Why your business should consider security — the data behind "it won't happen to me"

The most expensive sentence in small-business security is some version of "it won't happen to me." We hear it on intake calls every week. A Scottsdale restaurant owner with no after-hours coverage, a Tempe contractor with $200K of equipment sitting at a fenced jobsite, a Phoenix professional-services firm with a bookkeeper who has been with them for eight years and signs every check. The owner has done the math on what a real program would cost. They have not done the math on the alternative.

This post is the second-opinion version of that math. It uses real numbers from the FBI's Uniform Crime Reporting program, Phoenix Police Department open data, the Bureau of Justice Statistics, the ACFE's 2024 Report to the Nations, and small-business victimization studies published in 2024 and 2025. No editorializing — just what the data actually says about how likely an incident is for a Valley business, and where the risk is concentrated.

The headline: commercial burglary, commercial robbery, and employee theft each happen at materially higher rates than most owners assume, and a meaningful share of businesses experience at least one of the three in any given five-year window. If you operate in the Valley, the probability that nothing happens during a decade of operation is not as high as the gut says it is.

The Phoenix-specific numbers

Phoenix Police Department publishes its own crime data through the city's open data portal. The 2024 reporting period shows the following commercial-relevant counts:

• 892 commercial burglaries — a 14.3% decline from 2023, but still nearly three reported business burglaries every day, across the city's commercial corridors.
• 167 commercial robberies — down 8.7% year-over-year, but still roughly one every 53 hours.
• Overall burglary (residential and commercial combined) of 2,847 cases — a real decline of 18.4%, but still a base rate that puts Phoenix in the top quartile of US cities its size for property crime.
• Total robberies rose from 1,368 in 2023 to 1,503 in 2024 — a real increase of just under 10% even as burglary fell. Robbery is moving in the wrong direction.

NeighborhoodScout's analysis of FBI UCR data shows that in Phoenix, the annual probability of being a victim of a property crime is roughly 1 in 43 — or about 23 events per 1,000 residents. That number is for individuals, not businesses; the per-business rate runs higher because businesses present a larger attack surface (more entry points, longer unattended hours, more inventory and equipment to steal).

If you run a single commercial location in the Valley for five years, the math doesn't say you will be hit. It says the probability of at least one reportable incident is materially higher than the "it won't happen to me" intuition suggests. We covered the cost of a single incident in detail in last week's post; it typically lands between $25,000 and $250,000 all-in.

The national victimization picture

The national data shows the same shape. In 2023, the most recent year for which FBI UCR aggregate commercial data is fully available, 42,508 commercial properties or office buildings were burglarized in the United States. The most-targeted small-business categories were:

• Restaurants: 23,358 burglaries
• Construction sites: 12,979 burglaries
• Convenience stores: 12,397 burglaries
• Discount stores: 12,283 burglaries
• Hotels and motels: 6,808 burglaries
• Places of worship: 6,567 burglaries
• Gas stations: 6,335 burglaries
• Grocery stores: 5,459 burglaries

Two takeaways. First, the per-category counts are real volumes, not theoretical risk. Second, the categories overrepresented in this list — restaurants, contractors, retail, hospitality, and places of worship — are the same categories that disproportionately operate without dedicated security programs. The under-protected segments are also the most-targeted segments. That's not a coincidence; offenders allocate effort against the weakest defended targets.

The insider risk most owners refuse to model

Burglary and robbery are the events owners picture when they hear "security incident." They shouldn't be the events you worry about most. The data says insider theft happens more often, lasts longer, and costs more on a per-event basis.

According to recently published small-business risk research, 95% of businesses are affected by employee theft in some form during their lifecycle. The rate of employees engaging in some form of theft has been rising: roughly 1 in 50 in 2023, 1 in 40 in 2024, and 1 in 35 in 2025. Aggregate employee-theft cost is rising at approximately 15% per year.

The ACFE's 2024 Report to the Nations, which examined 1,921 real occupational-fraud cases across 138 countries, found that organizations with fewer than 100 employees suffered a median loss of $141,000 per fraud case — the second-largest median loss across all organization sizes. The median fraud lasted 12 months before detection. Corruption schemes — kickbacks, vendor steering, billing fraud — were the most common scheme type at small organizations, occurring in 44% of cases.

