In November 2020, hackers broke into Shirbit, one of the largest insurance companies in the country. They didn't steal money. They stole documents. Scanned ID cards. Marriage certificates. Financial records. Medical files. The kind of paperwork that sits in every accounting firm, law office, and HR department.

Shirbit's annual profits dropped 97%. Four class-action lawsuits piled up, totaling NIS 1.2 billion. The company was eventually acquired by Harel Insurance. A business built over decades, brought to its knees by stolen paperwork.

That was a company with a legal team, a cybersecurity budget, and insurance. Most small businesses have none of those.

The numbers nobody talks about

In 2025, the Israel National Cyber Directorate received 26,500 reports of cyber incidents. That's a 55% jump from the year before. The head of the Directorate disclosed that two petabytes of data have been stolen from citizens in recent years, roughly 100 times the digital holdings of the National Library.

According to multiple international reports, this country ranked as the #1 most attacked in the world for geopolitically motivated cyberattacks in 2025, surpassing both Ukraine and the United States.

And yet, 57% of small business owners believe they won't be targeted.

They're wrong. Small businesses account for 43% of all data breaches globally. Not because they hold more valuable data than large corporations. Because they're easier to break into.

What a breach actually costs?

IBM's 2025 Cost of a Data Breach Report puts the Middle East regional average at $7.29 million per incident. That figure is skewed by oil companies and major banks, so it doesn't directly apply to a 10-person accounting firm. But the breakdown is instructive.

According to Coveware's Q4 2024 report, the median ransom payment dropped to approximately $110,000, roughly NIS 400,000. That's the ransom alone, before you count legal fees, forensic investigation, client notification, lost business, and reputation damage.

IBM found that nearly half of total breach costs are incurred more than a year after the incident. The initial crisis is just the beginning. The lawsuits, regulatory fines, client departures, and remediation drag on for years.

Half of small businesses that suffer an attack take more than 24 hours just to get back online. For a firm that bills by the hour, every day offline is revenue that never comes back.

What Shirbit teaches every small business?

Look at what was actually stolen from Shirbit. Not source code. Not trade secrets. Scanned copies of ID cards. Marriage certificates. Financial documents. Medical records.

These are the exact same documents that sit in filing cabinets, desk drawers, and shared folders at every small accounting firm, law practice, and medical clinic. The only difference is scale. Shirbit had hundreds of thousands of clients. Your firm might have a few hundred. But to each of those clients, their personal data matters just as much.

Physical documents are the forgotten vulnerability. A digital system can log who accessed a file, when, and from where. A filing cabinet cannot. A stolen hard drive triggers alerts. A stolen file box triggers nothing. There's no encryption on paper. There's no access control on a drawer.

When attackers breached multiple companies through their service providers in 2025, the pattern was clear. It's not just your own security that matters. It's everyone who touches your data.

Amendment 13 changed everything

On August 14, 2025, Amendment 13 to the Privacy Protection Act went into effect. This is the most significant change to data protection law in decades, and most small businesses haven't heard of it.

The law introduced administrative fines that can reach hundreds of thousands of shekels, with multipliers for sensitive data. For smaller businesses, the annual cap is NIS 140,000 in fines. That alone could sink a small firm.

But fines are not the real threat. The real threat is civil liability. Under Amendment 13, individuals can sue for statutory damages of up to NIS 100,000 per person, without needing to prove they suffered any actual harm. They just need to show their data was mishandled.

Think about that. An accountant with 200 client files in an unsecured cabinet. If those records are compromised, even partially, each client can claim up to NIS 100,000. No need to prove financial loss. No need to prove identity theft. The exposure existed. That's enough.

Class actions are now explicitly possible under the amendment. The Privacy Protection Authority can issue binding orders, suspend databases, and publish the names of violators for four years. HOT Telecom was already fined NIS 70,000 in one of the first enforcement actions. The regulator is not waiting.

The disconnect

Small businesses sit at the center of a growing gap. On one side, attacks are surging. Phishing alone accounts for 52% of all reported incidents. Attackers are actively shifting toward softer targets because large corporations have hardened their defenses.

