Heimdal
article featured image

Contents:

Small businesses are a big target for cyber criminals. Read our small business statistics rundown to get a true picture of how the sector is being affected in 2025.

Until relatively recently, cybercrime wasn’t perceived as a major risk for small businesses. Hackers traditionally focused on larger companies or government bodies with more money and troves of valuable data. 

But things have changed – a lot

Small and micro-businesses have digitally transformed, bigger firms have improved their defences, and hacking has become cheaper. As a consequence of these trends, small firms are now seen as increasingly attractive targets by criminals. 

At Heimdal, we work with small businesses around the world, and are continually monitoring for threats they face. In this article, we’ve compiled data and insights from surveys and studies published in 2025 or late 2024 to create a picture of small business cybersecurity challenges today. 

top cybersecurity for small businesses

Key small business cybersecurity statistics for 2025

Our teams read all the latest industry reports, government publications and academic papers into threats and issues facing small businesses. Here are the top small business cybersecurity statistics that have stood out in 2025:

  • 43% of SMBs have faced at least one cyber attack in the past 12 months
  • At 33.8% of all breaches, phishing is the most common kind of attack against small businesses
  • Less than half of businesses with fewer than 50 employees have a security plan in place
  • 63% of small businesses are spending more on cyber security this year
  • The average cost of a cyber attack on small UK businesses is £3,398 ($4,580)
  • Lack of funding is the top challenge for small business cybersecurity in 2025

Small businesses are indisputably a cyber crime target

For any small business that doesn’t think hackers are interested in them, let this be your wake-up call. 

Multiple studies this year have found that a high proportion of small businesses have experienced at least one breach in the past 12 months. 

In June 2025, MySecurityMarkeptplace published results of a survey with 445 professionals which revealed that 43% of small businesses faced at least one cyber attack in the preceding 12 months. 

This tallies with data from a UK government survey which found that 41% of micro businesses and 50% of small businesses had identified breaches or attacks in 2025. And a Mastercard survey across four continents also found that 46% of SMB business owners have experienced a cyber attack. 

While small businesses do receive fewer attacks than medium, large or enterprise-size businesses, they are clearly still a major target. 

Related: Cybersecurity for small and medium businesses

Kinds of cyber attacks affecting small businesses in 2025

Cyber criminals use a wide range of methods to attack small businesses. However, phishing, viruses and ransomware appear to be the most common attack vectors used against small businesses, according to a paper published in the Technology in Society scholarly journal in late 2024. 

attack types targeting small businesses

These figures correspond with an Australian academic study of small businesses which also found that phishing, ransomware and malware were the top three kinds of cyber attacks.

Software containing malicious files at SMBs

A 2025 Kaspersky report looked at the kinds of software containing most malicious files at small businesses. 

software with malicious files smb statistics

Consequences of a breach for small businesses

Discovering your business has been breached is immensely stressful for small business owners and employees. And the consequences can be severe. 

In the Technology in Society academic study, 240 businesses were analysed. Of this total, just under 15% reported direct consequences of breaches, as follows:

  • Stopped the business-as-usual activities – 5%
  • Negative impact on the revenue or share value – 1.7%
  • Repair or recovery costs – 4.2%
  • Fines from regulators or authorities or associated legal costs – 0.8%
  • Reputational damage and loss of customer trust – 2.1%

Meanwhile, a 2025 VikingCloud study reported that one in five small US businesses would go out of business if an attack cost them $10,000 in damages, and 55% of companies would fold if a cyber attack cost them $50,000.

Costs of cyber security breaches to small businesses in 2025

There are extremely wide ranging estimates for the costs to small businesses of cyber breaches in 2025, with estimates ranging from a few hundred dollars to several million. 

This range in cost estimates is down to a few factors. Some studies focus on the direct cost of a breach (e.g. paying a ransom), while others consider a far wider range of factors (e.g. loss of customer trust or impacts on productivity). Different publications classify ‘small’ businesses in different ways, which also affects estimates. 

 But to give you a sense of the costs, I’ve compiled figures from different sources:

  • Deepstrike estimates that for businesses with under 500 employees, the average cost of a data breach in 2025 is $3.31 million.
  • TechAisle reports that small businesses lose $1.6 million on average when they suffer cyber breaches in 2025.
  • Microsoft estimates that for companies with 25-299 employees, the average total cost of an attack is $254,445, although this can reach as high as $7 million.
  • But Vodafone reports that the cost of cyber attacks to UK firms with under 50 employees is a (comparatively) more manageable £3,398 ($4,580), rising to £5,001 ($6,740) for companies with over 50 staff. 
  • And a UK government survey reports that the average short-term direct cost of the most disruptive breaches for micro and small businesses is £990 ($1,334), while average long-term costs are £2,820 ($3,800).

Perceptions of cyber risk among small business owners

Around the world, small business owners are increasingly conscious of the risks associated with cyber crime. In our work, we’ve certainly noticed much higher awareness among entrepreneurs than just a few years ago. 

And this is reflected in a variety of studies that have asked SMB owners about how they perceive cyber threats. 

  • According to VikingCloud, 60% of SMBs recognise that they’re the top target for cybercriminals.
  • CrowdStrike reports that 93% of SMBs consider themselves to be knowledgeable about cybersecurity risks.
  • Microsoft found that nine in 10 agree that cyberthreats are a growing risk.
  • An academic study of small Australian businesses found that 78% of respondents agreed they are a target for cyber criminals.
  • 91% of SMBs told STL Partners that cybersecurity is a top priority for management.
  • 71 of SMBs told MySecurityMarketplace they’re confident they could handle a major cyber security incident.

