36 Important Small Business Cybersecurity Statistics (2025)

Small business owners often underestimate how common cyber attacks can be—yet 43% of cyber breaches each year are aimed at smaller businesses, specifically those with fewer than 500 employees.

Additionally, statistics show that over 60% of small businesses faced cybersecurity incidents last year, causing major financial and operational setbacks.

Despite the growing number of cybersecurity threats, few small businesses are prepared, leaving critical data at risk.

This article compiles essential small business cybersecurity statistics to help owners and high-level company members understand how crucial it is to maintain a strong cybersecurity posture and protect sensitive data.

Top cyber security statistics for small businesses in 2025

  1. 43% of cyber breaches worldwide involve small businesses or organizations with fewer than 1,000 employees [1].
  2. Over 50% of small businesses experienced at least one cyber attack last year, often losing between $84,000 and $148,000 per incident [2].
  3. Ransomware remains a primary worry for small and medium-sized businesses, with damages expected to exceed $250 billion globally by 2031 [3].
  4. 51% of small businesses that fall victim to ransomware pay the ransom, often due to lack of backups or cyber insurance [2].
  5. In 2020, over 700,000 attacks targeted small businesses, totaling $2.8 billion in damages [4].
  6. 60% of small businesses that suffer a severe cyber attack go out of business within six months [1].
  7. 31% of small businesses have implemented multi-factor authentication (MFA), which significantly reduces the risk of compromised credentials [2].
  8. One-third of small businesses with fewer than 50 employees rely on free consumer-grade cybersecurity tools, offering fewer security protections than paid solutions [5].
  9. 47% of businesses with fewer than 50 employees have no cybersecurity budget [2].
  10. Only 20% of small businesses have implemented multi-factor authentication, even though it significantly reduces unauthorized users gaining access [2].

These statistics highlight how small business owners face critical data risks and why many businesses must invest in a robust cybersecurity plan to avoid detrimental impacts to client retention and overall business continuity.

Why small businesses remain prime targets

Cybercriminals often assume that smaller businesses have weaker security measures than large enterprises, making them easier to infiltrate.

Many business owners also believe they are “too small” to be targeted, reinforcing a false sense of safety.

The stats are alarming; over 60% of small businesses were targeted by cyber attacks in the past year, with a 350% higher risk of social engineering attacks.

In fact, companies with fewer than 50 employees receive the highest rate of targeted malicious emails at 1 in 323, compared to 1 in 555 for larger companies [2]. According to recent research:

  • 59% of small business owners with no cybersecurity measures in place believe their operation is “too small” to be attacked, which fosters a false sense of security.
  • 36% of small businesses surveyed are “not at all concerned” about a cyber attack, despite mounting evidence to the contrary.

Crucial Point: 87% of all small businesses hold customer information (including credit card details and other sensitive data), meaning a data breach can have devastating consequences for customer loyalty and brand reputation.

The financial impact of cyber attacks on small businesses

The financial repercussions of cyber attacks on small businesses are staggering.

In 2020 alone, attacks against small businesses led to damages amounting to $2.8 billion [2]. This figure is projected to escalate, with damages expected to reach $13.82 trillion by 2028.

95% of cyber attacks on small businesses cost between $826 and $653,587. These costs stem from various factors, including:

  • downtime
  • lost business
  • emergency solutions
  • legal fiduciary fines

The prevalence of phishing attacks has also significantly increased, impacting small businesses both financially and operationally. Phishing attacks can lead to direct financial losses through tactics like credential theft and fake invoices.

Moreover, ransom demands can stretch into millions, creating substantial financial strain for SMBs.

These financial challenges highlight the importance of proactive measures to prevent cyber attacks and minimize their economic impact.

Recovery time and its economic impact

The recovery time following a cyber attack can have a significant economic impact on small businesses:

  • 51% of small businesses reported their website was down for 8-24 hours after a cyber attack, causing lost revenue and diminished customer loyalty.
  • Companies that suffered a data breach see a sharp drop in repeat customers, with 55% of U.S. consumers saying they would take their business elsewhere if a breach occurs.

