Small Business Cybersecurity Statistics and Trends [2026]
88% of small business breaches include ransomware. That is 2.3x the rate at larger organizations (Verizon DBIR 2025). If you run or work in a small business, cybersecurity is no longer optional; it is survival.
You'll find 51+ statistics across 16 categories — from SMB breach costs and ransomware to small business cyber insurance and employee training — sourced from Verizon, IBM, Sophos, StrongDM, VikingCloud, and more. Each section includes original analysis cross-referencing multiple reports to surface insights you won't find in any single source.
Small Business Cybersecurity Statistics at a Glance
- 43% of all cyberattacks target small businesses (Verizon / Cybersecurity Magazine)
- 61% of SMBs experienced a breach in the past year (PreVeil 2025)
- 88% of SMB breaches included ransomware — vs 39% at larger orgs (Verizon DBIR 2025)
- $3.31M average breach cost for businesses with <500 employees (IBM)
- 47% of businesses <50 employees have zero cybersecurity budget (StrongDM)
- 17% of US small businesses have cyber insurance vs 62% in the UK
- 95% of cybersecurity incidents attributed to human error (BDEmerson)
- 7x improvement in phishing resistance with consistent training (Cofense)
Last updated: March 2026
📊 Small Business Cybersecurity: Key Numbers
43% of all cyberattacks target small businesses (Verizon / Cybersecurity Magazine). 61% experienced a breach in the past year (PreVeil 2025). The average breach cost for businesses with fewer than 500 employees is $3.31 million (IBM). Meanwhile, 47% of businesses with fewer than 50 employees allocate zero budget to cybersecurity (StrongDM 2025).
SMBs are 3x more likely to be targeted than larger firms (PreVeil) and account for 46% of all cyber breaches globally (StrongDM). The most alarming figure: 88% of SMB breaches included a ransomware component (Verizon DBIR 2025), compared to just 39% at larger organizations. Small businesses receive the highest rate of targeted malicious emails at 1 in 323 (Verizon DBIR / StrongDM).
| Finding | Value | Source |
|---|---|---|
| Cyberattacks aimed at small businesses | 43% | Cybersecurity Magazine / Verizon |
| Average SMB breach cost (<500 employees) | $3.31M | IBM Cost of a Data Breach Report 2024 |
| SMB breaches including ransomware | 88% | Verizon DBIR 2025 |
| SMBs breached in the past year | 61% | PreVeil |
| SMBs <50 employees with zero cyber budget | 47% | StrongDM / CrowdStrike |
| US small businesses with cyber insurance | 17% | StrongDM / CNBC |
| Cybersecurity incidents from human error | 95% | BDEmerson |
| SMBs where $100K attack ends the business | 40% | VikingCloud |
SMBs Are 2.3x More Likely to Face Ransomware in a Breach
88% of SMB breaches included ransomware compared to just 39% at larger organizations (Verizon DBIR 2025). That is a 2.3x gap. Larger firms have dedicated security teams, segmented networks, and faster patch cycles. SMBs typically lack all three, making ransomware the dominant breach component. (Verizon DBIR 2025)
🎯 How Often Are Small Businesses Attacked?
61% of small businesses experienced a breach in the past year (PreVeil 2025). That is not a typo. More than six in ten SMBs were compromised. 79% experienced at least one attack in the past five years (Coalition 2025). SMBs are 3x more likely to be targeted than larger firms, accounting for 50% of all attacks despite representing a fraction of economic output.
In the UK, 41% of micro businesses and 50% of small businesses identified breaches or attacks in 2025 (UK Gov Cyber Breaches Survey). 75% of SMB owners now rank cyberattacks as their #1 operational threat in 2026 (VikingCloud / Enterprise Security Tech). Small businesses receive targeted malicious emails at the highest rate of any size category: 1 in every 323 emails (Verizon DBIR / StrongDM).
| Finding | Value | Source |
|---|---|---|
| All cyberattacks targeting SMBs | 43% | Cybersecurity Magazine / Verizon |
| SMBs experiencing a breach in the past year | 61% | PreVeil |
| How much more likely SMBs are targeted vs large firms | 3x | PreVeil |
| All cyber breaches affecting <1,000 employee businesses | 46% | StrongDM |
| SMBs attacked at least once in the past 5 years | 79% | Coalition |
| Targeted malicious email rate for SMBs (highest) | 1 in 323 | Verizon DBIR / StrongDM |
| SMB owners ranking cyberattacks as their #1 operational threat | 75% | VikingCloud |
Why SMBs Are Disproportionately Targeted
SMBs have fewer security controls, less staff training, and smaller budgets. 59% of SMB owners with no security believe they are too small to be attacked (StrongDM). That misconception is the attack vector. Criminals target SMBs precisely because defences are weaker. (StrongDM, PreVeil, Verizon DBIR)
💰 Cost of Cyber Attacks on Small Businesses
$3.31 million. That is the average data breach cost for businesses with fewer than 500 employees (IBM / Deepstrike). TechAisle puts the broader SMB average at $1.6 million. Recovery costs alone average $120,000 (VikingCloud 2025), and downtime runs $53,000 per hour. For a business operating on thin margins, these figures are existential.
40% of SMBs say a $100,000 or less attack could put them out of business (VikingCloud 2025). Breach costs have a long tail: 47% of costs land in the first year, 29% in the second, and 24% persist beyond two years (IBM 2023). Prevention costs 50-60x less than recovery at $5,000-$15,000 annually versus $500,000+ for a single incident (AlphaCIS 2026).
| Finding | Value | Source |
|---|---|---|
| Average breach cost, <500 employees (IBM) | $3.31M | IBM Cost of a Data Breach Report 2024 |
| Average SMB breach cost (TechAisle) | $1.6M | TechAisle |
| Average SMB recovery cost | $120,000 | PurpleSec / IBM |
| Average SMB recovery cost (2025) | $120,000 | PurpleSec / IBM |
| Average SMB downtime cost per hour | $53,000/hour | VikingCloud |
| Breach cost savings from IR plan + trained team | $232K | IBM Cost of a Data Breach Report |
| Prevention vs recovery cost ratio | 50-60x | AlphaCIS |
| SMBs where $100K attack ends the business | 40% | VikingCloud |
Prevention Costs 50-60x Less Than Recovery
Annual prevention measures cost $5,000-$15,000 for a typical small business. A single ransomware incident averages $120,000 in recovery costs (VikingCloud 2025), and can reach $1.6M (TechAisle). That makes prevention 50-60x cheaper than recovery (AlphaCIS 2026). Yet 47% of businesses with fewer than 50 employees allocate zero cybersecurity budget (StrongDM 2025). (AlphaCIS, StrongDM, VikingCloud)
⚠️ Do Small Businesses Survive Cyber Attacks?
The statistic you will see everywhere: "60% of small businesses close within 6 months of a cyberattack." This figure comes from the National Cyber Security Alliance (NCSA, circa 2012-2013) and has been cited across hundreds of publications. It deserves honest analysis.
The Verizon DBIR 2025 paints a less extreme picture: 19% of SMBs face bankruptcy following an attack. VikingCloud (2025) finds 40% of SMBs say even a $100,000 attack would end their business. 75% say they could not continue operating if hit with ransomware (StrongDM 2025). The NCSA's 60% may be an overestimate, but the directional signal is clear: a significant minority of SMBs do not survive major cyber incidents. Whether the real figure is 19% or 60%, neither is acceptable.
| Finding | Value | Source |
|---|---|---|
| SMBs that close within 6 months of attack (NCSA) | 60% | National Cyber Security Alliance |
| SMBs facing bankruptcy post-attack (Verizon) | 19% | Verizon DBIR 2025 |
| SMBs where $100K attack would end business (VikingCloud) | 40% | VikingCloud |
| SMBs that could not continue operating after ransomware | 75% | StrongDM |
The 60% Closure Stat: What the Data Actually Shows
The widely cited "60% of SMBs close within 6 months" comes from the National Cyber Security Alliance (circa 2012-2013) and has been repeated across hundreds of sources. The Verizon DBIR 2025 puts the figure lower at 19% facing bankruptcy. VikingCloud (2025) found 40% of SMBs say a $100K attack would end their business. The truth is somewhere in between: the 60% figure is directionally correct about existential risk, but the precise number is debated among researchers. What is clear: a significant minority of SMBs do not survive a major cyber attack. (NCSA, Verizon DBIR 2025, VikingCloud 2025)
The survival question is not just about the immediate breach cost. 50% of SMBs expect customer loss post-breach; 48% expect reputational damage (VikingCloud). For small businesses that depend on trust and repeat customers, a data breach can erode the customer base over months even if the business initially survives the financial shock.
🔒 Small Business Ransomware Statistics
88% of SMB breaches included a ransomware component (Verizon DBIR 2025). At larger organizations, that figure is 39%. The gap is 2.3x. SMBs are disproportionately hit because they lack network segmentation, endpoint detection, and offline backups that larger firms deploy. 51% of small businesses that fall victim to ransomware pay the ransom (CNBC / Momentive), with 24% paying out of pocket and 27% covered by insurance.
The median ransom payment dropped to $115,000, down from $150,000 in 2024 (Verizon DBIR 2025). 64% of all ransomware victims now refuse to pay, up from 50% two years earlier. But 75% of SMBs say they could not continue operating if hit with ransomware (StrongDM 2025). Ransomware attacks are projected to rise 40% by end of 2026 versus 2024 (Cobalt). 96% of ransomware attacks target backup locations (VikingCloud), and in 54% of incidents, ransomware is deployed within 7 days of initial access.
| Finding | Value | Source |
|---|---|---|
| SMB breaches including ransomware (Verizon DBIR 2025) | 88% | Verizon DBIR 2025 |
| Ransomware rate in larger organizations | 39% | Verizon DBIR 2025 |
| Small org ransomware hit rate (Sophos) | 47% | Sophos State of Ransomware 2024 |
| Small businesses that pay the ransom | 51% | CNBC / Momentive |
| Median ransom payment (Verizon DBIR 2025) | $115K | Verizon DBIR 2025 |
| SMBs that could not survive a ransomware hit | 75% | StrongDM |
| Ransomware victims that refused to pay | 64% | Verizon DBIR 2025 |
Backups Are the Ransomware Defence That Works
96% of ransomware attacks target backup locations (VikingCloud). Organizations with offline, air-gapped backups are the ones that refuse to pay and recover. For SMBs, a tested 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite) costs under $500/year and eliminates the extortion leverage entirely. (VikingCloud, Verizon DBIR 2025)
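An added example (not from the original article or any cited report): a small Python audit that checks a backup inventory against the 3-2-1 rule above, plus the offline and tested conditions the callout names. The `Copy` fields, the finding codes, the sample inventories and the 90-day restore-test window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Copy:
    """One copy of the business data (hypothetical inventory record)."""
    name: str
    media: str                          # e.g. "server-disk", "nas", "cloud", "usb-disk"
    offsite: bool                       # kept away from the primary premises
    offline: bool                       # not reachable from the production network
    last_restore_test: Optional[date]   # None means a restore was never tested


def audit_backups(copies: List[Copy], today: date,
                  max_test_age_days: int = 90) -> List[str]:
    """Return finding codes; an empty list means every check passed.

    The inventory is assumed to list every copy, including the live data.
    The 90-day restore-test window is an assumption, not a figure from the page.
    """
    findings = []

    # 3-2-1: three copies, two media types, one offsite.
    if len(copies) < 3:
        findings.append("fewer-than-3-copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer-than-2-media-types")
    if not any(c.offsite for c in copies):
        findings.append("no-offsite-copy")

    # Ransomware goes after backup locations it can reach, so only offline
    # copies are counted as survivors of an attack on the network.
    survivors = [c for c in copies if c.offline]
    if not survivors:
        findings.append("no-offline-copy")
    else:
        cutoff = today - timedelta(days=max_test_age_days)
        tested = [c for c in survivors
                  if c.last_restore_test is not None
                  and c.last_restore_test >= cutoff]
        if not tested:
            findings.append("offline-copy-not-restore-tested")

    return findings


# Constructed sample inventories (not real data).
TODAY = date(2026, 3, 1)

# Meets the 3-2-1 counts, but every copy is reachable from the network.
WEAK = [
    Copy("live-file-server", "server-disk", offsite=False, offline=False,
         last_restore_test=None),
    Copy("office-nas", "nas", offsite=False, offline=False,
         last_restore_test=date(2026, 2, 20)),
    Copy("cloud-sync", "cloud", offsite=True, offline=False,
         last_restore_test=None),
]

# Same setup plus a rotated, unplugged disk with a recent restore test.
HARDENED = WEAK + [
    Copy("rotated-usb-disk", "usb-disk", offsite=True, offline=True,
         last_restore_test=date(2026, 2, 1)),
]

# Offline copy exists, but its last restore test is older than the window.
STALE = WEAK + [
    Copy("rotated-usb-disk", "usb-disk", offsite=True, offline=True,
         last_restore_test=date(2025, 6, 1)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED), ("stale", STALE)):
        print(label, audit_backups(inventory, TODAY) or "all checks passed")
```

The first inventory shows why the counts alone are not enough: it has three copies, three media types and an offsite copy, yet nothing in it would survive an attacker who can reach the network.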
🎣 Phishing and Social Engineering
33.8% of all breaches against SMBs are phishing, making it the #1 attack type for small businesses (Heimdal Security 2025). 68% of those breaches trace to a single untrained staff member (Keepnet Labs 2025). 74% of all breaches involve the human element (Verizon DBIR 2024). The average phishing breach costs SMBs $200,000 (Keepnet Labs).
Business email compromise (BEC) has cost businesses $55 billion+ over a decade, with average losses of $4.67 million per attack (VikingCloud). SMBs with 1-249 employees have a baseline phishing click rate of 24.6% (Kymatio 2026). The median time-to-click on a phishing link is under 60 seconds (Verizon DBIR 2024), and 20% of users who click also enter credentials. 68% of SMBs lack DMARC policies, making them especially vulnerable to email spoofing (Heimdal 2025).
| Finding | Value | Source |
|---|---|---|
| SMB breaches from phishing (#1 attack type) | 33.8% | Heimdal Security |
| SMB phishing breaches from one untrained employee | 68% | Keepnet Labs |
| All breaches involving the human element | 74% | Verizon DBIR 2024 |
| Phishing resistance improvement from training | 7x | Cofense |
| Cybersecurity incidents from human error | 95% | BDEmerson |
7x Improvement in Phishing Resistance With Training
Employees receiving consistent simulation-based security training are 7x less likely to fall for phishing (Cofense 2023). Yet only 9% of small businesses train quarterly (SQ Magazine 2025), and 68% of SMB phishing breaches start with a single untrained employee (Keepnet Labs 2025). At $5-$15 per employee per month for training platforms, this is the highest ROI security measure available to small businesses. (Cofense, SQ Magazine, Keepnet Labs)
🛡️ Small Business Cyber Insurance
Only 17% of US small businesses have cyber insurance (StrongDM / CNBC). In the UK, that figure is 62% (UK Gov Cyber Breaches Survey 2025), up from 49% the year before. Globally, adoption sits around 38% (SQ Magazine). 64% of small businesses are not even familiar with cyber insurance (StrongDM), and 48% only purchased coverage after being attacked.
Insurance claims are increasing roughly 13% year-on-year (VikingCloud). Average loss per claim is approximately $100,000 (VikingCloud). Ransomware accounts for 19% of all cyber insurance claims. Premiums fell 6% in 2025 from the prior year and are 22% below the 2022 peak (SwissRe), but are forecast to rise 15-20% in 2026 (S&P Global Ratings). 14% of insured firms faced claim denial due to non-compliance (SQ Magazine).
| Finding | Value | Source |
|---|---|---|
| US small businesses with cyber insurance | 17% | StrongDM / CNBC |
| UK small businesses with cyber insurance | 62% | UK Gov Cyber Breaches Survey |
| Small businesses unfamiliar with cyber insurance | 64% | StrongDM |
| Only purchased insurance after being attacked | 48% | StrongDM |
Insurance Gap: 17% in the US vs 62% in the UK
Only 17% of US small businesses have cyber insurance (StrongDM), compared to 62% in the UK (UK Gov Survey 2025). The gap reflects different regulatory environments: the UK government actively promotes Cyber Essentials certification and insurance uptake through procurement requirements. In the US, no federal mandate exists, and 64% of small businesses are not even familiar with cyber insurance (StrongDM). The UK figure rose from 49% to 62% in a single year, showing that policy nudges work. (StrongDM, UK Gov Cyber Breaches Survey 2025)
The UK's success story offers a model. Government-backed Cyber Essentials certification, which many UK insurers require, created a feedback loop: businesses get certified to buy insurance, and the certification itself improves their security posture. No equivalent federal program exists in the US, which explains much of the 17% vs 62% gap. UK penetration by size shows a clear gradient: sole traders 13.1%, micro 26.4%, small 40.1%, medium 63% (GlobalData 2025).
💸 How Much Do Small Businesses Spend on Cybersecurity?
47% of businesses with fewer than 50 employees have no cybersecurity budget at all (StrongDM / CrowdStrike 2025). 51% have no security measures in place (StrongDM). Nearly half of small businesses spend less than $1,500 per month on cybersecurity. One-third of SMBs with fewer than 50 employees rely on free, consumer-grade security solutions.
The market is growing: global SMB cybersecurity spending is projected to reach $109 billion by 2026 (Analysys Mason), growing at a 10% compound annual rate. 63% of small businesses increased cybersecurity spending in 2025 (MySecurityMarketplace), with 76% citing rising fear of new threats. But spending more does not automatically mean spending well: 58% of SMBs overspent relative to plan in 2024 (ConnectWise), often on reactive incident response rather than prevention.
| Finding | Value | Source |
|---|---|---|
| Businesses <50 employees with zero cyber budget | 47% | StrongDM / CrowdStrike |
| SMBs with no security measures in place | 51% | StrongDM |
| SMB cybersecurity spend as % of IT | 5%-20% | StrongDM / Deloitte |
| SMBs that overspent on cyber (2024) | 58% | ConnectWise State of SMB Cybersecurity 2024 |
| Global SMB cyber spending (projected 2026) | $109B | IT Security Guru |
| Prevention vs recovery cost ratio | 50-60x | AlphaCIS |
47% Have Nothing, But an IR Plan Saves $232K Per Breach
47% of businesses with fewer than 50 employees have zero cybersecurity budget (StrongDM 2025). Meanwhile, IBM data shows a tested incident response plan reduces breach cost by $232,007. The math is straightforward: even a minimal IR plan and basic security controls costing $5,000-$15,000 annually would save hundreds of thousands if a breach occurs. The businesses that spend nothing are the ones that pay the most. (StrongDM, IBM)
📋 Small Business Incident Response
Only 34% of SMBs have a formal incident response plan (Guardz 2025). Only 47% of SMBs with fewer than 50 employees have any security plan at all (CrowdStrike 2025). Only 13% of small firms conduct proactive cybersecurity audits (SQ Magazine), only 22% perform regular vulnerability scanning, and only 1 in 5 conducts annual penetration testing.
The cost of unpreparedness is quantifiable. IBM data shows a tested IR plan and trained team reduces breach cost by $232,007. System recovery alone costs $15,000-$50,000 for professional incident response (AlphaCIS 2026). 42% of small businesses revised their cybersecurity plan since COVID-19 (StrongDM), but the majority still lack basic preparedness.
| Finding | Value | Source |
|---|---|---|
| SMBs with a formal incident response plan | 34% | Guardz 2025 SMB Cybersecurity Report |
| SMBs (<50 employees) with a security plan | 47% | CrowdStrike |
| SMBs without any cybersecurity plan | 50% | Fortinet |
| Small firms conducting proactive security audits | 13% | SQ Magazine |
| Breach cost savings from tested IR plan | $232K | IBM Cost of a Data Breach Report |
A Basic IR Plan Costs Hours, Not Thousands
An incident response plan does not require a six-figure security budget. A small business can create an effective IR plan in a single afternoon: identify critical assets, define roles (who calls whom), establish communication protocols, and document backup recovery procedures. IBM data shows this simple exercise saves $232,007 per breach. The 66% of SMBs without an IR plan are leaving that saving on the table. (IBM, Guardz 2025)
👥 Employee Training and Human Error
95% of cybersecurity incidents are attributed to human error (BDEmerson 2025). Only about 40% of SMBs have a formal security awareness training program (TotalAssure 2025). Just 9% of small businesses train quarterly (SQ Magazine 2025). 68% of SMB phishing breaches start with one untrained employee (Keepnet Labs 2025). 54% of businesses admit their IT departments lack experience for handling complex attacks (BDEmerson).
The ROI of training is among the highest of any security investment. Employees with consistent simulation-based training are 7x less likely to fall for phishing (Cofense 2023). Employee training provides the highest ROI of any security measure (AlphaCIS 2026). A well-trained IR team combined with a tested IR plan reduces breach cost by $232,007 (IBM). At $5-$15 per employee per month, security awareness platforms deliver measurable risk reduction that no other control matches at that price point.
| Finding | Value | Source |
|---|---|---|
| Cybersecurity incidents from human error | 95% | BDEmerson |
| SMBs with formal security training program | ~40% | TotalAssure |
| SMBs training quarterly | 9% | SQ Magazine |
| Phishing breaches from one untrained employee | 68% | Keepnet Labs |
| Training improvement in phishing resistance | 7x | Cofense |
The Single-Employee Problem
68% of SMB phishing breaches start with a single untrained staff member (Keepnet Labs 2025). One person clicking one link can expose the entire organization. The fix: quarterly phishing simulations and 15-minute training sessions. Cofense data shows a 7x improvement in resistance. The cost: less than a team lunch per employee per month. (Keepnet Labs, Cofense, SQ Magazine)
🏢 SMB Cybersecurity by Industry
Highest Risk Sectors
- Healthcare — Ransomware 45%, Phishing 32%
- Manufacturing — Supply Chain 35%, 72hr recovery
- Retail — POS Malware 42%
Best Prepared Sectors
- Financial Services — 67% insured, 18% IT budget
- Retail — 41% insured, 24hr recovery
- Healthcare — 34% insured, 12% IT budget
Different SMB sectors face different threat profiles. The data below (TotalAssure 2025) shows the top attack vectors, recovery times, insurance coverage, and prevention investment by industry.
Healthcare SMBs
Ransomware hits 45% of healthcare SMBs, with phishing at 32%. Average recovery takes 48 hours. Only 34% have cyber insurance, and they invest 12% of their IT budget in security. Healthcare phishing has led to $10M ransomware recovery costs per incident (2025).
Financial Services SMBs
Social engineering leads at 38%, followed by malware at 29%. Financial SMBs recover fastest at 16 hours, have the highest insurance coverage at 67%, and invest the most in prevention at 18% of IT budget. Ransomware is increasing 9% year-over-year in this sector.
Professional Services SMBs
Phishing dominates at 41%, with BEC at 28%. Recovery takes 32 hours. Only 28% have insurance, and prevention investment sits at just 8% of IT budget. Law firms, consultancies, and accounting firms hold sensitive client data that makes them high-value targets.
Manufacturing SMBs
Supply chain attacks lead at 35%, followed by ransomware at 31%. Manufacturing has the longest recovery time of any sector at 72 hours, the lowest insurance rate at 22%, and invests only 6% of IT budget in security. OT/ICS systems create unique attack surfaces.
Retail SMBs
POS malware leads at 42%, followed by card skimming at 27%. Retail recovers in 24 hours on average, has 41% insurance coverage, and invests 9% of IT budget in security. PCI DSS compliance is at 58% but has dropped slightly (SQ Magazine).
The Verizon DBIR 2024 shows the top attack pathways for SMBs are stolen credentials, phishing, and vulnerability exploitation. External actors are responsible for 91% of breaches at small organizations, with the primary motivation being overwhelmingly financial. Third-party risk has doubled to 30% of all breaches (Verizon DBIR 2025), particularly affecting manufacturing supply chains.
🌍 Small Business Cybersecurity by Country
🇺🇸 United States
43% of US SMBs faced at least one cyberattack in the past 12 months (TechAisle). 40% of small businesses with fewer than 250 employees suffered at least one attack (Hiscox). The median cost of all cyber attacks for US SMBs is $16,000, with the most severe single attack costing $25,000 (Hiscox). Only 10-20% of SMEs have cyber insurance (SwissRe), with 4.37 million cyber insurance policies in force (11.7% YoY increase, NAIC). Top entry points: corporate servers (31%), employee devices (28%), cloud servers (26%) (Hiscox).
🇬🇧 United Kingdom
42% of UK small businesses experienced a breach or attack in 2025 (UK Gov DCMS Survey). 41% of micro businesses and 50% of small businesses identified breaches/attacks. Average cyber attack cost: £3,398 ($4,580) for firms with fewer than 50 employees (Vodafone). 62% of UK small businesses have cyber insurance, up from 49% in 2024 (UK Gov Survey). 52% made a slight increase in cybersecurity budget; 10% made a large increase. UK penetration by company size: sole traders 13.1%, micro 26.4%, small 40.1%, medium 63% (GlobalData 2025).
🌐 Global
Global SMB cybersecurity spending is projected to reach $109 billion by 2026 (Analysys Mason), growing at a 10% compound annual rate. Ransomware attacks against SMBs are projected to rise 40% by end of 2026 versus 2024 (Cobalt). SMEs make up approximately 90% of companies globally but account for only about 30% of cyber premiums, roughly $4.7 billion (SwissRe). 78% of small Australian businesses agree they are a target.
📜 SMB Compliance and Regulations
Only 27% of small businesses claim full compliance with cybersecurity laws and frameworks (SQ Magazine 2025). HIPAA compliance among small healthcare firms stands at 51%. PCI DSS compliance among small retail businesses is 58%, and it has dropped slightly. 23% of firms are confused about whether they fall under GDPR (SQ Magazine). CCPA directly impacts 18% of US small businesses.
Compliance fines averaged $8,900 per violation for noncompliant SMBs (SQ Magazine 2025). The new FTC Safeguards Rule (2024) caused compliance expenses to spike 19% in some sectors. Only 34% of small businesses have a formal cybersecurity policy. Risk assessments are conducted annually by only 18% of small firms. Only 13% conduct proactive cybersecurity audits.
| Finding | Value | Source |
|---|---|---|
| SMBs claiming full compliance with cyber laws | 27% | SQ Magazine |
| HIPAA compliance among small healthcare firms | 51% | SQ Magazine |
| PCI DSS compliance among small retail firms | 58% | SQ Magazine |
| Average fine per violation for noncompliant SMBs | $8,900 | SQ Magazine |
| Small firms conducting proactive audits | 13% | SQ Magazine |
Compliance Does Not Equal Security, But Non-Compliance Guarantees Fines
27% compliance is a failing grade by any measure. But the real issue is not the fine itself ($8,900 average per violation). It is that non-compliant organizations are also the ones least prepared for an actual breach, meaning they pay both the fine and the full breach cost. Compliance frameworks like Cyber Essentials, PCI DSS, and HIPAA exist because they encode minimum viable security. Meeting them is a floor, not a ceiling. (SQ Magazine 2025)
🤖 AI Threats to Small Businesses
83% of SMBs believe AI has raised the cybersecurity threat level (ConnectWise 2024). AI-powered phishing emails now match or exceed human-crafted ones in effectiveness, achieving click rates of 40%+ (HBR 2024). AI reduces the cost of launching a phishing campaign by 95%, making SMBs — previously too small to target cost-effectively — profitable attack targets.
Deepfake BEC is the emerging frontier. The largest deepfake CFO scam in 2024 extracted $25 million via a video call (CrowdStrike). For SMBs without formal AI security policies, the risk compounds: AI voice cloning can replicate a person's voice from just 3 seconds of audio (McAfee 2024). SMBs must update their verification procedures to assume that any communication — email, voice call, or video — could be synthetically generated.
| Finding | Value | Source |
|---|---|---|
| SMBs believing AI has raised threat level | 83% | ConnectWise State of SMB Cybersecurity 2024 |
| SMBs without formal AI security policy | 51% | ConnectWise State of SMB Cybersecurity 2024 |
AI Makes Every SMB a Viable Target
Before AI, phishing at scale required manual effort that made targeting individual small businesses uneconomical. AI-generated phishing reduces campaign costs by 95% (HBR 2024). A criminal can now generate thousands of personalised SMB-targeted phishing emails for pennies. The economics of cybercrime have fundamentally shifted against small businesses. (HBR 2024, ConnectWise 2024)
📋 Key Takeaways
8 Things Every Small Business Should Know
- You are the primary target. 43% of all cyberattacks target SMBs, and 88% of SMB breaches include ransomware (Verizon DBIR 2025).
- The cost is survival-level. Average SMB breach cost is $3.31M (IBM). 40% of SMBs say a $100K attack ends their business (VikingCloud).
- Prevention costs 50-60x less than recovery. $5K-$15K/year in prevention vs $500K+ for a single incident (AlphaCIS).
- 95% of incidents are human error. Training employees — especially quarterly phishing simulations — delivers the highest ROI of any security measure.
- A tested IR plan saves $232K per breach. It costs nothing to create. 66% of SMBs do not have one (IBM, Guardz).
- Cyber insurance is not optional. Only 17% of US SMBs have it. Premiums are lower than at any point since 2022.
- Backups defeat ransomware. A 3-2-1 backup strategy costs under $500/year and eliminates the extortion leverage entirely.
- AI is changing the threat landscape. 83% of SMBs say AI has raised the threat level. Update verification procedures for all communications.
❓ Small Business Cybersecurity FAQ
What percentage of cyber attacks target small businesses?
43% of all cyberattacks target small businesses (Verizon / Cybersecurity Magazine). SMBs are 3x more likely to be targeted than larger firms (PreVeil 2025), and 46% of all cyber breaches impact businesses with fewer than 1,000 employees (StrongDM).
How much does a data breach cost a small business?
The average breach cost for businesses with fewer than 500 employees is $3.31 million (IBM). Recovery costs average $120,000 (VikingCloud 2025), and downtime costs $53,000 per hour. 40% of SMBs say a $100,000 attack could end their business.
Do small businesses close after a cyber attack?
The widely cited "60% close within 6 months" comes from the NCSA (circa 2012-2013). Verizon DBIR 2025 puts it at 19% facing bankruptcy. VikingCloud (2025) finds 40% say a $100K attack would end their business. The exact figure is debated, but a significant minority of SMBs do not survive major attacks.
What percentage of small businesses have cyber insurance?
17% in the US (StrongDM / CNBC), 62% in the UK (UK Gov Survey 2025), and approximately 38% globally (SQ Magazine). The UK's higher rate reflects government promotion of Cyber Essentials certification. 64% of US small businesses are not familiar with cyber insurance.
How much should a small business spend on cybersecurity?
Industry benchmarks suggest 5-20% of IT budget depending on sector. Financial services SMBs invest 18%, healthcare 12%, professional services just 8% (TotalAssure 2025). Prevention costs $5,000-$15,000/year, which is 50-60x less than the cost of a single incident ($500K+).
What is the most common cyber attack on small businesses?
Phishing is the #1 attack type at 33.8% of SMB breaches (Heimdal Security 2025). Ransomware is a component in 88% of SMB breaches (Verizon DBIR 2025). 74% of all breaches involve the human element (Verizon DBIR 2024).
What is the ransomware rate for small businesses?
88% of SMB breaches included a ransomware component (Verizon DBIR 2025), compared to 39% at larger organizations. 51% of SMBs that are hit pay the ransom. The median payment is $115,000 (Verizon DBIR 2025).
Does employee training reduce cyber attacks?
Employees with consistent simulation-based training are 7x less likely to fall for phishing (Cofense 2023). 95% of incidents are attributed to human error (BDEmerson). A tested IR plan and trained team reduces breach cost by $232,007 (IBM).
📊 SMB Cybersecurity Risk Assessment
Answer these five questions to get an approximate risk score for your small business. This is not a substitute for a professional assessment, but it highlights the most impactful controls based on the statistics above.
1. Do you have a tested incident response plan?
2. Do employees receive security awareness training at least quarterly?
3. Do you have cyber insurance?
4. Do you maintain offline, tested backups (3-2-1 strategy)?
5. Do you have MFA enabled on all critical accounts?
About This Data
This article draws from 51 statistics aggregated from 50+ authoritative sources including IBM Cost of a Data Breach, Verizon DBIR, CrowdStrike Global Threat Report, WEF Global Cybersecurity Outlook, FBI IC3, ISC2 Cybersecurity Workforce Study, Sophos, Gartner, Mandiant M-Trends, and Ponemon Institute reports.
Derived statistics (marked "Nathan House's Analysis") are computed by cross-referencing data from multiple sources — for example, comparing breach costs across industries using IBM data, or validating ransomware trends across Verizon, Sophos, and HIPAA Journal findings.
All statistics include inline source citations with links to primary sources. Data spans 2023-2026, with preference given to the most recent available figures. Last updated: March 2026.
How to Use This Data
Use these small business data breach statistics to build a business case for cybersecurity investment, benchmark your SMB's risk profile, justify budget requests, or support policy advocacy. The derived analyses cross-reference multiple sources to surface patterns no single report captures.
This page is updated monthly as new reports are published. Bookmark it and return for the latest data. If you spot an outdated statistic or want to suggest a source, contact us.
About the Author
Nathan House, StationX
Nathan House is a cybersecurity expert with 30 years of hands-on experience. He holds OSCP, CISSP, and CEH certifications, has secured £71 billion in UK mobile banking transactions, and has worked with clients including Microsoft, Cisco, BP, Vodafone, and VISA. Named Cyber Security Educator of the Year 2020 and a UK Top 25 Security Influencer 2025, Nathan is a featured expert on CNN, Fox News, and NBC. He founded StationX, which has trained over 500,000 students in cybersecurity.