Small Business Cybersecurity Statistics 2026: Attacks, Costs & Readiness


Ransomware was present in 88% of breaches at small and mid-sized businesses in the 2025 Verizon Data Breach Investigations Report — more than double the 39% rate at large organizations. Small businesses face enterprise-grade attackers with a fraction of enterprise budgets, and the gap is measurable. This page compiles 56 small business cybersecurity statistics from Verizon, IBM, the FBI, Coalition, Hiscox, and other primary sources — including a fact-check of the most repeated small business cyber statistic that turns out to have no verifiable source.
Table of Contents
How Often Small Businesses Are Attacked
Small businesses are attacked constantly, and the best-known number about it is also the oldest. The 43% figure below dates to research published in 2019 — treat it as a historical benchmark, not a current measurement. For the cross-market picture beyond SMBs, see our full cybersecurity statistics roundup for 2026.
| Metric | Value | Source |
|---|---|---|
| Small businesses that experienced a breach or attack | 81% | ITRC 2024 |
| US small businesses reporting an attack in 12 months | 53% | Hiscox 2023 |
| Share of cyberattacks aimed at small businesses | 43% (2019 vintage) | Accenture |
| Extra social engineering pressure on sub-100-employee firms | +350% | Barracuda |
| Complaints filed with FBI IC3 in 2024 | 859,532 | FBI IC3 |
- 81% of small businesses experienced a cyberattack, a data breach, or both at least once, according to the Identity Theft Resource Center 2024 Business Impact Report.
- 53% of US small businesses reported at least one cyberattack in the prior 12 months (Hiscox Cyber Readiness Report 2023).
- 43% of cyberattacks target small businesses, per Accenture research published in 2019. The figure is still the most quoted in the category, and its age is the reason we flag it — no newer Accenture study has refreshed it.
- Employees at companies with fewer than 100 staff face 350% more social engineering attacks than employees at larger firms (Barracuda spear-phishing research, 2023).
- The FBI Internet Crime Complaint Center logged 859,532 complaints in 2024, with reported losses of $16.6 billion — up 33% year over year (FBI IC3 2024 Annual Report).
- Business email compromise alone produced $2.77 billion in reported US losses in 2024 (FBI IC3) — a crime that disproportionately hits firms without dedicated finance controls.
- The average eCrime breakout time — from initial access to lateral movement — fell to 48 minutes in 2024, with the fastest observed at 51 seconds (CrowdStrike 2025 Global Threat Report). Small teams get less time to respond than ever.
- The 2025 Verizon DBIR analyzed 22,052 security incidents and 12,195 confirmed breaches — the dataset behind the SMB ransomware findings later on this page.
- Microsoft reports its customers face more than 600 million attacks per day across identity, email, and endpoints (Microsoft Digital Defense Report 2024). Attackers automate; company size is not a filter.
What an Attack Costs
Cost figures for small business incidents vary widely by methodology. Survey medians land in the thousands. Full breach accounting lands in the millions. Both are real — they measure different things. Our data breach statistics page breaks down the methodology differences in detail.
| Cost Metric | Value | Source |
|---|---|---|
| Average small business attack recovery cost | $120,000 | VikingCloud 2025 |
| Median annual cost of attacks, US small business | $8,300 | Hiscox 2023 |
| Average breach cost, orgs under 500 employees | $3.31 million | IBM 2023 |
| Average ransom payment (Q1 2025) | $552,777 | Coveware |
| Median ransom payment (Q1 2025) | $200,000 | Coveware |
- The average cost for a small business to recover from a cyberattack is roughly $120,000 (VikingCloud 2025 SMB Threat Landscape research).
- The median cost of all cyber incidents over 12 months for US small businesses was $8,300 (Hiscox Cyber Readiness Report 2023). Medians hide the tail: a minority of victims absorb six- and seven-figure losses.
- For organizations with fewer than 500 employees, the average cost of a full data breach reached $3.31 million (IBM Cost of a Data Breach Report, 2023).
- The global average breach cost across all company sizes hit $4.88 million in 2024, the highest on record (IBM Cost of a Data Breach Report 2024).
- The average ransom payment was $552,777 and the median was $200,000 in Q1 2025 (Coveware quarterly ransomware report).
- Ransomware victims averaged around 24 days of downtime per incident in Coveware incident-response data from 2022 — for a small firm, that is a month of interrupted revenue.
- Mean ransomware recovery costs, excluding any ransom paid, reached $2.73 million across all organization sizes (Sophos State of Ransomware 2024).
- Organizations took an average of 258 days to identify and contain a breach (IBM 2024). Small businesses without monitoring typically discover incidents when the damage is already visible.
The 60% Closure Claim — a Fact-Check
You have seen the claim: 60% of small businesses close within six months of a cyberattack. It appears in vendor pitches, news articles, and government presentations. We could not verify it, and neither has anyone else. It does not appear anywhere else on this page as a statistic, because it is not one.
- The 60%-closure figure has no verifiable primary source. The National Cyber Security Alliance, the organization most often credited with it, has publicly distanced itself from the number and stopped using it in its own materials.
