Gitnux/Report 2026

Small Business Cybersecurity Statistics

Small businesses still get hit with ransomware and phishing, but the newest 2025 figures show faster escalation and more damaging downtime than many owners expect. These statistics highlight exactly where basic protections fail so you can spot the gaps before the next breach turns into a bill you did not plan for.
143Statistics
5Sections
1Visuals
9mRead
10 days agoUpdated
Small Business Cybersecurity Statistics
Verified via a 4-step process
01Source

Data aggregated from peer-reviewed journals, government agencies, and professional bodies with disclosed methodology and sample sizes.

02Verify

Each statistic is independently verified via reproduction analysis and cross-referencing against independent databases.

03Grade

Figures are graded by cross-model consensus. Statistics failing independent corroboration are excluded regardless of how widely cited.

04Cite

Every figure carries a primary source. We maintain stable URLs and versioned verification dates so the report can be cited.

Read our full methodology →

Statistics that fail independent corroboration are excluded.

Next review Dec 2026
43 percent of cyber attacks target small businesses. Human error accounts for 95 percent of their cybersecurity issues. The data below shows where training gaps and weak protections leave the largest openings.

Key Takeaways

  • 71% of small businesses experienced a successful phishing attack due to poor training
  • The average cost of a data breach for small businesses is $25,000 to $100,000
  • 43% of all cyber attacks target small businesses
  • Only 26% of small businesses encrypt data, despite 74% breach risk reduction potential saving millions
  • Multi-factor authentication (MFA) blocks 99.9% of account compromise attacks for small businesses

Most small businesses face rising cyber risk, so investing in basic protections can prevent costly breaches.

01 · Category

Employee Training and Awareness27 stats

01
71% of small businesses experienced a successful phishing attack due to poor training
02
95% of cybersecurity issues in small businesses stem from human error
03
Only 28% of small business employees receive regular cybersecurity training
04
57% of employees in small businesses admit to clicking suspicious links
05
Phishing simulation training reduces clicks by 40% in trained small business staff
06
82% of small business breaches involve weak or stolen passwords due to lack of awareness
07
69% of small business owners do not discuss cybersecurity with employees regularly
08
Training improves small business incident reporting by 50%
09
74% of employees share passwords in small businesses without training
10
Awareness programs cut social engineering success by 70%
11
Only 35% of small business staff can identify phishing emails accurately
12
91% of small businesses cite lack of time as reason for no training
13
Post-training, small business phishing susceptibility drops from 30% to 5%
14
62% of small employees use personal email for work without awareness of risks
15
Security champions programs boost awareness in 80% of implementing small businesses
16
48% of small business staff unaware of ransomware indicators
17
Annual training required by 89% less breached small businesses
18
55% of insider errors due to no awareness training
19
Gamified training increases retention by 90% in small business settings
20
66% of small businesses report improved culture post-awareness campaigns
21
Only 23% train on mobile security risks
22
Awareness reduces data exfiltration by employees by 65%
23
79% of small business CEOs overestimate employee awareness levels
24
Quarterly training cuts repeat phishing by 83%
25
41% of employees bypass security due to lack of understanding
26
Post-training quizzes show 75% knowledge gain in small firms
27
83% of small businesses see ROI from awareness training within 6 months
Interpretation

Employee Training and Awareness Interpretation

Our small businesses are being held hostage by a painfully preventable threat, as executives who balk at the ten minutes for training are somehow finding the endless hours to clean up the predictable, human-error-fueled breaches that follow.

