+50 Cyber Attacks on Small Businesses Statistics

Cyber Attacks on Small Businesses Statistics

Are small organizations taking cyber attacks seriously enough? What type of threats are small businesses vulnerable to? What are the typical consequences of a security breach on small businesses? And how can these impacts be mitigated? 

These questions are especially relevant if you work (or plan to work) in a cyber security role for small businesses - either as a direct employee, a freelancer, a consultant, or through a managed service provider. And of course, if you plan to start your own business, you also need to know what security risks you could face.   

These cyber attacks on small businesses statistics can help achieve a greater understanding. With this in mind, here’s a rundown of recent research findings and trends. 

Cyber Attacks on Small Businesses Trends 

Recent figures show that cyber attacks on small businesses are increasing. In the last year alone, almost half of smaller organizations have been subject to an attack, and in many cases, this has led to an actual breach. 

1. Globally, 48% of SMBs (small and mid-size businesses) have experienced a cyber security incident in the past year. 25% say they have experienced more than one incident in the past year.  

2. 73% of US small business owners reported a cyber attack last year. 

3. An estimated 90% of cyber security breaches worldwide occur in small businesses.    

4. According to its latest DBIR summary, Verizon investigated 699 cyber security incidents in the last year impacting small businesses. 381 of these involved confirmed data disclosures. This compares to 496 incidents for large companies, of which 227 involving confirmed data breaches.

5. Between 2020 and 2022, the volume of cyber attacks against SMBs increased by 150%, reaching 31,000 attacks per day globally.

6. 67% of organizations with fewer than 1,000 employees have experienced a cyber attack at some point, and 58% have experienced a breach.   

Methods and Motives of Cyber Attacks on Small Businesses 

Regarding the who, how, and why of attacks, there is very little difference between SMBs and larger organizations. When hackers strike, they are mostly in it for the money

As Verizon illustrated recently, regardless of target size, the top attack patterns are the same: system intrusion, social engineering, and basic web application attacks represent the vast majority of breaches.  

7. 82% of all ransomware attacks target SMB organizations.  

8. 94% of small business cyber incidents investigated by Verizon last year involved external threat actors (85% for large businesses). 

9. For breaches involving small businesses last year, user credentials were the most commonly compromised category of data (compromised in 54% of breaches). For large companies, this figure was 37%. 

10. System intrusion, social engineering, and basic web application attacks represent 92% of all small business breaches.  

11. 98% of cyber attacks on small businesses are driven by financial motives (97% for large businesses).      

12. An average small business employee with less than 100 employees will receive 350% more social engineering attacks than an employee of a large enterprise. 

Impact of Cyber Attacks on Small Businesses 

As we highlighted in our recent Cyber Security Breach Statistics roundup, the global average data breach cost currently exceeds $4 million USD. For smaller businesses, the figures involved are a lot lower. However, a major breach's financial and operational hit tends to be a lot harder.  

13. 33% of small business owners hit by cyber attacks say they have experienced financial losses.  

14. Of small businesses that have experienced a cyber attack, 42% said it led to a financial loss. 32% said that it led to a loss of customer trust

15. Claims data from US small business insurance specialist Nationwide suggests that average cyber claims range between $15,000 USD and $25,000 USD in recovery costs. The data also shows that the average recovery time for a business after an attack is 279 days.

16. For companies with an annual turnover of less than $10 million USD, the average cost of recovery following a ransomware attack is $165,520 USD. 

17. 60% of small businesses close within six months of being hacked. 

18. The average cost-per-incident of DDOS for small-to-medium-sized businesses is $52,000 USD (compared to $444,000 USD for large enterprises). 

19. System downtime and reduced productivity are the most common impacts SMBs encounter after a cyber attack, experienced in 30% of attack instances.

1. Most Frequently Encountered Consequences of Cyber Attacks on Small Businesses

Small Business Cyber Attack Readiness 

As we’ve seen, small businesses face the same threat landscape as their larger counterparts. Where SMBs often diverge from big corporates, however, is in their ability to respond to threats. Lots of small businesses are failing even to cover the basics.

20. 87% of small businesses collect or process customer data that could be compromised.

21. 46% of SMBs do not use firewalls.

22. 42% of SMBs do not back up critical data.

23. Only 57% of SMBs monitor remote work security. 

24. Among those SMBs with a designated plan or process for remote work security, 25% say the plan is not universally adhered to.   

25. 21% of small businesses with 500 employees or less are developing security plans. 30% have no protection against cyber attacks. 

26. Only 28% of small business owners in the US report having cyber insurance. This compares to 71% of mid-size businesses. 

27. 56% of small business owners provide cyber security training to their employees once a year, compared to 94% of mid-size businesses. 

28. 24% of small business owners send phishing test emails to employees, compared to 65% of mid-size businesses. 

29. A third of businesses with 50 or fewer employees rely on free or consumer-grade cybersecurity tools.

30. 30% of SMB executives told Amazon that they know their company’s security, risk, and compliance requirements but are unsure of how to manage them. 

31. 41% of SMB respondents told Amazon that they haven’t provided any security training to their organizations.

32. Once they’ve experienced a cyber security incident, small business owners are much more likely to take action. 53% of small businesses hit by cyber attacks in the last year say they have implemented new security tools. 65% say they have provided further staff training

33. Only 8% of businesses with fewer than 50 employees have a dedicated cyber security budget.

Cyber Security Budget Status based on Business Size

34. Almost half (47%) of businesses with less than 50 employees rely on external resources for the planning, oversight, and execution of cybersecurity. This compares to 34% of companies with 50-249 employees and 31% of businesses with 250+ employees.

