SMB Cybersecurity Statistics for 2026

June 1, 2026

Small and medium-sized businesses now sit at the center of the cybercrime economy, not on its edges. The Verizon 2025 Data Breach Investigations Report found that ransomware is now present in 88% of breaches affecting SMBs, compared with 39% at large enterprises, after analyzing more than 22,000 security incidents and 12,195 confirmed breaches. The Identity Theft Resource Center's 2025 Business Impact Report puts the share of small businesses that suffered a security breach, a data breach, or both in the past 12 months at 81%, with 62.5% of victims reporting total financial impact above $250,000. SMBs are no longer collateral damage in attacks aimed at the Fortune 500. They are the target.

Summary: SMB cybersecurity statistics at a glance

  • 88% of SMB breaches now involve ransomware, versus 39% at large enterprises (Verizon 2025 DBIR).
  • 81% of small business owners and executives say they suffered a security breach, a data breach, or both in the past year (ITRC 2025 Business Impact Report).
  • $115,000 is the median ransom payment to attackers across all victim sizes, a figure that can easily exceed an SMB's annual security budget (Verizon 2025 DBIR).
  • $638,536 is the average ransomware recovery cost for SMBs with 100 to 250 employees, excluding any ransom paid (Sophos State of Ransomware 2025).
  • 228 employees is the median size of a ransomware victim organization in early 2025, confirming that the mid-market is the prime target (Coveware Q1 2025).
  • 30% of all breaches now involve a third party, double the prior year, putting outsourced IT and SaaS dependencies in the spotlight (Verizon 2025 DBIR).
  • 59% of businesses globally experienced a cyberattack in the last 12 months (Hiscox Cyber Readiness Report 2025).
  • 38.4% of SMB leaders say they feel very prepared for a cyberattack, down from 56.5% the year before (ITRC 2025).

SMB attack frequency: how often small businesses are hit

The myth that attackers prefer enterprise targets is over. According to the Verizon 2025 DBIR, SMBs absorbed nearly four times the attack volume of larger organizations over the reporting period. Verizon's analysis spans more than 22,000 incidents and 12,195 confirmed breaches between November 2023 and October 2024, with ransomware involved in 44% of all breaches, up from 32% the year before.

The Hiscox Cyber Readiness Report 2025, which surveys businesses across the US, UK, and Europe, found that 59% of respondents experienced a cyberattack in the last 12 months, with a third of breached organizations (33%) hit with a substantial regulatory fine in the aftermath. Hiscox notes that smaller businesses are now reporting higher year-over-year incident growth than larger peers, reversing the pre-2022 trend where enterprises took the brunt.

On the ground, Huntress's 2025 Cyber Threat Report (drawn primarily from telemetry inside small and mid-sized environments) shows that nearly 24% of incidents now involve infostealers and that malicious scripts make up another 22% of detected attacks. In 65% of incidents Huntress investigated, attackers hijacked the SMB's own remote monitoring and management (RMM) tooling to maintain persistence, turning the IT stack itself into the attack path.

The cost of a breach for a small business

Headline breach-cost figures usually quote enterprise averages. The reality at the SMB level is a wider, scarier range. The Sophos State of Ransomware 2025 survey, which separately reports recovery costs by company size, puts the average cost to recover from a ransomware attack at $1.53 million across all victims, down from $2.73 million a year earlier. For SMBs in the 100 to 250 employee band, the figure is still steep at $638,536, excluding any ransom paid.

The ITRC's 2025 Business Impact Report sharpens the SMB picture further. Among small businesses that suffered an incident, 62.5% reported a total financial impact above $250,000 in 2025, and 36.7% of victims faced costs above $500,000, an increase over 2024. For the first time, 38.3% of breached small business leaders told ITRC they raised prices to absorb the cost, passing cybercrime onto customers.

For context, the global average cost of a data breach across all company sizes is $4.44 million in 2025, down 9% from $4.88 million in 2024, according to the IBM Cost of a Data Breach Report 2025. In the United States, the same report puts the average breach cost at $10.22 million, the highest of any region. The gap between the global average and the SMB-specific Sophos and ITRC figures shows why SMBs cannot benchmark themselves against IBM's headline number. They need their own.

Ransomware: the single biggest threat to SMBs in 2026

The 88% ransomware involvement figure from the Verizon 2025 DBIR is the single most quoted SMB cybersecurity statistic for good reason. It captures a structural shift: ransomware groups have stopped reserving themselves for billion-dollar prey and now run high-volume campaigns against the mid-market. As IDC's Craig Robinson put it in Verizon's accompanying analysis, SMBs are paying the price for their size with ransomware now present in 88% of breaches they suffer.

Coveware's quarterly data confirms the targeting pattern. The Coveware Q1 2025 report puts the median size of a victim organization at 228 employees, with companies of 11 to 100 employees making up 35.6% of attacks and the 101 to 1,000 employee band another 32.7%. Together, businesses below the 1,000-employee mark accounted for more than two thirds of all observed ransomware engagements.