- The claim has circulated since at least the early 2010s and has appeared in US congressional testimony, government small-business guidance, and thousands of vendor marketing pages — almost always citing another citation rather than a study.
- Verified survivorship data points the other way: 81% of small businesses report having been attacked or breached (ITRC 2024), yet the overwhelming majority continue operating. No peer-reviewed research supports a 60% closure rate at any time window.
None of this means attacks are survivable by default. The verified cost data above is bad enough on its own. But an industry that needs to invent statistics undermines the case for real spending. Cite the $120,000 recovery figure and the 88% ransomware share instead — they hold up.
Readiness & Spending Gaps
The defining feature of small business security is not negligence — it is capacity. Most small firms have no security staff, no formal plan, and a budget that rounds to zero against enterprise norms. Our SMB IT spending statistics show where security sits inside the broader budget. Many firms close part of the gap by routing day-to-day IT and security hygiene through an outsourced helpdesk instead of hiring.
- 59% of small businesses spend fewer than 10 hours per week on cybersecurity across the entire company (Coalition 2025 small business security research).
- 74% of small businesses spend less than $10,000 per year on cybersecurity (Coalition, 2025). A single average recovery — $120,000 per VikingCloud — would erase 12 years of that budget.
- 50% of UK businesses identified a cyber breach or attack in the prior 12 months, per the UK government Cyber Security Breaches Survey 2024 — one of the few nationally representative datasets on smaller firms.
- Only about 22% of businesses have a formal incident response plan (UK Cyber Security Breaches Survey 2024). Most small firms improvise their first response during the incident itself.
- CISA's guidance for small businesses lists four starting controls — MFA, patching, strong passwords, and phishing training — and offers free cyber hygiene scanning to any US organization that enrolls (CISA).
- The security workforce gap makes in-house hiring unrealistic for most: the global shortfall of cybersecurity workers reached 4.8 million people (ISC2 2024 Cybersecurity Workforce Study).
Ransomware & Phishing Against SMBs
This is where the size penalty shows up most clearly. Recent Verizon DBIR editions consistently find ransomware in SMB breaches at roughly four times the rate of large organizations. Deeper numbers live in our ransomware statistics and phishing statistics pages.
- Ransomware was present in 88% of breaches at small and mid-sized businesses versus 39% at larger organizations in the 2025 Verizon DBIR — the starkest size split in the report.
- Across all victims, ransomware appeared in 44% of breaches in the 2025 DBIR, up 37% from the prior year.
- The median ransom payment in DBIR 2025 data was $115,000 — near the total annual IT budget of many small firms.
- 64% of ransomware victims did not pay, up from 50% two years earlier (Verizon DBIR 2025). Refusal is becoming the norm where backups survive.
- Coveware measured the payment rate at just 25% of ransomware cases in Q4 2024 — a record low.
- 59% of organizations were hit by ransomware in the prior year (Sophos State of Ransomware 2024), with rates broadly similar across revenue bands.
- The human element was involved in 60% of breaches (Verizon DBIR 2025) — phishing, stolen credentials, and simple error, all of which scale down to the smallest victim.
- Credential abuse (22%) and vulnerability exploitation (20%) led initial access vectors, with phishing close behind at 16% (Verizon DBIR 2025). For small businesses, phishing remains the most common first contact because it requires nothing but a mailbox.
- The median user clicks a phishing link 21 seconds after opening the email, and submits data 28 seconds after that (Verizon DBIR 2024).
- The Anti-Phishing Working Group has recorded more than one million unique phishing attacks in a single quarter repeatedly since 2022 — sustained volume, not a spike (APWG Phishing Activity Trends Reports).
Cyber Insurance Uptake
Cyber insurance is the control small businesses skip most. Uptake is rising from a very low base, and insurers now function as de facto regulators — MFA and backup requirements arrive with the application form. Full market data is in our cyber insurance statistics page.
- Only about 17% of small businesses carry standalone cyber insurance (AdvisorSmith survey) — the number behind the 83% gap in the chart above.
- Cyber insurance take-up among insurance brokerage clients roughly doubled from 26% in 2016 to 47% in 2020 (US Government Accountability Office) — growth driven overwhelmingly by mid-sized and large buyers, not the smallest firms.
- US insurers wrote about $7.2 billion in direct cyber insurance premiums in 2023 (National Association of Insurance Commissioners data).
- The global cyber insurance market reached roughly $15.3 billion in premiums in 2024 (Munich Re estimates), with SMB policies the fastest-growing segment.
- Phishing-driven business email compromise and funds transfer fraud together account for the majority of small business claims by frequency in Coalition claims data — ransomware drives severity, email fraud drives volume (Coalition Cyber Claims Report).
- Insurers increasingly make coverage conditional: applications routinely require MFA on email and remote access, offline or immutable backups, and endpoint detection before quoting — controls documented across carrier underwriting guides and Coalition policyholder requirements.
