Small businesses are now at the epicenter of a growing cybersecurity crisis, with ransomware, AI-driven scams, and supply chain breaches driving record losses in 2025. Despite increased awareness, the vast majority of small to medium-sized businesses lack adequate protections, training, and insurance, making them key targets for a rapidly evolving cybercriminal landscape.
According to the latest Verizon Data Breach Report, which analyzed more than 22,000 incidents, small to medium-sized businesses (SMBs) accounted for 82% of ransomware victims. These attacks have surged by 25% in the past year alone, and data theft prior to encryption has nearly doubled in frequency. As of early 2025, at least 80 active ransomware groups are operating globally, with 16 new groups emerging just since January.
Compounding the issue, most SMBs do not believe they are likely to be targeted. One in three SMBs suffered a cyberattack last year, yet only 17% carry cyber insurance. Worse still, 32% of small businesses say that a single day of downtime, or roughly $10,000 in losses, could permanently put them out of business.
The growing threat
Artificial intelligence (AI) is now supercharging Business Email Compromise (BEC) scams. Since cybercriminals are utilizing AI to generate flawless, convincing messages and impersonations, this enables targeted attacks at scale. The FBI has reported $2.9 billion in BEC losses last year alone. Moreover, small business employees now face 350% more social engineering attacks than staff at larger firms.
Additionally, third-party and supply chain attacks have doubled in frequency, ranging from 15% to 30% of all breaches, according to Verizon’s report. Nearly half of companies expect supply chain-based cyberattacks in 2025. Cloud services are also under siege, with a 75% increase in intrusions largely due to misconfigurations and weak credentials. Yet, several SMBs mistakenly assume that vendors and cloud providers will cover their security gaps.
Post-breach fallout
The average cost of a data breach now stands at $4.88 million, a 10% increase from last year. In 2024, over 5.5 billion accounts were compromised, fueling future attacks and regulatory action. Even small businesses can result in legal battles and lost customer trust. Alarmingly, 64% of SMBs remain unfamiliar with cyber insurance options, despite 87% handling sensitive employee or customer data.
Furthermore, with an increasing number of SMBs supporting remote work and the Internet of Things (IoT) devices, attack surfaces have expanded immensely. Many remote workers don’t use VPNs or enforce multi-factor authentication (MFA), and 22% of small businesses have no mobile device security policy. Home offices, public Wi-Fi, and outdated software give attackers new entry points.
Nevertheless, cybersecurity threats are no longer just an enterprise issue. For the 34 million SMBs in the U.S., building a resilient security posture in 2025 is not optional; it is essential for survival.
