke any access that is no longer needed.
5. 5Windows 10 migration (before January 14th): Windows 7 end of life is January 14, 2020. If you have not completed this migration yet, it is your most urgent IT action item entering the new year.

A Note from Our Team

Every year, we write a version of this piece, and every year the conversation is roughly the same: the threats are evolving faster than defenses, small businesses are disproportionately exposed relative to their ability to absorb the consequences, and the gap between what is technically possible and what most businesses actually have in place is wider than it should be. What changes each year is the stakes. The average cost of a breach for a small business in 2019 is three times what it was in 2015. The average ransom demand is up 200% year over year. The trends do not suggest this pressure will relent. What it suggests, for us, is that getting businesses properly protected is more urgent than it has ever been.