When people think about cybersecurity, they often assume the biggest risks belong to companies with outdated systems, weak passwords, or no real IT support.

But the recent ADT cybersecurity incident is a reminder that even large, trusted, security-focused companies are still targets.

ADT reported that its cybersecurity systems detected unauthorized access to a limited set of customer and prospective customer data on April 20, 2026. According to ADT, the company immediately activated response protocols, terminated the intrusion, launched a forensic investigation with third-party cybersecurity experts, and notified law enforcement. 

The company said the information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also included. ADT also stated that no payment information, bank accounts, credit cards, or customer security systems were affected. 

That last part matters. This was not reported as a compromise of customer alarm systems. But it still involved personal information, and personal information has value.

Have I Been Pwned lists the ADT breach as impacting 5.5 million unique email addresses, along with names, phone numbers, and physical addresses. 

For business owners, the lesson is not to panic. The lesson is to pay attention.

Cybersecurity is not only about stopping one dramatic attack. It is about reducing the number of ways someone can get in, limiting what they can access if they do, and responding quickly when something suspicious happens.

That matters for every business.

Your company may not be ADT, but you still have customer records, employee information, financial tools, cloud platforms, vendor accounts, email systems, and internal data that needs to be protected.

And attackers do not only care about company size. They care about opportunity.

A weak password is an opportunity.
An old employee account is an opportunity.
A shared login is an opportunity.
A missing MFA setting is an opportunity.
A cloud tool with too much access is an opportunity.
A vendor account no one reviews is an opportunity.

The ADT incident is a good reminder that trust does not replace security controls. Reputation does not replace monitoring. And having technology in place does not mean every risk has been addressed.

Businesses need to think about cybersecurity in layers.

The first layer is access. Who can get into your systems? Who still has access but should not? Which accounts have admin permissions? Are old users removed quickly when employees leave? Are shared passwords still floating around in browsers, spreadsheets, or documents?

The second layer is protection. Is multi-factor authentication enabled on critical accounts? Are passwords strong and unique? Are endpoint devices monitored? Are security updates being applied? Are backups running correctly?

The third layer is visibility. Would your business know if someone accessed a system they should not? Would unusual login activity be caught? Would suspicious behavior trigger a response?

The fourth layer is response. If something happened today, who would handle it? Who would contact vendors? Who would notify leadership? Who would restore systems? Who would communicate with customers?

A lot of businesses do not find these gaps until something goes wrong.

That is the problem.

Cybersecurity should not be a reaction after an incident. It should be part of how the business operates every day.

The ADT story also shows why protecting data matters even when financial accounts or core systems are not affected. Names, emails, phone numbers, and addresses can still be used for phishing, impersonation, scams, and social engineering. Once personal information is exposed, attackers can use it to make future messages look more believable.

For example, a scam email that includes a person’s name, address, or phone number feels more convincing than a random message. That is why data exposure can create risk long after the original incident is contained.

For small and midsize businesses, this is where practical cybersecurity makes the biggest difference.

You do not need to make security complicated. You need to make it consistent.

Start with the basics:

Review who has access to your systems.
Remove old users and unnecessary admin permissions.
Turn on MFA for critical accounts.
Use a password manager instead of shared or reused passwords.
Keep software and devices updated.
Monitor for suspicious activity.
Back up important data.
Have a response plan before something happens.

The companies that are best prepared are not the ones that assume they will never be targeted. They are the ones that know the risk is real and take steps to reduce it before it becomes a crisis.

The ADT incident is a reminder that cybersecurity is not just an IT issue. It is a business trust issue.

Customers trust businesses with their information. Employees trust businesses with their data. Partners trust businesses to keep systems running. That trust needs to be protected.

At Engler IT, we help businesses strengthen their cybersecurity foundation, review access, improve protection, and build smarter systems before small gaps become major problems.

Because if a trusted security company can become a target, every business should be asking:

Are we doing enough to protect the people who trust us?