MFA & Backup Adoption
Two controls decide most SMB incident outcomes: whether MFA was on, and whether backups survived. Adoption of both lags far behind their measured effectiveness. Weak credentials remain the front door — our password statistics page shows how attackers get them.
- 55% of small and medium businesses had not adopted multi-factor authentication, per the Cyber Readiness Institute global SMB survey — adoption remains below half.
- Among SMBs that do offer MFA, only 28% require employees to use it (Cyber Readiness Institute). Optional MFA protects the employees least likely to be phished.
- Enabling MFA reduces the risk of account compromise by 99.2%, based on Microsoft's 2023 study of real-world attacks against Entra ID accounts.
- Attackers attempted to compromise backups in 94% of ransomware attacks (Sophos State of Ransomware 2024). Backups are now a primary target, not an afterthought.
- Those backup-compromise attempts succeeded 57% of the time (Sophos 2024) — which is why insurers ask for offline or immutable copies specifically.
- Where backups survived, 68% of ransomware victims restored data from backup rather than paying (Sophos 2024). Backup integrity is the single biggest lever on whether a ransom gets paid.
What Closing the Gap Costs
The economics explain the gap. A small business cannot hire its way to 24/7 coverage — the math below shows why — but it can rent it. Bundled managed IT services put monitoring, patching, MFA enforcement, and backup management under one contract, and dedicated SOC services add round-the-clock detection at a fraction of the in-house price.
- The median US information security analyst salary was $120,360 (US Bureau of Labor Statistics, May 2023). One analyst covers one shift — 24/7 in-house coverage requires several, before tooling.
- Information security analyst employment is projected to grow 33% from 2023 to 2033 (BLS) — roughly ten times the average occupation, which keeps salaries climbing beyond small business reach.
- The global cybersecurity workforce gap of 4.8 million people (ISC2, 2024) means small businesses compete for the same scarce hires as banks and governments.
- Organizations making extensive use of security AI and automation saw breach costs $2.2 million lower on average (IBM Cost of a Data Breach Report 2024) — tooling small firms typically access only through a provider.
- Organizations with severe security staffing shortages faced breach costs $1.76 million higher than well-staffed peers (IBM 2024). Understaffing is itself a measurable cost.
- Roughly nine in ten SMBs say they would consider a new IT service provider if it offered the right cybersecurity solution (ConnectWise State of SMB Cybersecurity research).
- More than three-quarters of SMBs plan to increase cybersecurity investment over the next 12 months (ConnectWise SMB research) — intent is not the constraint; execution capacity is.
- Set against Coalition's finding that 74% of small businesses spend under $10,000 a year, a managed security contract at a few hundred dollars per user annually is the only route to enterprise-grade controls inside a small business budget.
Sources
These statistics are compiled from the following research publications and datasets:
- Verizon Data Breach Investigations Report (2024, 2025)
- IBM Cost of a Data Breach Report (2023, 2024)
- FBI Internet Crime Complaint Center (IC3) Annual Report 2024
- Identity Theft Resource Center (ITRC) 2024 Business Impact Report
- Coalition Small Business Cybersecurity Research 2025 and Cyber Claims Report
- Hiscox Cyber Readiness Report 2023
- VikingCloud SMB Threat Landscape Research 2025
- Coveware Quarterly Ransomware Reports (2022–2025)
- Sophos State of Ransomware 2024
- Accenture Cost of Cybercrime Study (2019)
- CrowdStrike 2025 Global Threat Report
- Microsoft Digital Defense Report 2024 and Microsoft Entra MFA Effectiveness Study 2023
- Barracuda Spear-Phishing Report 2023
- Anti-Phishing Working Group (APWG) Phishing Activity Trends Reports
- UK Government Cyber Security Breaches Survey 2024
- US Government Accountability Office (GAO) cyber insurance reporting
- National Association of Insurance Commissioners (NAIC) cyber insurance data
- Munich Re Cyber Insurance Market Estimates
- Cyber Readiness Institute Global SMB MFA Survey
- AdvisorSmith Small Business Cyber Insurance Survey
- US Bureau of Labor Statistics, Information Security Analysts
- ISC2 2024 Cybersecurity Workforce Study
- ConnectWise State of SMB Cybersecurity Research
- CISA Cyber Guidance for Small Businesses
Statistics are updated as new data becomes available. Last updated: July 2026.
Protect your organization with expert healthcare IT support designed for HIPAA compliance.
Healthcare IT Support ServicesTopics

Sreenivasa Reddy G
Founder & CEO • 15+ years
Sreenivasa Reddy is the Founder and CEO of Medha Cloud, recognized as "Startup of the Year 2024" by The CEO Magazine. With over 15 years of experience in cloud infrastructure and IT services, he leads the company's vision to deliver enterprise-grade cloud solutions to businesses worldwide.
More in Cybersecurity
View all
Insider Threat Statistics 2026: Cost, Frequency & Detection
16 min read

Cloud Security Statistics 2026: Breaches, Spending & Trends
18 min read

Password Statistics 2026: Reuse, Breaches & MFA Adoption
19 min read

Data Breach Statistics 2026: Costs, Causes & Records Exposed
18 min read

42 Cyber Insurance Statistics for 2026 — Premiums & Claims Data
16 min read

52 Email Security Statistics for 2026 — BEC, Spam & Phishing
19 min read