Must-Know Small Business Cybersecurity Statistics for 2025

While technological advances have made it simpler than ever to launch a small business, the ever-evolving digital landscape includes sophisticated cyber criminals that are waiting for businesses to slip up so that they can make a move. Small and medium-sized businesses (SMBs) already have plenty to contend with–they must manage talent, maintain regulatory compliance, exceed customer expectations, and bolster financial stability, all while competing in an increasingly crowded market. The critical aspect of effective cybersecurity is often overlooked, as it does not seem integral to daily operations, leaving a blind spot that exposes many small businesses to cyber threats.

Small businesses are the backbone of the global economy, accounting for 90% of all businesses worldwide and employing 60% to 70% of the workforce [1]. In the U.S. alone, there are 32.5 million small businesses, making up 99.9% of all firms and employing over 61.2 million people [2]. These businesses drive innovation, foster local economic growth, and contribute significantly to job creation.

However, despite their importance, small businesses face high failure rates. One of the most underestimated risks for small businesses is cybercrime. Many small business owners assume hackers only target large corporations, but in reality, small businesses are prime targets. Cybercriminals exploit weak security measures and target businesses that lack cybersecurity expertise and adequate financial resources, launching attacks that lead to small business data breaches, financial losses, and even permanent closures.

In this article, we’ll explore the latest cybersecurity statistics for 2025 and the most common cyber threats facing small businesses

Cyberattacks aren’t just a threat to individual businesses, they impact the entire economy. As small businesses struggle with digital threats, it’s time to take cybersecurity seriously. Let’s dive into the numbers and facts that can make a difference.

Small Business and Cybersecurity: Why It Matters

Cybersecurity is no longer optional for small businesses — it is a necessity. 43% of all cyberattacks in 2023 targeted small businesses[1], proving that hackers see them as easy prey due to weaker security measures. Unlike large corporations, many small businesses lack dedicated IT teams or cybersecurity budgets, which makes them more vulnerable to data breaches, ransomware, and phishing attacks.

A single cyberattack can lead to financial losses, reputational damage, and even business closure. To stay protected, small businesses must invest in security awareness, employee training, and essential cybersecurity tools to defend against evolving digital threats.

Also read: Why is Cyber Security Awareness Training Important for Employees?

Small Business Cyber Security Statistics Overview

Cyber threats pose a growing risk to small businesses, with many lacking the necessary resources to defend against attacks. Understanding the latest cybersecurity statistics can help business owners recognize vulnerabilities and take proactive measures. Let’s take a look at some key cybersecurity facts impacting small businesses:

1. 43% of all cyberattacks in 2023 targeted small businesses. [1]
2. 46% of all cyber breaches impact businesses with fewer than 1,000 employees. [3]
3. 59% of companies have experienced a data breach caused by a third party or vendor with whom they have shared sensitive information. [4]
4. 95% of cybersecurity incidents can be attributed to human error. [5]
5. Malware is the most common attack type for SMBs (18%), followed by phishing (17%), data breaches (16%), website hacking (15%), DDoS attacks (12%), and ransomware (10%). [6]
6. 37% of ransomware attack victims have fewer than 100 employees. [6]
7. 27% of small businesses with no cybersecurity measures in place have had customer credit card information stolen. [7]
8. Small businesses receive the highest rate of targeted malicious emails, with 1 in 323 being affected. [8]
9. The majority of malicious emails, such as spam, phishing, and email malware, are targeted at businesses with fewer than 250 employees. [7]
10. SMBs spend between $826 and $653,587 on cybersecurity incidents [3]
11. 54% of businesses admit their IT departments lack experience to handle complex cyberattacks. [9]
12. Remote work, personal device use, and lack of employee security training are increasing cybersecurity vulnerabilities for SMBs. [10]

With cyber security threats for small businesses are on rise, companies must prioritize security measures, employee training, and risk management strategies to safeguard their data and operations.

The Cost of Cyber Attacks on Small Businesses

Small businesses are increasingly targeted by cybercriminals, often suffering severe financial and operational consequences. Unlike large corporations, SMBs typically lack robust cybersecurity infrastructure, which makes them vulnerable to attacks. The cost of a cyberattack varies based on factors such as data loss, downtime, and recovery expenses. The following statistics highlight the financial and reputational impact of cyber threats on small businesses.