And in response to this threat perception, 62% of small businesses in the UK government survey said they’d taken out cyber insurance.

But a perception vs action gap remains

While small businesses appear to be aware that they face risks of cyber breaches, this doesn’t always translate into preventative actions or strategies. 

According to VikingCloud:

  • 1 in 3 use outdated cybersecurity technology
  • 20% don’t have any cybersecurity technology at all
  • 22% don’t have cybersecurity measures for devices such as smartphones
  • 18% don’t require regular software updates
  • 17% don’t train their teams on cybersecurity

Similarly, Crowdstrike found that only 47% of small businesses (with fewer than 50 staff) had a security plan in place. Microsoft found that 26% of SMBs agreed with the statement “we’re too small to be targeted by hackers”. And even though a 2025 Coalition survey found that 79% of small businesses experienced at least one cyber attack in the past five years, 64% still don’t think they’re an attractive target to malicious actors. 

Strengths and weaknesses in security methods

Small businesses appear to have a mixed approach to using more advanced cybersecurity in 2025. 

Crowdstrike’s survey found that SMBs rely heavily on outdated tools, with firewalls (91%) and traditional antivirus (70%) remaining among the main types of defences they use. 

Compared to bigger businesses, SMBs are much less likely to use cutting edge cyber defences. According to the Australian study:

  • Less than half (48%) use multi-factor authentication
  • Just 21% carry out regular cyber security assessments
  • Only 17% perform routine vulnerability assessments
  • And Crowdstiek found only 11% use AI powered tools to defend against modern attacks

On the flip side, there are some positive results, showing that SMBs are using more advanced security in certain areas:

  • In the Australian study, 57% said they regularly patch operating systems and apps
  • 72% secure wireless access points and networks
  • And 72% regularly make full backups of important data

Cybersecurity spending is increasing at small businesses

In 2025, research suggests that small businesses are starting to increase their spending on defences to respond to the growing threats of cyber criminals. According to Analysys Mason, SMB spending on cyber security will reach $109 bn worldwide by 2026 at a 10% compound annual growth rate.

The MySecurityMarkeplace study found that 63% of small businesses have allocated more funds to cyber defences in 2025. Similarly, a UK study found that 52% of small companies have made a “slight” increase in their cybersecurity budget, and 10% have made a large investment in better defences in 2025.

That being said, many firms are still spending a relatively low proportion of their IT budget on defence. MySecurityMarkeplace found that 29% of companies spend less than 5%, and only 5% of firms spend more than 20% of their budget on defence. 

However, these figures are contradicted by the STL Partners survey which found that on average 39% of SMB IT spend goes on cybersecurity in 2025.

Barriers to better cybersecurity at small businesses

Small businesses appear to be aware of the risk of cyber attacks in 2025. So, what’s stopping them improving their defences? 

According to the Australian study, the top five challenges for implementing cybersecurity were:

  1. We lack funds/budget
  2. We lack in house cyber security skills
  3. Our primary focus is on sales and revenue
  4. It’s too technical
  5. Don’t know where to start from

These findings also reflect data from Crowdstrike’s 2025 study, which found that 66% of SMBs cite ‘cost’ as their top obstacle to adopting stronger cybersecurity.

Strategies for cybersecurity support for small businesses

Small businesses are using different approaches to securing their defences in 2025. According to a UK academic survey, the top five cyber management methods in order of frequency were:

  1. Employing cyber security staff
  2. Setting cybersecurity policies
  3. Performing cyber security checks
  4. Outsourcing
  5. Carrying out board-level discussions

VikingCloud’s study also looked at small business’s cybersecurity strategies and found some similar trends. They found that 74% of SMB owners self-manage cybersecurity or rely on an untrained family member or friend, and only 15% have hired external IT staff or used an MSP. And STL Partners also found that 48% of small businesses manage cybersecurity in house with a non-expert. 

One possible reason that so few SMBs work with external MSSPs and experts is the complexity of onboarding clients to security tools. In our recent survey into agent fatigue, we asked MSPs about their challenges with onboarding, and found that some of the most common challenges were:

  • Lengthy setup process with security tools
  • Lack of automation in the process
  • Integrating new clients into existing security platforms
  • Coordinating with vendors for onboarding and setup

 This suggests that MSPs may avoid working with small businesses because it’s simply too complex to onboard them to make it financially worthwhile. 

Suggested: How can MSPs solve the ‘small client problem’?

Small businesses are being let down

Although there are some bright spots, these 2025 small business cybersecurity statistics are concerning. Results from an array of surveys and studies strongly suggest that small businesses are not adequately protected, are using unsuitable cyber defences, and are at risk of being breached. 

Any business that experiences a cyber attack can face serious disruption and commercial setbacks. But they can be especially cruel for small businesses whose entrepreneurial owners can suffer severe personal losses if their companies get attacked. 

While small businesses ultimately need to take responsibility for their own security, MSPs, governments and cybersecurity software providers must also find ways to support this essential sector of the economy. 

At Heimdal, we work with MSPs, MSSPs and directly with small business owners to provide the tools needed to keep small businesses secure. Through our unified security platform, we provide an easy-to-use dashboard that allows MSPs and business owners to continually monitor their environments using the most advanced tools available. 

Discover Heimdal’s security platform – and learn how it can help small businesses today.

If you liked this article, follow us on LinkedIn, Reddit, X, Facebook, and Youtube.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE