GITNUX REPORT 2026

Small Business Cyber Security Statistics

Small businesses face devastating cyber attacks and must urgently increase their security.

Min-ji Park

Research Analyst focused on sustainability and consumer trends.

First published: Feb 13, 2026

With small businesses accounting for nearly a third of all data breaches while being vastly unprepared, the hidden costs of a cyberattack—from crushing fines to a 60% chance of closing within six months—are a quiet crisis threatening the backbone of our economy.

Key Takeaways

  • 43% of all cyber attacks target small businesses despite them representing only 20% of the market
  • In 2023, 74% of small and medium-sized businesses (SMBs) reported experiencing at least one cyber incident
  • Small businesses account for 31% of all data breaches reported in 2023
  • Average cost of a data breach for small businesses was $25,000 in 2023
  • SMBs lost $4.45 million on average per ransomware attack in 2023
  • 60% of small businesses that suffer a breach close within 6 months, costing $1.2M in lost revenue
  • Phishing is the most common threat, accounting for 36% of SMB breaches in 2023
  • Ransomware affected 66% of SMBs that paid attackers in 2023 surveys
  • Malware infections represent 22% of small business cyber incidents annually
  • Only 26% of SMBs use multi-factor authentication (MFA), exposing them to account takeovers
  • 51% of small businesses lack employee cybersecurity training programs
  • Just 14% of SMBs have incident response plans in place
  • Businesses with backups recover 60% faster from ransomware
  • SMBs with incident response plans reduce breach costs by 35%
  • MFA adoption cuts account compromise recovery time by 50%

Common Threats

  • Phishing is the most common threat, accounting for 36% of SMB breaches in 2023
  • Ransomware affected 66% of SMBs that paid attackers in 2023 surveys
  • Malware infections represent 22% of small business cyber incidents annually
  • Business Email Compromise (BEC) scams targeted 43% of small firms in 2023
  • DDoS attacks hit 20% of SMB websites monthly
  • Supply chain vulnerabilities exploited in 15% of SMB breaches
  • Cloud misconfigurations cause 32% of small business data exposures
  • IoT devices are entry points in 18% of SMB attacks
  • Insider threats contribute to 34% of small business incidents
  • Weak passwords lead to 81% of SMB hacking-related breaches
  • Spear-phishing success rate in SMBs is 3%, higher than average
  • Unpatched software vulnerabilities in 57% of SMB malware cases
  • Social engineering tricks 85% of small business employees yearly
  • Mobile device threats affect 25% of SMB remote workers
  • Third-party app risks in 29% of SaaS-using SMBs
  • Credential stuffing attacks on SMBs up 71% in 2023
  • Zero-day exploits hit 12% of small manufacturers
  • Vishing (voice phishing) incidents rose 15% in SMB call centers
  • Smishing texts targeted 40% of small retailers
  • Ransomware-as-a-Service used in 70% of SMB infections
  • API vulnerabilities exposed in 23% of SMB cloud apps
  • Wi-Fi eavesdropping risks 19% of SMB cafes/hotels
  • Deepfake threats emerging in 5% of BEC SMB cases
  • Legacy system exploits in 27% of small finance firms
  • Shadow IT usage leads to 16% of unauthorized access

Common Threats Interpretation

If you thought your small business was too unglamorous for cyberattacks, this constellation of statistics suggests that criminals are far less discerning and far more opportunistic than your average food critic.

Financial Impact

  • Average cost of a data breach for small businesses was $25,000 in 2023
  • SMBs lost $4.45 million on average per ransomware attack in 2023
  • 60% of small businesses that suffer a breach close within 6 months, costing $1.2M in lost revenue
  • Phishing costs small businesses $4.91 million annually on average
  • Hiscox reports average cyber claim for SMBs at £12,500 ($15,800) in 2023
  • Downtime from attacks costs SMBs $184,000 per incident in productivity losses
  • Small business ransomware recovery averages $1.85 million including fines
  • BEC scams drained $2.9 billion from US small businesses in 2023
  • Notification costs post-breach average $150,000 for SMBs under GDPR
  • SMB cyber insurance premiums rose 50% to $2,500 annually in 2023
  • Lost business post-breach costs SMBs 25% of annual revenue on average
  • Average DDoS attack mitigation costs SMBs $40,000 per event
  • Data recovery expenses hit $100,000 for 35% of SMB breaches
  • Legal fees from SMB breaches average $75,000 in the US
  • SMB supply chain attacks cost $500,000 in remediation on average
  • Phishing training failure costs SMBs $12,000 per employee annually
  • Cloud breach costs SMBs $200,000 in fines and cleanup
  • IoT attack financial impact on SMBs averages $50,000 per incident
  • SMB malware removal costs $25,000 including expert help
  • Reputation damage post-SMB breach leads to 20% revenue drop ($300K avg)
  • Ransomware negotiation fees for SMBs average $10,000
  • SMB e-commerce breaches cost $90,000 in PCI compliance fines
  • Hybrid work cyber losses total $1.5M per SMB annually
  • Small business fines under CCPA average $50,000 per violation
  • DDoS extortion demands cost SMBs $30,000 in payouts yearly
  • SMB data center outages cost $8,000 per hour
  • Spear-phishing campaigns cost SMBs $150,000 per successful hit
  • Small retailer POS breaches average $250,000 loss
  • SMB consultant fees post-breach hit $60,000
  • Ransomware backups restoration costs SMBs $80,000

Financial Impact Interpretation

This chorus of fiscal horrors, where a $25,000 breach can be the overture to a $1.85 million ransomware symphony and a final curtain of insolvency, sings a simple truth for small businesses: cybersecurity isn't a line item, it's your survival's bottom line.