Key small business cyber attack statistics:

1. 60% of small businesses that suffer a cyberattack shut down within six months. [13]
2. 75% of SMBs say they could not continue operating if hit with ransomware. [14]
3. The average total cost of a cyberattack on an SMB is $254,445, with some incidents costing up to $7 million [10].
4. The financial impact of a data breach has reached a record-breaking $4.54 million per incident across all organizations, with SMBs incurring costs between $120,000 and $1.24 million. [11]
5. 40% of small businesses reported losing important data due to cyberattacks, leading to potential lawsuits and liabilities. [12]
6. 55% of U.S. consumers would be less likely to continue doing business with a company that has suffered a cyberattack. [12]
7. 51% of small businesses reported website downtime of 8-24 hours following an attack. [14]
8. 50% of SMBs take at least 24 hours to recover from an attack. [14]
9. Only 17% of small businesses have cyber insurance, leaving the majority financially vulnerable to cyber threats. [15]
10. 64% of small businesses are not familiar with cyber insurance, despite its potential to mitigate financial losses. [16]

Most Common Cyber Attacks on Small Businesses

Small businesses are increasingly becoming prime targets for cybercriminals, with various types of cyberattacks posing significant risks to their operations. From small business ransomware attacks to phishing, the scale and frequency of these attacks are growing, with devastating consequences for businesses that lack appropriate cybersecurity measures. Below, we outline key statistics that reveal the most common types of cyberattacks on small businesses.

1. 82% of ransomware attacks in 2021 targeted SMBs with fewer than 1,000 employees, highlighting the risk small businesses face. [7]
2. 75% of SMBs could not continue operating if hit with ransomware, underscoring the devastating potential of these attacks. [6]
3. The average cost of recovering from a ransomware attack is $84,000, putting a significant financial burden on SMBs. [17]
4. Malware accounts for 18% of cyberattacks on small businesses, making it one of the most common threats. [6]
5. Phishing (17%), data breaches (16%), website hacking (15%), DDoS attacks (12%), and ransomware (10%) round out the most common cyber attacks types, according to a survey. [6]

6. Over $16,000 in ransom payments were made by US small businesses in the last year, demonstrating the financial impact of these attacks. [18]
7. Small businesses saw a 200% increase in DoS (Denial of Service) incidents in 2022, showing the rising frequency of these attacks. [19]
8. A recent DarkTrace report revealed a 135% surge in social engineering attacks between January and February 2023. [20]
9. Smaller businesses were hit the hardest, with companies fewer than 100 employees facing a 350% higher attack rate compared to larger enterprises. [21]

Small Business Cybersecurity Preparedness

Cyberattacks can cripple small businesses, leading to financial losses, stolen customer sensitive data, and damaged reputations. However, many SMBs remain underprepared, and lack key cybersecurity measures like employee training, multi-factor authentication (MFA), and in-house security expertise. Below are the most critical small business preparedness statistics: 

1. 60% of small business owners consider cybersecurity threats a top concern, yet only 23% say they are very prepared to handle a cyberattack. [22]
2. 50% of small businesses take 24 hours or longer to recover from a cyberattack, which significantly impacts operations and customer trust. [18]
3. 80% of small business leaders plan to increase their cybersecurity spending, and recognize the growing need for better protections. [11]
4. Less than 30% of SMBs manage their security in-house, instead relying on external sources such as:

• IT consultant/Managed Services Provider (MSP) recommendations
• Cyber insurance providers
• Web searches
• Analyst reports
• Rating/review sites. [10]

5. Top cybersecurity challenges SMBs face include:

• Lack of phishing awareness training (83%)
• Lack of employee training on AI security risks (83%)
• Insecure access via personal devices (80%)
• Compliance and regulatory challenges (79%)
• Limited resources and budget (75%)
• Shortage of in-house cybersecurity professionals (72%). [10]
• Only 46% of SMBs have implemented MFA, and just 13% require employees to use it for most accounts. [23]
• 48% of small businesses have provided cybersecurity training to employees in the past year, with adoption highest in professional services (64%) and mid-sized businesses (69%). [22]
• One in three small businesses with 50 or fewer employees rely on free or consumer-grade cybersecurity tools, which may not provide adequate protection. [24]
• 44% of SMBs believe they won’t be attacked again if they’ve already been attacked once. [10]
• 26% of SMBs think they are too small to be targeted by hackers, while another 26% believe they are safe because they’ve never been attacked before. [10]