Payment behavior is shifting. Sophos finds that 49% of organizations that suffered a ransomware attack paid the ransom and recovered their data, the second-highest payment rate in six years but down from 56% the prior year. Among the 826 organizations that disclosed both the demand and the payment, victims paid an average of 85% of the initial ask. Verizon, looking at all breaches, found that 64% of victim organizations did not pay, compared with 50% two years earlier. Resistance is rising, but the median ransom payment of $115,000 still lands like a wrecking ball on a 50-person company.

Budget, staffing, and the SMB security gap

Why are SMB breach rates climbing while enterprise rates flatten? The resourcing gap is now quantifiable. According to context provided alongside the Verizon 2025 DBIR findings, SMBs typically allocate 6 to 9% of their IT budget to cybersecurity, compared with 12 to 15% at large enterprises, and 43% of SMBs have no dedicated cybersecurity staff member at all.

The ITRC 2025 Business Impact Report documents a worrying reversal in foundational controls. Implementation of critical security measures like multi-factor authentication declined among SMBs from 33.6% in 2024 to 27.2% in 2025. Self-assessed readiness fell in step: only 38.4% of small business leaders said they feel very prepared for a cyberattack in 2025, down from 56.5% the year before. The combination of higher attack volume and lower control adoption is exactly the gap that ransomware crews are exploiting.

Sophos's recovery economics tell the same story from the other side. Recovery cost falls dramatically when victims have working backups, segmented networks, and modern endpoint protection in place. Average recovery costs dropped 44% year over year to $1.53 million as backup and detection investments paid off, but the SMBs that lacked those controls saw the worst outcomes, with extortion-only incidents and rebuild-from-scratch recoveries pushing the upper end of the cost distribution.

Supply chain and MSP risk: the SMB attack surface keeps widening

Third-party risk is no longer a Fortune 500 concern. The Verizon 2025 DBIR found that the share of breaches involving a third party doubled in a single year to 30%, with most of those incidents originating from vendor compromises rather than direct intrusion. For SMBs, which often outsource IT, payroll, accounting, and core SaaS to a handful of providers, that means the most likely route into the business is now through a partner's network rather than the front door.

Managed service providers (MSPs) have become a particularly attractive force multiplier for attackers. Huntress's 2025 Cyber Threat Report observed that in 65% of incidents inside SMB environments, adversaries hijacked the remote monitoring and management tooling supplied by an MSP or internal IT team. Tools designed to deploy software silently to hundreds of endpoints are equally effective for deploying ransomware to those same endpoints. Huntress also notes that remote access trojans like AsyncRAT and Jupyter were present in more than 75% of the remote access incidents it investigated.

Emerging trends and what is new in 2026

Several 2026 themes are reshaping the SMB threat model.

Shadow AI is now a measurable cost line. The IBM Cost of a Data Breach Report 2025 quantified the new attack surface created by unsanctioned AI tools: organizations that suffered a breach involving shadow AI paid roughly $670,000 more on average than those without. Twenty percent of breaches IBM analyzed involved an AI-related vector, and 13% of those involved an AI model or AI-powered application directly. SMBs, which typically allow generative AI use to flow ahead of formal policy, are disproportionately exposed.

Vulnerability exploitation is the fastest-growing entry vector. Verizon recorded a 34% year-over-year increase in vulnerability exploitation as an initial access method, with zero-days targeting perimeter devices and VPNs driving the surge. For SMBs whose firewall or VPN appliance is rarely patched within the 30-day window, this is the most dangerous shift in the threat landscape. Credential abuse remains the single most common initial vector at 22% of breaches, but the gap is closing fast.

Attackers are pricing ransoms to fit the victim. The Sophos State of Ransomware 2025 found that median ransom demands now scale with revenue: companies with over $1 billion in revenue saw median demands of $5 million, while organizations under $250 million in revenue saw median demands below $350,000. Ransomware crews have adopted dynamic pricing. The implication for SMBs is that being small is no longer a deterrent; it just changes the dollar figure on the demand note.

Ransomware fragmentation is making attribution harder. Huntress's 2025 report documents how the takedowns of LockBit and Hive in 2023 and 2024 did not reduce attack volume; they just scattered affiliates across dozens of smaller groups. That fragmentation means SMBs now face a more unpredictable threat landscape, with new ransomware brands appearing monthly and threat intel feeds struggling to keep up.

Self-assessed readiness is falling while incidents rise. The combination of ITRC's data on declining MFA adoption and falling SMB readiness with rising attack rates from Verizon, Sophos, and Hiscox points to a confidence collapse in the SMB segment. Many small business leaders, having watched MSPs and security vendors compromised in 2024 and 2025, no longer believe that outsourcing risk is enough. Expect 2026 to be the year SMBs reach the limits of the outsource-everything model and start to rebuild in-house security baselines.

For broader context on the trends above, see our ransomware statistics and phishing statistics roundups.

How swif.ai helps SMBs close the cybersecurity gap

swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai unified endpoint management to see how it works.