Lessons from Hamilton's Ransomware Attack: What SMB Owners Can Learn

When the City of Hamilton first called it a "cyber incident" back in February 2024, most of us shrugged and went back to work. Then the word ransomware started appearing in the updates, and the price tag climbed into the millions.

That's when a lot of local business owners I talk to started asking the same question: "If they can nail the City, what chance do we have?"

Fair question. But here's the thing: the Hamilton attack is actually a really good playbook for what to do and what not to do as a smaller business.

What Actually Happened (In Simple English)

Here's the bare-bones version of the story:

• Attackers got in through an internet-facing server.
• They poked around quietly, learned how things were set up, then encrypted a pile of systems.
• The City refused to pay an eight-figure ransom demand.
• They leaned on backups and a long, painful recovery process that's cost millions so far.

You don't run a city, but you do rely on:

• Invoices going out on time
• Payroll files actually opening
• Supplier and client data staying put

Same game, smaller bench.

5 Blunt Lessons for SMB Owners

1. "We're too small to be a target" is fiction

Insurance groups and federal reports have been saying for years that small businesses get hit regularly; they just don't always make the news. If criminals will take on a municipality, they'll happily encrypt a 15-person construction firm that's easier to crack.

2. Your backups are either ready… or useless

Hamilton's attackers tried (and failed) to destroy all the City's backups. The reason you're reading about an expensive recovery instead of a total collapse is that at least some backup strategy held.

For you, that means:

• Don't rely on a single USB drive in the office.
• Use a proper 3-2-1 style backup (more on that in the June post).
• Test restores. A backup you've never restored is just hope in a box.

3. Old servers and "temporary" setups come back to haunt you

These attacks rarely start on the shiniest, newest system. They sneak in through:

• Old remote access tools
• Unpatched on-prem servers
• Forgotten websites or portals

Do a quick inventory: if you can't list what's exposed to the internet, that's your first risk.

4. Communication matters more than you think

The City got hammered in the comments section for how they communicated, how long things took, and which services came back first.

If you ever get hit, your staff, customers, and maybe the press will ask:

• "What happened?"
• "What are you doing about it?"
• "Can we trust you with our data?"

You don't need a PR agency, but you do need a plain-language plan.

5. Incident response isn't just for "big guys"

The federal government has had a formal cyber incident response plan and guidance for smaller organizations for years now. That's because when something breaks, you don't want to improvise under stress.

What This Means for a Business on the Mountain or Along the QEW

Here's how I'm telling local clients to respond to Hamilton's wake-up call:

Do a 60-minute risk review

Sit down with your IT person (or MSP) and ask:

• What systems are exposed to the internet?
• Where are our backups, and when were they last tested?
• Who has admin access, and do they really need it?

Lock down remote access

If staff can log in from home:

• Use a VPN or secure remote tool
• Turn on multi-factor authentication (MFA)
• Shut off anything that's no longer used

Patch the obvious stuff

Prioritize:

• Old servers
• Firewalls
• Remote desktop gateways
• Any software that handles payments or client data

Write a bare-bones incident plan

One or two pages that answer:

• Who do we call first?
• How do we isolate affected systems?
• Who talks to customers?
• Where are the backups and who can restore them?

Talk to your broker about cyber insurance

Cyber insurance isn't magic, but it can blunt the financial hit. Insurers now expect basic protections in place before they'll pay out.

"So What Should We Actually Do This Quarter?"

If you want a simple, Hamilton-style checklist:

• This month: inventory your systems and backups
• Next month: enable MFA on email, remote access, and key apps
• Next quarter: run a short incident-response tabletop with your leadership team
• This year: make sure your cyber insurance and your actual security setup line up

The City's bill is going to end up around what some folks spend on a small building. You don't want to learn these lessons at that price point.