36 Important Small Business Cybersecurity Statistics (2025)
Small business owners often underestimate how common cyber attacks can be, yet 43% of cyber breaches each year are aimed at smaller businesses, specifically those with fewer than 500 employees.
Additionally, statistics show that over 60% of small businesses faced cybersecurity incidents last year, causing major financial and operational setbacks.
Despite the growing number of cybersecurity threats, few small businesses are prepared, leaving critical data at risk.
This article compiles essential small business cybersecurity statistics to help owners and high-level company members understand how crucial it is to maintain a strong cybersecurity posture and protect sensitive data.
Top cyber security statistics for small businesses in 2025
- 43% of cyber breaches worldwide involve small businesses or organizations with fewer than 1,000 employees [1].
- Over 50% of small businesses experienced at least one cyber attack last year, often losing between $84,000 and $148,000 per incident [2].
- Ransomware remains a primary worry for small and medium-sized businesses, with damages expected to exceed $250 billion globally by 2031 [3].
- 51% of small businesses that fall victim to ransomware pay the ransom, often due to lack of backups or cyber insurance [2].
- In 2020, over 700,000 attacks targeted small businesses, totaling $2.8 billion in damages [4].
- 60% of small businesses that suffer a severe cyber attack go out of business within six months [1].
- 31% of small businesses have implemented multi-factor authentication (MFA), which significantly reduces the risk of compromised credentials [2].
- One-third of small businesses with fewer than 50 employees rely on free consumer-grade cybersecurity tools, offering fewer security protections than paid solutions [5].
- 47% of businesses with fewer than 50 employees have no cybersecurity budget [2].
- Only 20% of small businesses have implemented multi-factor authentication, even though it significantly reduces unauthorized users gaining access [2].
These statistics highlight how small business owners face critical data risks and why many businesses must invest in a robust cybersecurity plan to avoid detrimental impacts to client retention and overall business continuity.
Why small businesses remain prime targets
Cybercriminals often assume that smaller businesses have weaker security measures than large enterprises, making them easier to infiltrate.
Many business owners also believe they are “too small” to be targeted, reinforcing a false sense of safety.

The stats are alarming; over 60% of small businesses were targeted by cyber attacks in the past year, with a 350% higher risk of social engineering attacks.
In fact, companies with fewer than 50 employees receive the highest rate of targeted malicious emails at 1 in 323, compared to 1 in 555 for larger companies [2]. According to recent research:
- 59% of small business owners with no cybersecurity measures in place believe their operation is “too small” to be attacked, which fosters a false sense of security.
- 36% of small businesses surveyed are “not at all concerned” about a cyber attack, despite mounting evidence to the contrary.
Crucial Point: 87% of all small businesses hold customer information (including credit card details and other sensitive data), meaning a data breach can have devastating consequences for customer loyalty and brand reputation.
The financial impact of cyber attacks on small businesses
The financial repercussions of cyber attacks on small businesses are staggering.

In 2020 alone, attacks against small businesses led to damages amounting to $2.8 billion [2]. This figure is projected to escalate, with damages expected to reach $13.82 trillion by 2028.
95% of cyber attacks on small businesses cost between $826 and $653,587. These costs stem from various factors, including:
- downtime
- lost business
- emergency solutions
- legal fiduciary fines
The prevalence of phishing attacks has also significantly increased, impacting small businesses both financially and operationally. Phishing attacks can lead to direct financial losses through tactics like credential theft and fake invoices.
Moreover, ransom demands can stretch into millions, creating substantial financial strain for SMBs.
These financial challenges highlight the importance of proactive measures to prevent cyber attacks and minimize their economic impact.
Recovery time and its economic impact
The recovery time following a cyber attack can have a significant economic impact on small businesses:
- 51% of small businesses reported their website was down for 8-24 hours after a cyber attack, causing lost revenue and diminished customer loyalty.
- Companies that suffered a data breach see a sharp drop in repeat customers, with 55% of U.S. consumers saying they would take their business elsewhere if a breach occurs.
Moreover, a prolonged recovery can result in lost customers, as clients may seek more reliable alternatives during downtime.
These operational disruptions underscore the need for efficient recovery strategies and robust cybersecurity measures to minimize downtime and economic losses.
Small business preparedness statistics

Despite rising fear of new threats, few small businesses are adequately prepared:
- One-third of small businesses with fewer than 50 employees rely on free or consumer-grade cybersecurity solutions [5].
- 59% of small business owners who do not invest in IT security believe they are too small to be a target [1].
- Only 17% of small businesses adopt data encryption practices for critical files, leaving them vulnerable to theft [2].
- A growing number of midsize businesses have begun hiring in-house IT staff or retaining a cybersecurity firm after experiencing an attack, though many businesses still lack an incident response plan.
- 58% of small businesses adopt antivirus software as their primary cybersecurity tool [2].
- Firewalls are adopted by 49% of small businesses [2].
- Password management tools are adopted by 39% of small businesses [2].
- 44% of small businesses use virtual private networks (VPNs) as a cybersecurity tool [2].
- 64% of all small businesses are not familiar with cyber insurance [2].
- 51% of small businesses have no cybersecurity measures in place at all [2].
Lack of cybersecurity budgets
One of the most significant challenges small businesses face is the lack of dedicated cybersecurity spending. Many small business owners fail to recognize the risk associated with cyber attacks, with 36% expressing no concern regarding potential threats.
As a result, only 24% of SMBs allocate between $1,500 and $1,999 monthly to cybersecurity.
Furthermore, only 50% of small businesses have a cybersecurity plan in place, indicating that half remain unprepared for cyber threats.
The perception that data encryption technology is complicated deters many small business owners from utilizing it, contributing to their vulnerability.
Implementation of multi-factor authentication
Multi-factor authentication (MFA) is a critical security measure that significantly reduces the risk of credential theft. Despite its importance, only 20% of small businesses have adopted MFA as a security measure [2].
Implementing MFA involves using multiple verification methods to confirm a user’s identity, making it more challenging for attackers to gain unauthorized access.
By adopting MFA, small businesses can enhance their security posture and protect against common cyber threats.
Use of free cybersecurity solutions
Many small businesses depend on free, consumer-grade cybersecurity solutions, which may not offer adequate protection against cyber threats.
One in three small businesses utilizes these free solutions, exposing them to significant risks.
While these tools can provide a basic level of security, they often lack advanced features needed to defend against sophisticated cyber attacks, resulting in fewer security protections.
Key Observation: Lack of cyber insurance and minimal use of data encryption can lead to bigger financial repercussions when a data breach or ransomware attack hits.
Scope of cyber attacks
Small businesses are under more pressure than ever to protect themselves online.

