The old advice was simple: you’re probably too small to bother with. Cybercriminals go after the big fish, the enterprises with millions of customer records and deep pockets. Run a 50-person accounting firm or a regional plumbing supply company? You’re safe.
That logic is now dangerously outdated.
In 2025, 80% of small businesses experienced at least one cyberattack. Not because they were unlucky or singled out, but because automated attack tools have made it cheap and easy to sweep for vulnerabilities across millions of small business systems simultaneously. You’re not being targeted. You’re being fished.
The attack surface nobody talks about
Small businesses have the same digital footprint as large enterprises, minus the security budget. You run Microsoft 365. You have remote employees accessing shared drives. You probably use some cloud-based accounting software, a CRM, maybe a VoIP phone system. Each connection point is a potential entry.
A Fortune 500 company has a security operations center monitoring those entry points 24/7. You have whoever handles IT when they’re not doing something else.
This is exactly what attackers exploit. Ransomware-as-a-Service platforms now let anyone with a few hundred dollars and minimal technical skill launch professional-grade attacks. The tools have gotten better; the barrier to entry has dropped to nearly zero. Three ransomware groups were responsible for nearly half of all ransomware attacks in a recent month, and they weren’t exclusively going after big targets.

The AI factor
Forty-one percent of small business cyber incidents in 2025 were AI-driven. Phishing emails that used to announce themselves with bad grammar and obvious red flags now read like internal memos from your CEO. Business Email Compromise attacks, where attackers impersonate executives or vendors to wire money, increasingly use AI to generate convincing correspondence. In Q2 of last year, 40% of BEC emails were AI-generated.
This matters for small businesses because you lack the dedicated training resources that larger organizations can throw at employee awareness. Your team isn’t getting quarterly phishing simulations and security briefings. They get a memo once a year, maybe.
Attackers know this. They’ve calibrated their tools accordingly.
What breaches actually cost
The numbers are grim. For companies with fewer than 500 employees, the average cost of a data breach now runs $3.31 million. That’s not a typo. That’s direct costs, regulatory fines, legal fees, lost business while systems are down, and the customers who never come back.
Most small businesses don’t have cyber insurance that covers this. Many don’t have any cyber insurance at all. Of those that do, policy language often excludes certain types of attacks or requires documentation standards that small businesses can’t meet in the chaos of an incident.
The survival rate after a significant cyberattack for a small business is grim. Not because the attacks are technically unstoppable, but because the financial shock is often terminal.
The myths that get small businesses in trouble
“We use a cloud provider, so we’re covered.” Your cloud provider secures their infrastructure. You’re responsible for your data, your access controls, your configuration. The 2019 Capital One breach happened because of a misconfigured web application firewall, not a failure at Amazon’s end.
“Our employees would never click on that.” The most sophisticated phishing emails don’t look like phishing emails. They look like DocuSign notifications, QuickBooks invoices, or a Slack message from your office manager about a voicemail. By the time someone realizes something’s wrong, it’s too late.
“We’d know if we were attacked.” Dwell time, the period between a breach and its discovery, averages over 200 days for small businesses. Your systems might be compromised right now, with an attacker watching your email traffic and mapping your financial processes, waiting for the right moment to strike.
What actually works
You don’t need enterprise security to dramatically reduce your risk. The basics work; they just require consistency.
Multi-factor authentication on everything. If your email is compromised, attackers have a foothold into everything else. One compromised email account has been the starting point for breaches that cost companies millions. Every account, no exceptions.
Offline backups. Ransomware attackers specifically target backups first. If your backup solution is connected to your network, it can be encrypted along with everything else. Offline, tested backups that you can actually restore from are non-negotiable.
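"Tested backups that you can actually restore from" is a check you can automate. The script below is an added example, not code from the article: it backs up a small constructed set of business files into a tar.gz archive with a SHA-256 manifest, restores the archive into a scratch directory, and compares every restored file against the manifest. It then shows why the manifest matters by backing up the same folder after one file has been overwritten (standing in for a file that ransomware had already encrypted when the backup ran) and verifying that copy against the original manifest. The file names, contents and paths are all constructed for the example.

```python
"""Test-restore check for a backup archive with a SHA-256 manifest.

Added example with constructed sample data. The manifest is written when
the backup is taken and should travel with the offline media; a restore
that matches it proves both that the archive is readable and that the
files inside are the ones you meant to keep.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for real business files.
SAMPLE_FILES = {
    "ledger/2025-q1.csv": "date,account,amount\n2025-01-03,4010,1250.00\n",
    "ledger/2025-q2.csv": "date,account,amount\n2025-04-02,4010,980.50\n",
    "contracts/acme.txt": "Service agreement with Acme (sample text).\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, archive: Path, manifest: Path) -> dict:
    """Archive every file under src_dir and write a manifest of path -> SHA-256."""
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return hashes


def verify_restore(archive: Path, manifest: Path, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and compare it with the manifest.

    Returns lists of missing, unexpected and mismatched files; the backup
    passes only if all three are empty.
    """
    expected = json.loads(manifest.read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the 'data' extraction filter where this Python supports it, so a
        # crafted archive cannot write outside restore_dir.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    restored = {p.relative_to(restore_dir).as_posix(): sha256_file(p)
                for p in restore_dir.rglob("*") if p.is_file()}
    return {
        "missing": sorted(set(expected) - set(restored)),
        "unexpected": sorted(set(restored) - set(expected)),
        "mismatched": sorted(k for k in expected
                             if k in restored and restored[k] != expected[k]),
    }


def backup_passes(report: dict) -> bool:
    return not any(report.values())


def run_demo() -> tuple:
    """Good backup passes; a backup taken after a file was overwritten fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, manifest = root / "src", root / "manifest.json"
        for rel, text in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        create_backup(src, root / "backup.tar.gz", manifest)
        good = verify_restore(root / "backup.tar.gz", manifest, root / "restore1")

        # Simulate a later backup that captured an already-damaged file.
        (src / "ledger/2025-q1.csv").write_text("ENCRYPTED-BY-RANSOMWARE (constructed)\n")
        create_backup(src, root / "backup_damaged.tar.gz", root / "manifest_ignored.json")
        damaged = verify_restore(root / "backup_damaged.tar.gz", manifest, root / "restore2")
        return good, damaged


if __name__ == "__main__":
    good_report, damaged_report = run_demo()
    print("good backup passes:", backup_passes(good_report))
    print("damaged backup report:", damaged_report)
```

Run the restore test from a machine that is not the one being backed up, against the offline copy, and keep the manifest with the media rather than on the file server: if an attacker can rewrite both the backup and the manifest from the network, the check proves nothing.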
Patch management. A decade-old vulnerability in a VPN appliance was responsible for millions in breach costs in 2024. The vulnerability had been patched. The companies affected hadn’t applied the update. Pick one day a month to update critical systems and treat it like a business meeting you can’t cancel.

Incident response plan. Only 34% of small businesses have a formal incident response plan. When you’re in the middle of an attack is a terrible time to figure out who does what, which systems to shut down first, and how to communicate with customers. Write the plan now, while your systems are running normally.
Assume your vendors are a risk. Your IT managed service provider, your payroll processor, the software your accountant uses to access your books, all of these are potential entry points. Ask your vendors about their security practices. If they can’t give you a straight answer, that’s information.
The hard truth
You can’t prevent every attack. Nation-state actors and determined criminals will sometimes get through no matter what you do. What you can do is make yourself a harder target than the business next door, build systems that recover quickly, and understand that security is not a product you buy but a practice you maintain.
The attackers aren’t going to stop targeting small businesses. The tools are getting cheaper and more sophisticated. The only question is whether you’re going to do anything about it before something happens, not after.