7 SMB Cybersecurity Statistics You Need to Know in 2025

Cybersecurity isn’t just at the top of the discussion queue within the IT channel. Businesses and governments worldwide have been paying close attention to rising cyber threats and SMB cybersecurity statistics.

Many have learned the hard way that small businesses are frequent targets of all types of cyberattacks. The idea of “targeting a victim” itself has come into question, as indiscriminate attacks are now the status quo. SMEs are particularly vulnerable, often lacking the awareness, staff, or cyber posture needed to resist them.

This is only one of many realizations that emerged in 2024. As we head through 2025, new threats and attack patterns continue to evolve, and MSPs must adapt or face significant consequences. Below are seven SMB cybersecurity statistics and trends that matter most this year.

What this article will cover:

• How many businesses are still vulnerable to cyberattacks?
• What are the leading cyber threats in 2024?
• Antivirus takes a backseat to endpoint protection
• The state of ransomware in 2024
• What MSPs can do about SME cybersecurity

1. The vast majority of businesses are still vulnerable to attack

94 percent of SMBs have experienced at least one cyberattack in the last year.

Furthermore, stats from Connectwise, show that at least 78% of SMBs fear that a major incident could put them out of business.Additionally, the emergence of AI has made these attacks more sophisticated: it is predicted that by 2027, 17% of cyberattacks will be executed with the help of generative AI.

Positive Technologies conducted a series of pen tests across several large sectors, including finance, fuel and energy, government bodies, industrial businesses, and even IT companies. They proved that in 93 percent of test cases, an attacker could breach an organization’s network defenses and gain access to the local network.

A study by VikingCloud reveals that downtime due to a cyberattack costs businesses about $53,000 an hour. (Source)

Downtime remains one of the biggest hidden costs. According to IBM’s Cost of a Data Breach 2025 Report, the average breach now costs $4.88 million globally and takes 204 days to identify. For smaller organizations, this kind of disruption can be devastating.

Additionally, as pointed out in Cybersecurity Magazine (Source):

• 30% of small businesses view phishing as their biggest cyber threat
• 83% of small and medium-sized businesses are not prepared to recover from the financial damages of a cyber attack
• 91% of small businesses haven’t purchased cyber liability insurance, despite awareness of risk and the likelihood that they would be unable to recover from an attack
• Only 14% of small businesses consider their cybersecurity posture to be highly effective

Why are businesses still hesitant to embrace a more robust approach to security? While cybersecurity statistics are good for understanding the nature of the threat environment, they don’t always work well as a tool for changing perceptions. Toward that end, many in the cybersecurity and channel community have advocated for a change in attitude toward cybersecurity adoption.

2. The leading cyberthreats in 2025

Humans are still being exploited as the “weakest link” in a cybersecurity plan.

Email phishing, spear-phishing, and social engineering continue to trend as the most common and reliable means of illegally accessing a network. Phishing and pretexting account for nearly 73% of breaches in some sectors, with credentials the most commonly compromised data (~50% of phishing incidents)

Social engineering and phishing are the most frequently used methods. Even when the appropriate software, hardware, and patches are in place, the human element still provides a weak point for entry.

A 2024 CyberArk study found that 49% of employees reuse the same credentials across multiple work-related applications, and 36% use the same credentials for both personal and work accounts. These habits magnify the risk of credential stuffing and lateral attacks, as well as increase exposure in hybrid environments.

Additional research shows the following:

• 82% of breaches are caused by humans, whether through phishing, credential theft, or manual errors. (Source)
• 65% of SMB employees bypass cybersecurity policies in order to make work easier. (Source)
• 61% of SMBs say phishing is the most common attack vector they faced in the last year. (Source)

3. Credentials and admin access management

Vastly more breaches have been linked to account compromises and poor permissions control than viruses.

Weak account security and poor privilege management remain some of the most exploited gaps in SMB defenses. According to the Verizon DBIR 2024, 86% of web application attacks were traced back to stolen credentials, while Microsoft’s Identity Report noted that nearly half of SMBs still rely on passwords alone without multi-factor authentication.

Once inside, attackers often exploit excessive admin rights. A 2024 survey done by Sophos shows that over 90% of malware attacks involved data or credential theft.