Prevalence and Incidence

  • 43% of all cyber attacks target small businesses despite them representing only 20% of the market
  • In 2023, 74% of small and medium-sized businesses (SMBs) reported experiencing at least one cyber incident
  • Small businesses account for 31% of all data breaches reported in 2023
  • 60% of SMBs faced phishing attempts in the past year, leading to higher incidence rates
  • UK small businesses saw a 190% increase in cyber attacks from 2022 to 2023
  • 82% of small business owners believe they are targets but only 14% feel prepared, increasing vulnerability incidence
  • In the US, 1 in 10 small businesses suffer a cyber attack daily
  • SMBs experienced 2,200 cyber attacks per business on average in 2023
  • 46% of small businesses reported a breach in the last 12 months as per 2024 surveys
  • Ransomware attacks on small businesses rose by 37% year-over-year in 2023
  • 28% of small businesses closed permanently after a cyber attack
  • EU SMBs faced 15% higher attack rates than large firms in 2023
  • 67% of small retailers reported cyber incidents in 2023 holiday season
  • Phishing incidents affected 83% of small businesses in Q1 2024
  • SMB cloud misconfigurations led to 40% of breaches in 2023
  • 55% of small businesses in healthcare sector hit by attacks in 2023
  • DDoS attacks targeted 39% of small businesses globally in 2023
  • 71% of SMBs in finance reported incidents, highest sector rate
  • Cyber attacks on small manufacturers up 25% in 2023
  • 62% of small businesses in APAC faced ransomware in 2023
  • US small businesses saw 300% spike in supply chain attacks
  • 49% of SMBs experienced BEC scams leading to incidents
  • IoT vulnerabilities caused 22% of small business breaches
  • 76% of small construction firms hit by cyber events in 2023
  • Hybrid work increased SMB attack incidence by 35%
  • 58% of small nonprofits faced cyber incidents annually
  • SMB e-commerce sites breached at 41% rate in 2023
  • 65% of small law firms reported data exposures
  • Cyber incidents in small transport businesses up 28%
  • 53% of SMB accountants hit by attacks in tax season 2023

Prevalence and Incidence Interpretation

Small businesses are disproportionately under siege in cyberspace, with a stubborn and widespread belief in their own immunity creating a tragically ironic reality where their lack of preparedness makes them the favorite target for criminals.

Recovery and Response

  • Businesses with backups recover 60% faster from ransomware
  • SMBs with incident response plans reduce breach costs by 35%
  • MFA adoption cuts account compromise recovery time by 50%
  • Trained employees report 70% more phishing attempts early
  • Network segmentation limits breach scope to 40% of systems
  • Regular patching reduces exploit success by 65%
  • Cyber insurance claims processed 80% faster with preparedness
  • EDR tools detect 90% of ransomware before encryption
  • Tested backups restore data in 24 hours for 75% of cases
  • Zero-trust cuts lateral movement recovery by 45%
  • Phishing simulations improve detection rates to 92%
  • Cloud backups enable 55% quicker recovery vs on-prem
  • Incident response teams form in 2 days for prepared SMBs
  • DLP prevents 78% of data exfiltration attempts
  • Pen testing identifies 85% of vulnerabilities pre-attack
  • MDM wipes lost devices recovering 60% of data remotely
  • SIEM alerts reduce response time to 1 hour average
  • Third-party audits improve supply chain recovery by 40%
  • Password managers prevent 81% of credential breaches
  • AI threat hunting shortens dwell time to 1 day
  • Dark web monitoring alerts before 70% of identity thefts
  • Immutable backups thwart 95% of ransomware deletions
  • Cyber drills cut panic response errors by 50%
  • Endpoint protection blocks 99% of known malware
  • Post-incident reviews prevent 62% of repeat attacks
  • Automated backups achieve 100% uptime recovery in tests
  • MFA recovery from compromises takes 30% less effort
  • Vulnerability management programs restore ops 2x faster

Recovery and Response Interpretation

If your small business cybersecurity strategy is merely an afterthought dressed as a password sticky note, these statistics are your intervention, proving that a little preparation is essentially a cheat code for surviving the digital thunderdome.

Security Practices

  • Only 26% of SMBs use multi-factor authentication (MFA), exposing them to account takeovers
  • 51% of small businesses lack employee cybersecurity training programs
  • Just 14% of SMBs have incident response plans in place
  • 69% of small firms do not encrypt sensitive data
  • Only 28% conduct regular vulnerability scans
  • 45% of SMBs fail to patch software within 30 days
  • Cyber insurance held by only 34% of small businesses
  • 62% lack endpoint detection and response (EDR) tools
  • Backup testing done quarterly by just 22% of SMBs
  • Zero-trust architecture adopted by 17% of small firms
  • 73% do not segment networks to limit breach spread
  • Employee phishing simulations run by 31% annually
  • Cloud security posture management used by 25% of SMBs
  • Password managers implemented in 39% of small businesses
  • Regular penetration testing by 19% of SMBs
  • 55% have no mobile device management (MDM)
  • SIEM tools deployed in 12% of small operations
  • Data loss prevention (DLP) software in 27% of firms
  • 41% conduct third-party risk assessments yearly
  • Firewall updates automated in 33% of SMB networks
  • Cyber hygiene audits done by 24% semi-annually
  • MFA enforced on all accounts in 29% of SMBs
  • Incident reporting to authorities by 38% post-event
  • 67% lack AI-driven threat detection
  • Employee offboarding security checks in 44%
  • IoT security policies in 21% of connected SMBs
  • Dark web monitoring subscribed by 15%

Security Practices Interpretation

It is statistically more secure to run a medieval castle with a moat and a drawbridge than it is to run a modern small business, given that the castle's defense plan doesn't hinge on whether someone clicked a suspicious link offering a free PDF on proper chainmail maintenance.