Moreover, a prolonged recovery can result in lost customers, as clients may seek more reliable alternatives during downtime.

These operational disruptions underscore the need for efficient recovery strategies and robust cybersecurity measures to minimize downtime and economic losses.

Small business preparedness statistics

Despite rising fear of new threats, few small businesses are adequately prepared:

  1. One-third of small businesses with fewer than 50 employees rely on free or consumer-grade cybersecurity solutions [5].
  2. 59% of small business owners who do not invest in IT security believe they are too small to be a target [1].
  3. Only 17% of small businesses adopt data encryption practices for critical files, leaving them vulnerable to theft [2].
  4. A growing number of midsize businesses have begun hiring in-house IT staff or retaining a cybersecurity firm after experiencing an attack, though many businesses still lack an incident response plan.
  5. 58% of small businesses adopt antivirus software as their primary cybersecurity tool [2].
  6. Firewalls are adopted by 49% of small businesses [2].
  7. Password management tools are adopted by 39% of small businesses [2].
  8. 44% of small businesses use virtual private networks (VPNs) as a cybersecurity tool [2].
  9. 64% of all small businesses are not familiar with cyber insurance [2].
  10. 51% of small businesses have no cybersecurity measures in place at all [2].

Lack of cybersecurity budgets

One of the most significant challenges small businesses face is the lack of dedicated cybersecurity spending. Many small business owners fail to recognize the risk associated with cyber attacks, with 36% expressing no concern regarding potential threats.

As a result, only 24% of SMBs allocate between $1,500 and $1,999 monthly to cybersecurity.

Furthermore, 50% of small businesses have a cybersecurity plan in place, indicating that half remain unprepared for cyber threats.

The perception that data encryption technology is complicated deters many small business owners from utilizing it, contributing to their vulnerability.

Implementation of multi-factor authentication

Multi-factor authentication (MFA) is a critical security measure that significantly reduces the risk of credential theft. Despite its importance, only 20% of small businesses have adopted MFA as a security measure [2].

Implementing MFA involves using multiple verification methods to confirm a user’s identity, making it more challenging for attackers to gain unauthorized access.

By adopting MFA, small businesses can enhance their security posture and protect against common cyber threats.

Use of free cybersecurity solutions

Many small businesses depend on free, consumer-grade cybersecurity solutions, which may not offer adequate protection against cyber threats.

One in three small businesses utilizes these free solutions, exposing them to significant risks.

While these tools can provide a basic level of security, they often lack advanced features needed to defend against sophisticated cyber attacks, resulting in fewer security protections.

Key Observation: Lack of cyber insurance and minimal use of data encryption can lead to bigger financial repercussions when a data breach or ransomware attack hits.

Scope of cyber attacks

Small businesses are under more pressure than ever to protect themselves online.

Hackers see them as easy targets, and one successful attack can shut down a company’s operations and damage its reputation.

  • Over 50% of small businesses reported at least one cyber attack in the last year, incurring direct financial losses that can climb into six figures [2].
  • In 2020 alone, over 700,000 attacks targeted small businesses, leading to $2.8 billion in damages [4].
  • 60% of small businesses that experience a serious breach cannot continue operating and shut down within six months [1].

Common cyber attack methods targeting small businesses

Phishing, ransomware, malware, and social engineering attacks are among the most prevalent methods targeting small businesses.

Each of these attack types exploits different vulnerabilities and can have devastating impacts on business operations and finances.

Malware

Malware is designed to harm computers, networks, or servers, making it a common threat to small businesses. It can get into a small business network through infected emails and compromised software downloads.

The impact of malware can be data breaches, operational downtime, and financial loss.

Small businesses need to implement strong cybersecurity measures like antivirus software and firewalls to protect against these common attacks.