Internal Party Responsible for Cyber Security, based on Business Size

35. A third of small businesses would like additional help from their managed service provider in upgrading security. 

Attitudes of Small Businesses to Cybersecurity 

Many leaders of small businesses know they should be doing more about cybersecurity - but can’t keep up with what’s needed. There is also a sizeable minority who fall into the trap of thinking that a cyber attack is something that happens to other people. 

36. Most Common Cybersecurity Challenges for Small Business Owners: 

Keeping on top of new threats 51%
Ensuring employees understand what is expected of them 45%
Educating employees about cyber security44%
Understanding what protection is needed43%

37. Only 4 in 10 small business owners discuss cyber security regularly. 16% only discuss it when something goes wrong. 

38. The risk of ransomware attacks is the biggest cyber security concern for businesses with less than 50 employees. 

39. Phishing attacks are the biggest concern for businesses with 50-249 employees. 

Ranking of Cyber Security Concerns by Business Size

40. 59% of small business owners without cyber security measures say their business is “too small” to target.

41. Small business owners tend to underestimate the possible consequences of cyber attacks. 40% expect an attack to cost less than $1000 USD. 60% think it will take less than three months to recover. 

42. 77% of businesses with less than 50 employees cite complexity and lack of knowledge as factors preventing cyber security improvements from being made within their organization.

Factors Preventing Cyber Security Improvements, by Business Size

43. Globally, 44% of SMBs say that economic uncertainty and cost of living has reduced cyber security budgets.

44. Over half (52%) of small businesses consider it too costly to invest in cyber security. 

45. 47% of small business owners say they find navigating their cyber security options challenging, citing cost as the main barrier. 

46. Other barriers to paying more attention to cyber security include time (31%), lack of knowledge concerning security solutions (30%), and lack of awareness around potential threats (24%). 

47. 68% of small businesses say they would benefit from simple cyber security resources as an introductory measure. 

48. Only 48% of small business owners feel ready to prevent a cyber attack on their business, compared to 83% of mid-size business owners. 

49. 52% of small business owners say they want more support with education and training.

50. 40% of small businesses cite a “lack of skilled staff” as a barrier holding them back from investing in security. 

51. 35% of small business executives say security isn’t a strategic priority.

52. Just 22% of small business execs feel that they are ‘extremely well protected’ against cyber attacks.


Generally, a small business is as likely as a larger organization to be hit by a cyber attack. When it comes to social engineering, individual employees are statistically more likely to be targeted by an attack if they work for a smaller business.

Where small businesses often fall is in their ability to respond to threats. So, what’s the best way to fix this? 

If you’re a small business owner, one area of focus should be to boost your internal capabilities through upskilling existing staff in cyber security and looking carefully at the level of service you are currently getting from your MSP to ensure it is still fit for purpose. 

And if you’re currently working for a small business—perhaps in a general IT or admin role—you should think proactively. What cybersecurity skills is the business presently lacking? And what knowledge and credentials could you go out and get to fill those gaps? 

To learn more about managing defense for your business, applying security fixes, and the ins and outs of security, consider a StationX membership. We offer courses, labs, and more to help you become a cyber security expert.

Frequently Asked Questions


  1. AWS: ‘Three Common Misconceptions About Cloud Security that Are Holding Back Small and Medium Businesses, Article, October 2023 
  2. Barracuda: Spear Phishing: Top Threats and Trends, Report, March 2022
  3. Check Point: ‘Small-Medium Business Growth Plans Held Back by Inadequate Cybersecurity, Article, October 2022 
  4. CISO Magazine: ‘One in Three SMBs Rely on Free Cybersecurity Tools or Nothing’, Article, February 2020
  5. Corvus Risk Insights Index: ‘SMB Cyber Readiness’, Survey Findings, Q1 2022
  6. Cybersecurity Ventures: ‘60 percent of Small Companies Close Within 6 Months of Being Hacked’, Article, January 2019
  7. Infosecurity Magazine: ‘Small Businesses Suffer Record Number of Cyber Attacks’, Article, October 2023
  8. Kaspersky: Global IT Security Risks Survey, DDoS Attacks 
  9. Nationwide: ‘Cyber attack recovery time and cost much higher than businesses realize, Article, September 2022
  10. Sage: Cyber Security for SMBs, Report, November 2023
  11. SC Media: ‘Ransomware payouts and recovery costs went way up in 2023’, Article, August 2023
  12. Security Boulevard: Why Cybersecurity Needs to Be an SMB Priority, Article, December 2023 
  13. Security Brief Australia: ‘Cyber attacks target 309,000 small businesses with a third facing losses’, Article, November 2023 
  14. Tech Republic: ‘Cyberattacks on SMBs are increasing, will your business be ready?’, Article, March 2022 
  15. Verizon: Data Breach Investigations Report, SMBs, 2023  
  16. Wired: ‘Why Small Businesses Need to Take Cybersecurity Seriously’, Article  

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Gary Smith

    Gary spends much of his working day thinking and writing about professional and personal development, as well as trends and best practice in IT recruitment from both an organizational and employee perspective. With a background in regulatory risk, he has a special interest in cyber threats, data protection, and strategies for reducing the global cyber skills gap.

  • Jimmy says:

    Thank you amazing.

  • […] In 2023, users’ credentials were the most commonly compromised data category in data breaches involving small businesses, with about 54% compromised. […]

  • >