
60 Small Business Cybersecurity Statistics to Know in 2026


Small businesses might assume that hackers go after bigger targets, but the data points to a harsher reality.

Cybercriminals are pursuing small and medium-sized businesses in 2026. These businesses hold valuable data, process real money, and typically operate with far less security infrastructure than enterprise organizations. That combination makes them attractive, accessible, and increasingly profitable to attack.

This article compiles the most important small business cybersecurity statistics for 2025 and 2026 — drawn from the most authoritative sources available, including the Verizon Data Breach Investigations Report, IBM Cost of a Data Breach Report, FBI Internet Crime Complaint Center (IC3), Hiscox Cyber Readiness Report, CrowdStrike, Sophos, KnowBe4, and several newly published studies from 2025 and early 2026.

Where older statistics are included, they are clearly dated. Where commonly cited statistics have been officially debunked, we say so — including one of the most viral stats in the industry.

Top small business cybersecurity statistics

  • Small businesses experience ~4x as many confirmed breaches as large organizations.
  • 88% of SMB breaches in 2025 involved ransomware, compared with just 39% for large organizations.
  • 80% of small businesses experienced at least one cyberattack in 2025, and 41% of those incidents were AI-driven.
  • For a company with fewer than 500 employees, the average cost of a breach is $3.31 million.
  • Only 34% of SMBs have a formal incident response plan; just 11% use AI-powered defenses.
  • 65% of SMBs do not use MFA, although it blocks 99.9% of automated account attacks.
  • The widely cited “60% of small businesses close within 6 months of an attack” statistic has been officially debunked by the National Cybersecurity Alliance.

The scale of the threat: how often do small businesses get attacked?

Rather than being deterred by a small headcount or modest revenue, attackers often look for precisely those conditions.

  1. SMBs experienced approximately 4x more confirmed breaches than large organizations in 2024. The 2025 Verizon DBIR dataset records 3,049 security incidents and 2,842 confirmed breaches for SMBs, compared with 982 incidents and 751 breaches for large organizations. These are raw counts from the DBIR corpus, not rates per organization.
  2. 43% of all cyberattacks target small businesses. This figure is from 2019 and remains the most widely cited stat in the industry. More recent studies suggest the share may be higher.
  3. 46% of all data breaches impact businesses with fewer than 1,000 employees.
  4. 80% of small businesses suffered at least one cyberattack in 2025.
  5. Employees at small businesses (fewer than 100 staff) experience 350% more social engineering attacks than employees at larger enterprises.
  6. 88% of SMB breaches involved ransomware, compared with just 39% for large organizations. This illustrates that ransomware is disproportionately a problem for small businesses.
  7. Malicious insider attacks increased by 85% in SMBs during 2024, costing an average of $812,000 per incident, which is 3.5x more than external attacks.
  8. Zero-day exploits targeting small businesses exploded by 267% in 2025. The average time between vulnerability discovery and exploit deployment fell from 68 days to just 14 days.
  9. 78% of current SMB encryption standards will be vulnerable to quantum computing attacks by 2030, but only 12% have begun planning for cryptographic migration. The practical exposure is in public-key algorithms (RSA and elliptic-curve key exchange and signatures in TLS, VPNs, and code signing); symmetric ciphers such as AES-256 are not meaningfully weakened. NIST published its first post-quantum standards (FIPS 203, 204, and 205) in August 2024, so migration planning can start today with an inventory of where RSA and ECC are used.

What this means for your business: The scale data is unambiguous: Small businesses are not collateral damage in attacks aimed at larger targets. They are a primary target. One caveat on the 4x figure: Verizon's counts are raw totals from the DBIR dataset (and a large share of DBIR incidents have no recorded organization size), not breach rates per organization, so they show where confirmed breaches land rather than any single business's probability of being hit. Even so, the direction is clear: Attackers know that small businesses hold real assets and real credentials while typically running leaner security operations.

The financial impact: What does a cyberattack actually cost?

Cost is often the argument that moves small business owners from awareness to action. The numbers are significant even at the lower end of the range, but at the upper end, they are existential.

  1. The average cost of a data breach for an organization with fewer than 500 employees is $3.31 million, up 13.4% year-over-year.
  2. The U.S. average cost of a data breach reached an unprecedented high of $10.22 million in 2025, up 9% from the prior year.
  3. For most small businesses, breach costs typically fall between $120,000 and $1.24 million, depending on the scale of the incident and the organization’s security posture.
  4. Total reported cybercrime losses in the United States reached $16.6 billion in 2024, rising 33% from $12.5 billion in 2023.
  5. Business email compromise (BEC) alone accounted for $2.77 billion in U.S. losses in 2024.
  6. 37% of SMBs that were attacked in 2025 lost more than $500,000 per incident. 38% raised prices to cover their losses.
  7. The average cost of a ransomware or extortion incident is $5.08 million, an increase of 3% year-over-year.
  8. Downtime costs small businesses approximately 50x more than the ransom itself. Lost productivity, recovery, and reputational damage almost always eclipse the cost of the ransom.
  9. 63% of small businesses saw their cyber insurance premiums increase by 200% or more in 2024, with 27% being unable to secure coverage at any price due to inadequate security controls.
  10. Organizations with less than $25 million in annual revenue made 64% of all cyber insurance claims in 2024, with average per-claim losses exceeding $84,000.
  11. 58% of SMBs spent more on cybersecurity in 2024 than they originally budgeted, suggesting that reactive spending after incidents is displacing planned investment.

What this means for your business: The $3.31M IBM average cost of a data breach for smaller organizations will feel abstract for a business with five employees and $800K in annual revenue. The Verizon range of $120,000 to $1.24M is more representative of typical SMB incident costs. But even $120,000 would represent a serious operational shock for most small businesses. Factor in the finding that downtime costs 50x more than the ransom, plus the insurance implications of cyberattacks, and the true cost picture becomes much clearer.

Ransomware: The dominant threat to small businesses

Ransomware has evolved from a broad opportunistic threat into a highly targeted, professionalized operation. Far from being caught in the crossfire, small businesses are increasingly the intended target.

  1. Ransomware was a factor in 44% of all data breaches in the 2025 DBIR, up sharply from 32% in the previous edition.
  2. Total ransomware attacks rose 45% in 2025, with 9,251 recorded attacks compared with 6,395 in 2024.
  3. Ransomware prompted 70% of Sophos incident response cases handled on behalf of small business customers.
  4. 27% of SMEs experienced a ransomware attack in the past year. Of those, 80% paid the ransom.
  5. The median ransom payment in 2025 was $115,000, down from $150,000 the prior year — but the total costs of an incident remain far higher.
  6. Of SMEs that paid the ransom, only 60% successfully recovered their data. 31% of those received subsequent demands for more money.
  7. 69% of businesses that paid a ransom were attacked again within the following year.
  8. Excluding the ransom payment itself, the average ransomware recovery cost is $1.53 million.
  9. The average ransomware-related downtime is 24 days.
  10. 58% of ransomware attacks on SMBs originate from compromised third-party vendors. Alarmingly, the average time to detect these supply chain breaches is 317 days.
  11. 89% of SMBs have unsecured IoT devices on their networks, and those devices are the initial access point for 43% of ransomware attacks and 67% of data exfiltration incidents.

What this means for your business: Given that only 60% of ransom payers recover their data and 69% are targeted again within a year, paying is a poor bet. Paying does not close the initial access path, signals to attackers that you will hand over money, and in some jurisdictions can create sanctions or regulatory exposure if the recipient is a designated entity. Investing that money in tested offline backups, prevention, and a rehearsed incident response plan makes more sense.

Phishing and social engineering: the human front door

Technical defenses cannot fully protect against attacks that exploit human judgment. Phishing remains the most common way attackers gain access, and small businesses are disproportionately exposed because they typically run less employee training.

  1. Phishing is the costliest initial attack vector, with an average breach cost of $4.8 million per phishing-initiated incident.
  2. The median time for an employee to click a phishing link is just 21 seconds. Once they click, they enter their credentials an average of 28 seconds later.
  3. 71% of targeted email attacks against organizations with 100 or fewer mailboxes were phishing, compared with 41% for larger organizations.
  4. 47% of phishing emails now bypass traditional Secure Email Gateways (SEGs), making gateway-only defenses increasingly insufficient.
  5. Research involving 67.7 million simulated phishing tests across 62,400 organizations reveals that security awareness training reduces employee phishing susceptibility by 86% over 12 months.
  6. Phishing-as-a-service (PhaaS) kits accounted for 30% of all credential-based attacks in 2024 and are projected to account for 50% in 2025, lowering the skill barrier for attackers significantly.

What this means for your business: The median time from opening a phishing email to clicking is 21 seconds, so post-delivery detection cannot rely on a human pausing to think. With almost half of phishing emails getting through SEGs, traditional email gateway filtering is no longer enough. Training matters: The KnowBe4 finding that training reduces susceptibility by 86% is one of the strongest ROI arguments for security awareness programs. This is an area where relatively low investment produces measurable, documented results.

Credentials and passwords: the most exploited vulnerability

Compromised passwords and stolen credentials remain the preferred path into small business networks. This is also one of the most preventable attack vectors.

  1. Compromised credentials are the leading initial attack vector, a factor in 22% of all breaches.
  2. Credential-based breaches take an average of 292 days (almost ten months) to identify and contain, the longest lifecycle of any attack type.
  3. Only 3% of passwords currently in use meet NIST password guidelines. Note that current guidance (NIST SP 800-63B) favors length (an 8-character floor, with at least 64 characters accepted) and screening against known-breached password lists over character-composition rules and forced periodic rotation.
  4. 2.8 billion passwords were listed for sale on criminal forums in 2024, at an average price of $10 per credential.
  5. Approximately 65% of global SMBs do not use multifactor authentication and have no plans to implement it. 58% say they are not even aware of its benefits.
  6. MFA adoption among small businesses lies between 27% and 34%, compared with 87% for large enterprises.
  7. MFA blocks 99.9% of automated account compromise attacks.
  8. Attackers used legitimate system tools and credentials in 79% of all cyberattack detections in 2024, up from 40% in 2019. These “malware-free” intrusions are much harder to detect with traditional antivirus.

What this means for your business: The poor level of MFA adoption among SMEs represents one of the starkest gaps in this entire dataset. MFA blocks 99.9% of automated attacks, yet under 34% of small businesses have implemented it. This is the highest-impact, lowest-barrier security improvement available to most SMBs. The 99.9% figure applies to automated attacks such as credential stuffing and password spraying; push-notification and one-time-code MFA can still be bypassed by real-time phishing proxies or push fatigue, so email, remote access, and admin accounts should get phishing-resistant MFA (FIDO2 security keys or passkeys) where the platform supports it. The 292-day credential breach lifecycle is a reminder that the damage is rarely visible and that attackers can operate inside a network for months before anyone notices.

Preparedness and business continuity: the gaps that matter most

⚠️ A note on a widely cited statistic

You may have seen the claim that “60% of small businesses close within 6 months of a cyberattack.” This statistic has been circulating since approximately 2011 and is generally attributed to the National Cybersecurity Alliance (NCSA), but in 2022 the NCSA issued an official statement confirming it never produced this data and recommending that it no longer be used.

Despite this, the stat is still widely repeated.

The reliable alternatives below paint the real picture without recourse to fabricated data.

NCSA statement: staysafeonline.org

The gap between small businesses’ perception of their preparedness and the reality is one of the most consistent findings across 2025 research.

  1. 79% of SMBs experienced a cyberattack in the past five years, but 64% still do not believe they are an attractive target for attackers.
  2. 93% of SMBs describe themselves as knowledgeable about cybersecurity risks. Only 11% have deployed AI-powered security defenses.
  3. Only 34% of small businesses have a formal incident response plan developed with cybersecurity expertise.
  4. 52% of small businesses rely on untrained internal staff or the business owner to manage cybersecurity entirely.
  5. Two-thirds of SMBs say the cost of security tools prevents them from upgrading. Only 7% believe their current budget is sufficient.
  6. Based on a survey of 1,200 small businesses, 75% of SMBs say they could not continue operating if they were hit with a ransomware attack.
  7. 78% of SMBs fear that a major cyber incident could put them out of business entirely.

What this means for your business: Most small businesses believe they are informed and therefore protected. However, the data illustrates that awareness has not translated into readiness. The organizations most at risk are those that self-assess as competent but have not implemented the fundamentals: an incident response plan, MFA, employee training, and at minimum a basic security audit.

AI-driven attacks: the emerging threat

This section covers the most significant emerging trend in the small business threat landscape for 2025 and 2026. AI-powered attacks were barely measurable 12 months ago. They are now a primary attack method, and small businesses are particularly exposed because they rarely have the defenses to detect them.

  1. AI-powered cyberattacks against small businesses rose by 340% in 2025, with generative AI tools now responsible for 78% of sophisticated social engineering campaigns.
  2. 41% of cyberattack incidents against small businesses in 2025 were attributed to AI-driven methods. Compare this with virtually zero identified as AI-related in 2024.
  3. AI-generated phishing emails achieve open rates of 54–78%, compared to approximately 12% for traditionally crafted phishing.
  4. AI-generated phishing attacks cost 95% less to execute and are produced 40% faster than manually crafted attacks, removing the cost and skill barriers that previously limited sophisticated phishing to well-resourced threat actors.
  5. 13% of organizations experienced an AI-related security breach in 2025, but 97% lacked proper AI governance frameworks and security controls at the time of the breach.
  6. Breaches involving unmanaged “shadow AI” tools cost organizations an average of $4.63 million, which is $670,000 more than the global average breach cost.
  7. Voice phishing (vishing) attacks surged 442% between the first and second halves of 2024, making telephone-based social engineering one of the fastest-growing attack vectors.
  8. 83% of SMBs say that AI and generative AI have increased the cybersecurity threat level they face. However, only 51% have implemented any AI-related security policies.

What this means for your business: The explosion in AI-driven attacks is arguably the most important development in cybersecurity. It represents a fundamental shift in the threat model. AI attacks are cheaper to run, faster to generate, harder to detect, and dramatically more effective at fooling employees. The 54–78% open rate for AI phishing versus 12% for traditional phishing illustrates how significant this gap is. For small businesses, this means that defenses built around recognizing suspicious-looking emails are increasingly inadequate because AI-generated messages are well-written, contextually relevant, and personalized. Training programs need to evolve accordingly.

What small businesses should do: 5 actions backed by the data

The statistics in this article point clearly to where the highest-impact improvements lie. Here are five actions grounded directly in the data above.

  1. Implement multifactor authentication across all accounts. This is the single highest-ROI action available. MFA blocks 99.9% of automated account attacks, yet 65% of SMBs have no plans to implement it. Start with email, remote access, and any financial systems, and prefer phishing-resistant options (FIDO2 security keys or passkeys) for email and admin accounts.
  2. Develop and test a formal incident response plan. Only 34% of SMBs have one. Businesses with a tested incident response plan consistently recover faster, spend less, and are less likely to face a second attack. The plan need not be complex; it just needs to exist and be practiced.
  3. Run regular employee security awareness training. The human element is involved in a majority of breaches (60% in the 2025 DBIR), and the median phishing click happens in 21 seconds. KnowBe4’s data shows that 12 months of regular training reduces phishing susceptibility by 86%. This is a proven, measurable intervention.
  4. Treat credentials as infrastructure. With 2.8 billion passwords on criminal forums at $10 each, and only 3% of passwords meeting NIST standards, credential hygiene is a fundamental gap. Password managers, regular credential audits, and dark web monitoring are no longer optional.
  5. Do not pay ransoms without expert guidance. 40% of ransom payers did not recover their data, 31% faced secondary demands, and 69% were attacked again within a year. Payment funds the next attack. Instead, invest those resources in offline backups and a tested recovery plan before an incident occurs.
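Action 4 above describes a credential audit only in general terms. As an added example, not code from the original article or from any of the reports it cites, the script below implements the checks NIST SP 800-63B actually asks for: a length floor instead of composition rules, rejection of context-specific words such as the company name, and screening against a corpus of known-breached passwords. The breach lookup follows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the machine). The range data is constructed inline from hashes of a few obviously weak passwords with invented counts so the example runs offline; the `fetch_range_offline` function, the password list, and the `acme` context word are all assumptions for this illustration.

```python
"""
Password screening in the NIST SP 800-63B style with a k-anonymity breach check.

Added example, not the article's own code. The range data below is CONSTRUCTED
(real SHA-1 hashes of weak passwords, invented breach counts). In production the
fetch function would call the live Pwned Passwords range API over HTTPS instead.
"""
import hashlib
from dataclasses import dataclass, field

MIN_LENGTH = 8   # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept at least this many characters


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_constructed_range_db(entries: dict[str, int]) -> dict[str, str]:
    """Build {prefix: 'SUFFIX:COUNT\\r\\nSUFFIX:COUNT...'} from plaintext->count
    pairs, mimicking a range API response. Constructed data, not real counts."""
    ranges: dict[str, list[str]] = {}
    for plaintext, count in entries.items():
        digest = sha1_upper(plaintext)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


# Constructed corpus: weak passwords with made-up breach counts.
CONSTRUCTED_RANGES = build_constructed_range_db({
    "password": 9659365,
    "Password1": 2000,
    "qwerty123": 1500,
    "letmein": 300,
})


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}; returns the constructed range body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range_offline) -> int:
    """How often the password appears in the breach corpus (0 if absent).
    Only the 5-char hash prefix is sent; suffix matching happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


@dataclass
class Verdict:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def screen_password(password: str, context_words=(), fetch=fetch_range_offline) -> Verdict:
    """Apply the SP 800-63B checks. No character-composition rules on purpose."""
    reasons: list[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:  # username, company name, product name, ...
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(password)) <= 2:
        reasons.append("repetitive characters")
    hits = breach_count(password, fetch)
    if hits:
        reasons.append(f"appears in breach corpus {hits} times")
    return Verdict(ok=not reasons, reasons=reasons)


def audit(passwords, context_words=(), fetch=fetch_range_offline) -> dict[str, Verdict]:
    """Screen a batch of candidate passwords, as a periodic credential audit would."""
    return {pw: screen_password(pw, context_words, fetch) for pw in passwords}


if __name__ == "__main__":
    sample = ["password", "Password1", "AcmeCorp2026", "correct horse battery staple"]
    for pw, verdict in audit(sample, context_words=("acme",)).items():
        status = "OK" if verdict.ok else "REJECT: " + "; ".join(verdict.reasons)
        print(f"{pw!r}: {status}")
```

To run this against a live corpus, replace `fetch_range_offline` with a function that performs an HTTPS GET of the range endpoint for the 5-character prefix and returns the response body; the rest of the logic is unchanged because the comparison is always local. Audit the hashes you already store (for example at login time, when the plaintext is briefly available), never by exporting plaintext passwords.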


Frequently asked questions

  • What percentage of cyberattacks target small businesses?

    According to Accenture’s Cybercrime Study (2019), 43% of cyberattacks target small businesses. More recent data from Verizon’s 2025 DBIR shows that SMBs experienced approximately four times more confirmed breaches than large organizations in 2024, suggesting the concentration of attacks on smaller targets has increased rather than decreased.

  • What is the average cost of a cyberattack on a small business?

    For organizations with fewer than 500 employees, IBM’s 2024 Cost of a Data Breach Report puts the average at $3.31 million. However, Verizon’s 2024 DBIR found that the realistic range for most SMBs is $120,000 to $1.24 million depending on incident scale and response capabilities. Truly small businesses (under 50 employees) often see costs closer to the median Hiscox estimate of around $8,300 per year in direct losses, though a single major incident can be far more.

  • Are small businesses really targeted by ransomware?

    Yes, disproportionately so. Verizon’s 2025 DBIR found that 88% of SMB breaches involved ransomware, compared to only 39% of large organization breaches. Sophos found ransomware present in 70% of incident response cases handled for small business customers. Small businesses are preferred targets because they hold real data and real money but typically have fewer defenses.

  • What is the most common way small businesses get hacked?

    Compromised credentials (22% of breaches) and phishing (the costliest initial vector at $4.8M per incident) are the two dominant pathways. Both are primarily human problems rather than technical ones, which is why employee training and MFA have consistently outsized impact on reducing breach likelihood.

  • Is the "60% of small businesses close within 6 months" statistic accurate?

    No. The National Cybersecurity Alliance — the organization most commonly cited as the source — officially stated in May 2022 that they never produced this statistic and cannot verify its origin. They recommend against its continued use. Better-sourced alternatives from 2022–2025 data: 75% of SMBs say they could not continue operating if hit with ransomware (CyberCatch, 2022), and 78% fear a major incident could put them out of business (ConnectWise, 2025).

Primary sources used

Verizon. Data Breach Investigations Report (DBIR) — 2021, 2024, and 2025 editions. Accessed: 27 March 2026.

IBM. Cost of a Data Breach Report — 2024 and 2025 editions. Accessed: 27 March 2026.

FBI Internet Crime Complaint Center (IC3). 2024 Internet Crime Report. Accessed: 27 March 2026.

Hiscox. Cyber Readiness Report — 2023 and 2025 editions. Accessed: 27 March 2026.

Sophos. State of Ransomware 2025. Accessed: 27 March 2026.

Sophos. Annual Threat Report: Cybercrime on Main Street 2025. Accessed: 27 March 2026.

CrowdStrike. State of SMB Cybersecurity Survey 2025. Accessed: 27 March 2026.

KnowBe4. Phishing By Industry Benchmark Report 2025. Accessed: 27 March 2026.

Barracuda Networks. Threat Spotlight — 2022, 2024, and 2025 editions. Accessed: 27 March 2026.

Guardz. SMB Cybersecurity Report 2025. Accessed: 27 March 2026.

Identity Theft Resource Center (ITRC). 2025 Business Impact Report. Accessed: 27 March 2026.

Coalition. Small Business Cybersecurity Study 2025. Accessed: 27 March 2026.

ConnectWise. State of SMB Cybersecurity 2025. Accessed: 27 March 2026.

Cyber Readiness Institute. 2024 Global Multifactor Authentication (MFA) Survey Insights. Accessed: 27 March 2026.

JumpCloud. State of IT 2024: SME IT Trends Report. Accessed: 27 March 2026.

Datto. Global State of the Channel Ransomware Report. Accessed: 27 March 2026.

National Cybersecurity Alliance (NCSA). Statement Regarding Incorrect Small Business Statistic. May 2022. Accessed: 27 March 2026.

Accenture and Ponemon Institute. Ninth Annual Cost of Cybercrime Study. 2019. Accessed: 27 March 2026.

World Economic Forum. Global Cybersecurity Outlook 2022. Accessed: 27 March 2026.

Chubb. Cyber Claims Landscape Report 2024. Accessed: 27 March 2026.