Put differently: by the time a small Phoenix business detects an internal theft scheme, the perpetrator has typically been at it for a year, the loss is usually six figures, and the perpetrator is usually a trusted manager or above. That doesn't match the mental model most owners walk around with.

Why the "it won't happen to me" frame is broken

Three cognitive errors keep this frame in place. They're worth naming because none of them survive contact with the numbers.

1. Confusing low base rate with low total probability

A 2% annual chance of a reportable incident sounds small. Over a ten-year operating window, the cumulative probability of at least one incident pushes well past 18%, even before you account for the fact that a business that has been hit once is statistically more likely to be hit again. Annual probability is the wrong unit.

2. Anchoring on the visible event

Owners visualize burglary because they remember the broken window in the news. They don't visualize twelve months of vendor kickbacks because there's nothing to see. The events that don't make a noise are the ones that compound the most damage.

3. Survivorship bias from peers

"My friend has run his shop for fifteen years and never had a problem." The friend has either been lucky, has unreported losses he doesn't know about, or is the statistical exception. None of those generalize to your situation. Underreporting in small-business victimization studies is well-documented: BJS data suggests roughly 30–40% of commercial property crime never reaches a police report at all.

What changes the risk profile in your favor

None of this is an argument for paranoia. It's an argument for proportionate, documented controls. The same data sources that show the risk also show what reduces it.

The ACFE's research consistently shows that organizations with active fraud-detection controls — segregation of duties, surprise audits, anonymous reporting hotlines, vendor-master reviews — catch fraud roughly twice as fast and lose about half as much as organizations without those controls. The marginal cost of those controls is far less than the marginal cost of a single incident.

For property crime, Phoenix PD's published reductions in commercial burglary correlate with two operational factors: improved lighting and verified camera coverage. These aren't expensive interventions. They are, however, frequently overlooked because the "old camera that may or may not be recording" is in place and no one has checked.

For the workplace-violence and active-aggressor scenarios that don't show up in property-crime statistics but do show up in BLS workplace-injury data, the cheapest preparation dollar an Arizona owner can spend is a tabletop exercise — running a scenario with the team in advance so they know what's expected of them. STRAPT's risk consulting work includes tabletop exercises as a default deliverable for this reason.

How to think about the spend

The frame that works for most owners we talk to is "what is the smallest credible program that materially reduces my actual risk profile?" That's a very different question from "what's the cheapest vendor I can hire?" — and it produces very different answers.

For most small and mid-size Valley businesses, the smallest credible program looks like four things. Working, monitored surveillance with retention. Documented access control with named keyholders and an off-boarding procedure for departing employees. A vendor-master review and segregation-of-duties practice that limits insider exposure. And one tabletop exercise per year on a workplace-violence or active-aggressor scenario, so the team is not improvising the first time something happens.

That's most of the program for most operators. None of it requires a national-firm contract. None of it requires a fortress aesthetic. It does require deciding to do it, which is the part most owners postpone until after the incident.

What this means for you

If you operate a small or mid-size business in the Valley, the actuarial reality is straightforward. Commercial burglary, commercial robbery, and insider theft each happen at meaningful base rates, and the cumulative probability over a five- or ten-year horizon is materially higher than "it won't happen to me" assumes. The events with the highest dollar impact — insider fraud and workplace-violence — are the ones owners model least.

The controls that reduce that exposure are not exotic and not expensive. The right question isn't "do I need a security program?" — for most operators the answer to that has already been quietly answered by the data. The right question is "is the program I have actually sized to the risk in front of me?" For most owners, the honest answer is "I don't know — I've never had it stress-tested."

A 30-minute conversation with someone who runs this work for a living gets you a real answer. Request a confidential conversation and we'll tell you, with specifics, what your current posture is doing well and where it's exposed. Or browse our resources page for owner-level material on specific topics — including last week's post on what a real incident actually costs if you want the dollar context to go with the probability context.