Small Business Cybersecurity Response & Defense

As cyber threats evolve, small businesses recognize the importance of investing in cybersecurity to protect their operations, customers, and financial stability. While many SMBs are taking steps to improve their security posture, challenges remain in terms of budget allocation, incident response, and adoption of security tools. Below are key statistics which highlight how small businesses are responding to cybersecurity threats.

1. 94% of SMBs consider cybersecurity essential to their business operations, underscoring its critical importance. [25]
2. 81% of SMBs believe AI increases the need for additional security controls, reinforcing the necessity of proactive cybersecurity measures. [25]
3. 80% of SMBs plan to increase cybersecurity spending, primarily to protect financial assets and safeguard customer data. Among them, 65% prioritize data protection, and highlight growing concerns over AI-related security risks. [25]
4. 42% of small businesses have revised their cybersecurity strategy since the COVID-19 pandemic, and adapted to new threats and remote work risks. [26]
5. Nearly half of small businesses spend less than $1,500 per month on cybersecurity, which may not be sufficient given the rising sophistication of cyber threats. [26]
6. SMBs allocate 5% to 20% of their total IT budget to cybersecurity, which reflects varying levels of commitment based on business size and risk perception. [27]
7. 22% of SMBs increased their cybersecurity spending in 2021, showing a gradual but necessary shift to stronger defenses. [27]
8. The top four cybersecurity tools adopted by SMBs include:

• Antivirus software (58%)
• Firewalls (49%)
• VPNs (44%)
• Password management solutions (39%)

Final thoughts 

In conclusion, small businesses face a rapidly evolving landscape of cybersecurity threats, from ransomware and social engineering to data breaches and phishing attacks. Despite growing awareness, many remain underprepared, with limited resources and a lack of comprehensive defense strategies. However, increasing cybersecurity spending and a greater focus on data protection indicate positive movement toward stronger defenses. As threats continue to rise, especially with AI-related risks, it’s important for small businesses to prioritize cybersecurity, invest in essential tools, and continuously update their security protocols to mitigate potential risks and protect customer trust. Staying informed and proactive is the key to long-term security.

To ensure your business stays secure, take action today. 

Contact BD Emerson for professional cyber compliance consulting and audit services. Our experts can help identify vulnerabilities, strengthen your defenses, and ensure your business meets all necessary cybersecurity standards. Don't wait — secure your future now! Reach out for a consultation!