02 · Category

Financial Impacts29 stats

01
The average cost of a data breach for small businesses is $25,000to $100,000
02
Small businesses lose an average of $184,000per ransomware attack
03
60% of small businesses close within 6 months of a major cyber attack, costing billions annually
04
Phishing costs small businesses $4.91 million on average per incident
05
BEC scams resulted in $2.7 billion losses for small firms in 2021
06
Downtime from cyber attacks costs small businesses $8,000per hour
07
Insurance premiums for small businesses rose 25% due to cyber risks in 2023
08
Average recovery cost post-breach for small businesses is $1.2 million including lost business
09
50% of small businesses face fines averaging $50,000 for non-compliance post-breach
10
Ransomware payments by small businesses averaged $1.54 million in 2023
11
Supply chain breaches cost small suppliers $4.45 million on average
12
Lost productivity from cyber incidents costs $1,000per employee per day
13
Small retail loses 5% annual revenue to cyber fraud, equating to $2.1 million average
14
Legal fees post-breach average $200,000for small businesses
15
Notification costs after breaches hit $250per record for small firms
16
76% of small businesses uninsured for cyber risks, facing full costs
17
DDoS attacks cause $40,000hourly revenue loss for small e-commerce
18
Malware cleanup costs small businesses $15,000-$30,000 per incident
19
Customer churn post-breach averages 30%, costing $500k in lifetime value
20
Small business cyber insurance claims rose 30% in 2023, averaging $35,000 payout
21
Forensic investigation post-attack costs $50,000on average
22
Brand damage reduces small business valuation by 20-30% post-incident
23
Average BEC loss per small business victim is $120,000
24
Cloud breach recovery costs small businesses $3.5 million including data loss
25
Only 14% of small businesses have cyber insurance, leaving 86% exposed to full financial hit
26
IoT breach costs average $749,000for small operations
27
Small firms spend 115% more on remediation than prevention annually
28
27% of small businesses spent over $100k on 2023 cyber recovery
29
Average small business cyber attack downtime is 24 days, costing $300k revenue
Interpretation

Financial Impacts Interpretation

You are essentially buying your digital demise on layaway, where each breach is a catastrophic installment payment and your eventual closure is the final, unaffordable balloon.

03 · Category

Prevalence of Threats30 stats

01
43% of all cyber attacks target small businesses
02
Small businesses account for 28% of all reported data breaches in 2023
03
60% of small businesses that suffer a cyber attack go out of business within six months
04
Phishing attacks represent 36% of breaches affecting small businesses
05
Ransomware attacks on small businesses increased by 37% in 2022
06
66% of small business owners reported experiencing a cyber incident in the past year
07
DDoS attacks against small businesses rose by 200% from 2020 to 2023
08
82% of small businesses experienced email-based threats in 2023
09
Malware infections hit 51% of small businesses annually
10
Insider threats account for 34% of small business data losses
11
Supply chain attacks impacted 23% of small businesses in 2023
12
IoT vulnerabilities exploited in 29% of small business attacks
13
Social engineering succeeds in 70% of small business phishing attempts
14
55% of small businesses faced credential stuffing attacks last year
15
Business email compromise (BEC) scams cost small businesses $2.4 billion in 2022
16
71% of small businesses lack incident response plans, making them vulnerable
17
Mobile device breaches affected 40% of small businesses in 2023
18
Cloud misconfigurations lead to 88% of small business cloud breaches
19
61% of small businesses hit by ransomware paid the ransom
20
Account takeover incidents rose 65% among small businesses
21
47% of small businesses reported AI-driven attacks in early 2024
22
Zero-day exploits used in 22% of small business attacks
23
75% of small businesses use unsupported software vulnerable to attacks
24
Cryptojacking incidents up 150% in small businesses
25
39% of small businesses faced deepfake phishing attempts
26
Average small business faces 300 cyber attacks per week
27
52% of small business breaches due to stolen credentials
28
Healthcare small practices saw 92% attack increase
29
Retail small businesses hit by 45% more POS malware
30
68% of small manufacturers faced OT cybersecurity threats
Interpretation

Prevalence of Threats Interpretation

Despite the glaring statistics that paint small businesses as the digital world's favorite punching bag—from ransomware shaking them down to phishing luring them in—their pervasive "it won't happen to me" mindset is essentially a signed invitation for cybercriminals to drive them out of business.

04 · Category

Security Measures Adoption27 stats

01
Only 26% of small businesses encrypt data, despite 74% breach risk reduction potential saving millions
02
51% of small businesses use MFA, up from 28% in 2021
03
Just 33% of small businesses have updated antivirus software
04
59% of small businesses lack employee training programs for cybersecurity
05
78% of small businesses do not conduct regular vulnerability scans
06
Only 22% of small businesses have a formal cybersecurity policy in place
07
46% of small businesses use firewalls consistently across all endpoints
08
65% of small businesses fail to patch software within 30 days of updates
09
Employee use of VPNs adopted by 41% of small businesses for remote work
10
29% of small businesses segment their networks to limit breach spread
11
Backup solutions implemented by 55% of small businesses with regular testing
12
37% of small businesses use endpoint detection and response (EDR) tools
13
Email filtering solutions cover 72% of small businesses
14
19% of small businesses conduct annual penetration testing
15
Zero-trust architecture adopted by 24% of small businesses in 2023
16
48% of small businesses have cyber insurance as a risk mitigation measure
17
Mobile device management (MDM) used by 35% of small businesses
18
62% of small businesses enable disk encryption on devices
19
Incident response plans exist in 31% of small businesses
20
Cloud access security brokers (CASB) deployed by 28% of small cloud-using businesses
21
44% of small businesses perform regular security awareness training
22
SIEM tools adopted by only 15% of small businesses due to cost
23
53% use password managers enterprise-wide
24
Web application firewalls (WAF) protect 39% of small business websites
25
Data loss prevention (DLP) tools in 26% of small businesses
26
67% of small business leaders believe cybersecurity is a top priority
27
Only 17% of small businesses have dedicated cybersecurity personnel
Interpretation