Phishing

Phishing is the second most common attack on small businesses, causing huge disruption and financial loss.

This involves deceptive tactics like email phishing and spear-phishing to trick users into revealing sensitive information.

Phishing attacks involve fake websites that mimic the real ones to steal credentials and compromise security.

Ransomware

Ransomware remains a huge threat to SMBs because of its simplicity and effectiveness. It blocks access to systems or encrypts files, requiring payment to regain access.

Ransomware attacks often start through compromised remote desktop protocol (RDP) access. 37% of companies hit by ransomware have fewer than 100 employees.

The financial impact is worsened by the fact that many small businesses don't have a dedicated budget for ransomware expenses, so they have to pay the ransom to get back to business.

27% of ransomware victims are covered by cyber insurance, so the financial risk is still big for those without coverage.

Social Engineering Attacks

Social engineering attacks exploit human interaction to trick employees into revealing confidential information.

Companies with fewer than 100 employees are 350% more likely to be hit by social engineering attacks than larger companies.

Tactics used in these attacks include phishing, baiting, quid pro quo, pretexting, and tailgating.

Because social engineering attacks exploit trust and human error, small businesses need comprehensive employee training and awareness programs to counter them.

Important Note: 82% of ransomware attacks in 2021 targeted companies with fewer than 1,000 employees, often because of fewer security protections and limited cybersecurity posture.

Impact of COVID-19 and remote work

Since the COVID-19 pandemic, 42% of small businesses have revised their cybersecurity plan due to the surge in remote work setups [2].

However, the rapid shift exposed SMBs to more supply chain attacks and unauthorized users attempting to access systems.

  • Companies that faced a cyber breach often respond by hiring a cybersecurity firm or increasing in-house IT staff, with 29% taking this action.
  • 21% of small businesses increased multi-factor authentication usage, recognizing it as a best practice to reduce breached user credentials.

Ransomware attacks: A top concern for SMBs

Ransomware hits on small businesses continue to grow:

  1. Experts predict that global ransomware damage costs could exceed $250 billion by 2031 [3].
  2. Many business owners facing ransomware demands choose to pay in hopes of restoring operations quickly, which perpetuates the cycle of such attacks.
  3. 60% of small businesses struggling with ransomware ultimately shut down [1].
  4. 37% of companies hit by ransomware had fewer than 100 employees [2].
  5. 51% of SMBs that fall victim to ransomware pay the ransom, emphasizing the severity of operational disruptions.

This trend underscores the importance of multi-factor authentication, endpoint security, and continuous employee training to detect suspicious links or social engineering attacks.

Summary

Small businesses face ongoing cyber threats and remain high-priority targets for criminals looking to exploit weaker security measures.

With nearly half of small business owners investing under $1,500 monthly in cyber security, many remain vulnerable.

Whether through phishing, malware, or ransomware attacks, the loss of customer data and direct financial damages can be catastrophic, particularly for operations with fewer employees.

Key steps to strengthen your cyber security strategy include:

  1. Train employees on spotting and preventing social engineering attacks.
  2. Implement multi-factor authentication to protect accounts from unauthorized users and compromised credentials.
  3. Increase data encryption for sensitive data, including customer information like credit card details.
  4. Adopt a balanced approach to antivirus software, VPNs, firewalls, and password management tools.
  5. Consider cyber insurance to mitigate financial risks.
  6. Allocate 5%–20% of your total IT budget specifically for security to stay protected against new threats.

References

  1. 10 Small Business Cyber Security Statistics That You Should Know
  2. Small Business Cyber Security Statistics
  3. Global Ransomware Damage Costs Predicted to Reach 250 Billion USD by 2031
  4. Small Business Cyber Attack Statistics
  5. The Grim Reality: Cyber Attacks on Small Businesses in 2024

(All data points and quotes in this article are sourced or cross-referenced from the above links and reports.)