On the other side, the legal consequences of a breach have never been higher. Amendment 13 turned client data protection from a best practice into a legal obligation with real penalties.

In the middle sits the average small business. 23% use no device security at all. 32% rely on free consumer-grade tools. More than a quarter have no security plan of any kind.

99.8% of all businesses in this country are small or medium-sized. They generate 62% of economic output and employ nearly 69% of the private workforce. They are the economy. And they are the least prepared.

What this means in practice?

The filing cabinet in the corner of your office is not just furniture. It's a database under the law. The client documents inside it, ID copies, financial statements, contracts, medical records, are regulated data. If they're stolen, lost, or accessed by someone unauthorized, you're liable.

This isn't about buying expensive security software. It's about basic document hygiene. Knowing what data you hold. Knowing where it lives. Controlling who can access it. Having a record of that access. Keeping sensitive documents off the open internet, away from unencrypted email attachments and free online conversion tools.

Shirbit was a large company with resources. They survived, barely, through acquisition. A 5-person accounting firm in a regional town doesn't have that option. When client data walks out the door, the business walks out with it.

The question for small business owners is not complicated. It's just uncomfortable: do you know where all your client documents are right now, and who has access to them?

If you can't answer that with certainty, the problem already exists.

Sources

[1] Asero Consulting, "The Implications of the Cyber Breach Against Shirbit Insurance Company." https://asero.com/case-studies/the-implications-of-the-cyber-breach-against-shirbit-insurance-company/

[2] Times of Israel, "Hackers breach Israeli insurance company, steal client data," November 2020. https://www.timesofisrael.com/hackers-breach-israeli-insurance-company-steal-client-data/

[3] Calcalist, "Shirbit analysis," 2020. https://www.calcalistech.com/ctech/articles/0,7340,L-3903077,00.html

[4] Israel National Cyber Directorate, "2025 Annual Summary." https://www.israeldefense.co.il/en/node/67966

[5] Israel National Cyber Directorate, "2024 Annual Summary." https://www.gov.il/en/pages/booklet_yearly_summary_2024

[6] CyberExpress, "Israel Data Breach: INCD Head Reveals Two Petabytes of Data Stolen from Citizens." https://thecyberexpress.com/israel-data-breach-incd-head/

[7] Times of Israel / Radware 2026 Global Threat Analysis Report, "Israel ranks #1 among countries targeted by geopolitical cyberattacks in 2025."

[8] Verizon, "Small Business Cyber Security and Data Breaches." https://www.verizon.com/business/resources/articles/small-business-cyber-security-and-data-breaches/

[9] IBM, "Cost of a Data Breach Report 2025." https://www.ibm.com/reports/data-breach

[10] IBM, "Cost of a Data Breach Report 2024." https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs

[11] Coveware, "Quarterly Ransomware Report, Q4 2024." https://www.coveware.com/blog/2025/1/24/q4-2024-quarterly-ransomware-report

[12] Jerusalem Post, "Iran and Russia-linked ransomware attacks targeting Israeli businesses," 2025. https://www.jpost.com/defense-and-tech/article-872075

[13] Safetica, "Israel's Amendment 13: What the New Data Protection Law Means for Your Business." https://www.safetica.com/resources/guides/israel-s-amendment-13-what-the-new-data-protection-law-means-for-your-business

[14] IAPP, "Israel Marks a New Era in Privacy Law: Amendment 13 Ushers in Sweeping Reform." https://iapp.org/news/a/israel-marks-a-new-era-in-privacy-law-amendment-13-ushers-in-sweeping-reform

[15] BigID, "What Israel Amendment 13 Means for Businesses in 2025." https://bigid.com/blog/what-israel-amendment-13-means-for-businesses-in-2025/

[16] Calcalist, "SMBs comprise 99.8% of all businesses in Israel" (Hebrew). https://www.calcalist.co.il/articles/0,7340,L-3711954,00.html