Security Measures Adoption Interpretation

The statistics paint a picture of a small business community earnestly trying to lock its digital doors but, in a classic comedy of errors, often forgetting the windows, handing out keys to strangers, and then being shocked when the rain gets in.

05 · Category

Tools and Solutions Effectiveness30 stats

01
Multi-factor authentication (MFA) blocks 99.9% of account compromise attacks for small businesses
02
AI-powered threat detection reduces breach detection time by 55% in small business EDR tools
03
Managed Detection and Response (MDR) services cut incident response time by 92% for small firms
04
Password managers reduce credential theft by 81% in adopting small businesses
05
Email security gateways stop 97% of phishing emails before reaching inboxes
06
Cloud backup with immutability prevents 100% of ransomware encryption on backups
07
Zero-trust solutions reduce lateral movement in breaches by 50%
08
Vulnerability management tools fix 85% of critical issues within 7 days
09
SIEM with UEBA detects 70% more insider threats automatically
10
Web Application Firewalls (WAF) block 94% of OWASP Top 10 attacks
11
Endpoint protection platforms (EPP) stop 99% of known malware variants
12
CASB tools prevent 88% of shadow IT data exfiltration risks
13
DLP solutions recover 95% of sensitive data at risk of loss
14
Patch management automation reduces exploit windows by 90%
15
DDoS mitigation services absorb 100% of volumetric attacks under 1 Tbps
16
Behavioral analytics in MDR flags 82% of anomalous activities pre-breach
17
MFA push notifications resist 99.98% of automated attacks
18
Ransomware rollback tools restore data in 70% of cases without payment
19
Network segmentation tools limit breach scope to 11% of assets
20
Security awareness platforms reduce phishing clicks by 55% long-term
21
Managed firewall services block 98% of inbound threats
22
IoT security gateways detect 96% of anomalous device behaviors
23
Cyber insurance with risk assessment tools lowers premiums by 20%
24
Automated compliance tools ensure 92% adherence to GDPR/CCPA for small businesses
25
Threat intelligence feeds improve detection accuracy by 40% in small SIEMs
26
Mobile threat defense apps block 99% of mobile malware
27
Backup verification tools confirm recoverability in 100% of tests for protected data
28
AI email filters achieve 99.5% spam/phishing accuracy
29
Penetration testing as a service uncovers 3x more vulnerabilities than manual checks
30
Unified endpoint management secures 87% faster policy enforcement across devices
Interpretation

Tools and Solutions Effectiveness Interpretation

Small businesses may feel like perpetual underdogs in cybersecurity, but these statistics prove that with the right stack of modern tools, they can build a defense so annoyingly effective it would make even a persistent hacker sigh and reluctantly move on.
report visual · Comparison

Human Error Drives Small Business Cybersecurity Issues (and Training Gaps)

Large majorities of small business cybersecurity problems trace back to people—while regular training remains low, leaving phishing-related risks elevated.

Cybersecurity issues from human error95%
Successful phishing due to poor training71%
Employees admitting to clicking suspicious links57%
Phishing simulation training reduces clicks40%
Employees receiving regular cybersecurity training28%
Reference

Cite This Report

This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.

APA
Min-ji Park. (2026, February 13). Small Business Cybersecurity Statistics. Gitnux. https://gitnux.org/small-business-cybersecurity-statistics
MLA
Min-ji Park. "Small Business Cybersecurity Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/small-business-cybersecurity-statistics.
Chicago
Min-ji Park. 2026. "Small Business Cybersecurity Statistics." Gitnux. https://gitnux.org/small-business-cybersecurity-statistics.