Sources

1. Mastercard, “Why Small Businesses Are Big Targets for Cybercriminals and 6 Steps to Protect Them,” https://www.mastercard.com/news/perspectives/2024/why-small-businesses-are-big-targets-for-cybercriminals-and-6-steps-to-protect-them-this-holiday-shopping-season/.
2. SBA Advocacy, “2021 Small Business Profiles for the States and Territories,” https://advocacy.sba.gov/wp-content/uploads/2021/08/2021-Small-Business-Profiles-For-The-States.pdf.
3. Verizon, “Data Breach Investigations Report (DBIR),” https://www.verizon.com/business/resources/reports/dbir/ .
4. Opus & Ponemon Institute, “Announce Results of 2018 Third-Party Cybersecurity Risk Management Study,” https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party.
5. World Economic Forum, “Cyber Risk and the Need for Cybersecurity Education,” https://www.weforum.org/agenda/2020/12/cyber-risk-cyber-security-education.
6. QuickBooks Survey, “Small Business Data Insights - April 2022,” https://quickbooks.intuit.com/r/small-business-data/insights-april-2022/.
7. SCIRP, “Ransomware Attacks and Their Impact on Small Businesses,” https://www.scirp.org/journal/paperinformation?paperid=130449.
8. Startups Magazine, “Why Small Businesses Need to Recalibrate Their Approach to Cybersecurity,” https://startupsmagazine.co.uk/article-why-small-businesses-need-recalibrate-their-approach-cybersecurity.
9. Sophos, “Ransomware Recovery Cost Reaches Nearly $2 Million, More Than Doubling in a Year,” https://www.sophos.com/en-us/press/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.
10. Microsoft, “Small and Medium Business Cybersecurity Report,” https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/SMBCybersecurity-Report-Final.pdf.
11. Devolutions, “State of IT Security in SMBs 2023-2024,” https://cdndevolutions.blob.core.windows.net/documents/survey-report/state-of-it-security-in-smbs-2023-2024-en.pdf.
12. University of North Dakota Business Engagement, “October 2023,” https://blogs.und.edu/business-engagement/2023/10/october-2023/.
13. Fundera, “Small Business Cybersecurity Statistics,” https://www.fundera.com/resources/small-business-cyber-security-statistics.
14. Business Dasher, “Small Business Cyber Attack Statistics,” https://www.businessdasher.com/small-business-cyber-attack-statistics/.
15. Aviva, “One in Five Businesses Have Been Victims of Cyber Attack in the Last Year,” https://www.aviva.com/newsroom/news-releases/2023/12/One-in-five-businesses-have-been-victims-of-cyber-attack-in-the-last-year/.
16. AdvisorSmith, “Small Business Cyber Insurance Statistics,” https://advisorsmith.com/data/small-business-cyber-insurance-statistics/.
17. Forbes, “Average Cost to Recover from Ransomware Skyrockets to Over $84,000,” https://www.forbes.com/sites/leemathews/2020/01/26/average-cost-to-recover-from-ransomware-skyrockets-to-over-84000/#53655aed13a2.
18. Verizon, “2023 Data Breach Investigations Report,” https://www.verizon.com/about/news/2023-data-breach-investigations-report.
19. Cyber Magazine, “Zayo Group Confirms DDoS Attacks in 2023 Are Up 200%,” https://cybermagazine.com/cyber-security/zayo-group-confirms-ddos-attacks-in-2023-are-up-200.
20.  Darktrace, “Darktrace Email Defends Organizations Against Evolving Cyber Threat Landscape,” https://darktrace.com/news/darktrace-email-defends-organizations-against-evolving-cyber-threat-landscape.
21. Barracuda, “Spear Phishing Report: Social Engineering and Growing Complexity of Attacks,” https://blog.barracuda.com/2022/03/16/spear-phishing-report-social-engineering-and-growing-complexity-of-attacks.
22.  U.S. Chamber of Commerce, “New Survey Finds Small Businesses Think Cyberattacks Are Biggest Threat,” https://www.uschamber.com/small-business/new-survey-finds-small-businesses-think-cyberattacks-are-biggest-threat.
23. Cyber Readiness Institute, “Global Small and Medium-Sized Businesses Slow to Move to More Secure Multi-Factor Authentication Account Access Method, New Cyber Readiness Institute Survey Finds,” https://cyberreadinessinstitute.org/news-and-events/global-small-and-medium-sized-businesses-slow-to-move-to-more-secure-multi-factor-authentication-account-access-method-new-cyber-readiness-institute-survey-finds/.
24. PR Newswire, “BullGuard New Study Reveals One in Three SMBs Use Free Consumer Cybersecurity and One in Five Use No Endpoint Security at All,” https://www.prnewswire.com/news-releases/bullguard-new-study-reveals-one-in-three-smbs-use-free-consumer-cybersecurity-and-one-in-five-use-no-endpoint-security-at-all-301007466.html.
25. Microsoft, “7 Cybersecurity Trends and Tips for Small and Medium Businesses to Stay Protected,” https://www.microsoft.com/en-us/security/blog/2024/10/31/7-cybersecurity-trends-and-tips-for-small-and-medium-businesses-to-stay-protected/.
26. UpCity, “Small Business Cybersecurity Survey,” https://upcity.com/experts/small-business-cybersecurity-survey/.
27. PennyRile Technologies, “How Much Do SMBs Spend on Cybersecurity?” https://pennyriletechnologies.com/how-much-do-smbs-spend-cybersecurity/.
28. Digital.com, “51% of Small Businesses Admit to Leaving Customer Data Unsecure” https://digital.com/51-of-small-business-admit-to-leaving-customer-data-unsecure/.