Hackers see them as easy targets, and one successful attack can shut down a company’s operations and damage its reputation.
- Over 50% of small businesses reported at least one cyber attack in the last year, incurring direct financial losses that can climb into six figures [2].
- In 2020 alone, over 700,000 attacks targeted small businesses, leading to $2.8 billion in damages [4].
- 60% of small businesses that experience a serious breach cannot continue operating and shut down within six months [1].
Common cyber attack methods targeting small businesses
Phishing, ransomware, malware, and social engineering attacks are among the most prevalent methods targeting small businesses.
Each of these attack types exploits different vulnerabilities and can have devastating impacts on business operations and finances.
Malware
Malware is designed to harm computers, networks, or servers, so it is a common threat to small businesses. It can get into a small business network through infected emails and compromised software downloads.
The impact of malware can include data breaches, operational downtime, and financial loss.
Small businesses need to implement strong cybersecurity measures like antivirus software and firewalls to protect against these common attacks.
Phishing
Phishing is the second most common attack on small businesses, causing huge disruption and financial loss.
It involves deceptive tactics like email phishing and spear-phishing to trick users into revealing sensitive information.
Phishing attacks involve fake websites that mimic real ones to steal credentials and compromise security.
Ransomware
Ransomware remains a huge threat to SMBs because of its simplicity and effectiveness. It blocks access to systems or encrypts files, requiring payment to regain access.
Ransomware attacks often start through compromised Remote Desktop Protocol (RDP) access. 37% of companies hit by ransomware have fewer than 100 employees.
The financial impact is worsened by the fact that many small businesses don't have a dedicated budget for ransomware expenses, so they have to pay the ransom to get back to business.
Only 27% of ransomware victims are covered by cyber insurance, so the financial risk is still large for those without coverage.
Social Engineering Attacks
Social engineering attacks exploit human interaction to trick employees into revealing confidential information.
Companies with fewer than 100 employees are 350% more likely to be hit by social engineering attacks than larger companies.
Tactics used in these attacks include phishing, baiting, quid pro quo, pretexting, and tailgating.
Because social engineering attacks exploit trust and human error, small businesses need comprehensive employee training and awareness programs to counter them.
Important Note: 82% of ransomware attacks in 2021 targeted companies with fewer than 1,000 employees, often because of fewer security protections and limited cybersecurity posture.
Impact of COVID-19 and remote work
Since the COVID-19 pandemic, 42% of small businesses have revised their cybersecurity plan due to the surge in remote work setups [2].
However, the rapid shift exposed SMBs to more supply chain attacks and unauthorized users attempting to access systems.
- Companies that faced a cyber breach often responded by hiring a cybersecurity firm or increasing in-house IT staff, with 29% taking this action.
- 21% of small businesses increased multi-factor authentication usage, recognizing it as a best practice to reduce breached user credentials.
Ransomware attacks: A top concern for SMBs
Ransomware hits on small businesses continue to grow:
- Experts predict that global ransomware damage costs could exceed $250 billion by 2031 [3].
- Many business owners facing ransomware demands choose to pay in hopes of restoring operations quickly, which perpetuates the cycle of such attacks.
- 60% of small businesses struggling with ransomware ultimately shut down [1].
- 37% of companies hit by ransomware had fewer than 100 employees [2].
- 51% of SMBs that fall victim to ransomware pay the ransom, emphasizing the severity of operational disruptions.
This trend underscores the importance of multi-factor authentication, endpoint security, and continuous employee training to detect suspicious links or social engineering attacks.
Summary
Small businesses face ongoing cyber threats and remain high-priority targets for criminals looking to exploit weaker security measures.
With nearly half of small business owners investing under $1,500 monthly in cyber security, many remain vulnerable.
Whether through phishing, malware, or ransomware attacks, the loss of customer data and direct financial damages can be catastrophic, particularly for operations with fewer employees.
Key steps to strengthen your cyber security strategy include:
- Train employees on spotting and preventing social engineering attacks.
- Implement multi-factor authentication to protect accounts from unauthorized users and compromised credentials.
- Increase data encryption for sensitive data, including customer information like credit card details.
- Adopt a balanced approach to antivirus software, VPNs, firewalls, and password management tools.
- Consider cyber insurance to mitigate financial risks.
- Allocate 5%–20% of your total IT budget specifically for security to stay protected against new threats.
References
- [1] 10 Small Business Cyber Security Statistics That You Should Know
- [2] Small Business Cyber Security Statistics
- [3] Global Ransomware Damage Costs Predicted to Reach 250 Billion USD by 2031
- [4] Small Business Cyber Attack Statistics
- [5] The Grim Reality: Cyber Attacks on Small Businesses in 2024
(All data points and quotes in this article are sourced or cross-referenced from the above links and reports.)