This means that the onus of SME endpoint security falls upon Managed Service Providers (MSPs) in most cases. MSPs must make small businesses aware of the need for password hygiene, permissions control, and other endpoint security measures like data encryption. At the very least, MSPs should actively embrace the principle of least privilege when it comes to admin account management in their clients’ networks.

By combining technical controls with user education and continuous monitoring, MSPs can help mitigate one of the most persistent and damaging risks facing SMBs today.

4. Ransomware is still a threat

The simplicity and efficacy of ransomware continue to make it a preferred choice for hackers.

Despite a slight dip in ransom payments in 2024, ransomware remains one of the most damaging threats for SMBs. Attackers are evolving tactics, using data theft and double extortion schemes to increase pressure.

Here are some important numbers you should know about:

• 5,243 ransomware victims were posted on leak sites in 2024, up 15% from 2023. (Source)
• Over $800 million in payments were made to ransomware hackers in 2024. (Source)
• The average ransom payment in 2024 was $2.73 million. (Source)
• 70% of cyberattacks in 2024 led to data encryption. (Source)
• 41% of Sophos respondents cite increased anxiety over the possibility of future ransomware attacks. (Source)

Learn how H.E.R.O.S. was able to quickly bounce back from a ransomware attack with minimal downtime and lasting damage.

5. There were 29,000 CVEs issued in 2024

By the end of 2024, there were ~29,000 new CVEs published, with thousands rated as critical or high severity (Source)

Vulnerabilities are expected to increase with the pace and scale of tech adoption. Cyber attacks are considered an inherent risk these days. However, this trend is creating a growing pile of security debt that MSPs and security professionals struggle to address. When cybersecurity teams leave last year’s vulnerabilities unaddressed, this year’s number becomes cumulative and significantly harder to remediate.

Here are some key statistics:

• Of the 29,000 CVEs issued last year, over 4,600 were rated critical and more than half could be exploited with minimal technical skill. (Source)
• Vulnerability exploits are the most common attack vector, accounting for over 30% of attacks. (Source)
• Only 38% of SMBs report having a formal vulnerability management program in place. (Source)

6. Cloud attacks are on the rise

Organizations of any size could experience an attack targeting their cloud data.

Trends toward the cloud have of course led to a trend in cloud-targeted cyberattacks. Since 2020, 79% of companies with data in the cloud have experienced at least one cloud breach. This is no small number, as reports show 94% of organizations in 2025 are currently hosting at least some of their data or IT environment in the cloud.

This is — yet again — an issue that can be traced back to the COVID-19 pandemic. The unanticipated speed at which many organizations have adopted cloud technology has created many unique vulnerabilities.

A report by the World Economic Forum shows that while 66% of respondents expect AI to impact cybersecurity within the next 12 months, only 37% currently have processes in place to ensure its safe deployment.

Furthermore, only 14% of companies are confident that their team has the skills to handle cybersecurity threats.

According to Nikesh Ashora, CEO of Palo Alto Networks, companies “struggle to stitch together dozens of disparate security solutions and enforce security policies across an enterprise’s network, cloud and endpoint environments.”

Updating cybersecurity operations and AI adoption protocols can help minimize the burden on IT teams who may still need to manually address attacks from various sources.

7. Digital supply chain attacks are considered a top risk

More threats are expected as vulnerabilities such as Log4j proliferate through the supply chain.

Even as organizational attack surfaces keep expanding, third-party risks become more critical. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. This represents a 300% increase from 2021, and high-profile breaches such as MOVEit prove that this prediction is materializing.

Due to recent high-profile threats, MSPs are all too familiar with supply chain attacks. Pressure on the digital supply chain demands more risk-based vendor/partner separation, tighter security controls, best practices, and a shift toward more security-minded development and distribution. That said, it’s widely regarded that IT providers and their vendors may struggle to get ahead of forthcoming regulations brought about by this increase in risk.

A video guide on 7 SMB Cybersecurity Statistics You Need to Know in 2025 is also available.

Don’t go cheap on risk mitigation.

These statistics may seem daunting, and many small businesses feel helpless in the face of these numbers. After all, sophisticated cybersecurity tools and qualified experts don’t come cheap and can be hard to justify, even when an SMB knows that a cyber attack could put their company out of business. So, where does this disparity between MSPs lie in the danger and risk mitigation cost?

Fortunately, this puts MSSPs and MSPs in a good position with businesses that realize they need security offerings but cannot afford in-house security professionals. Instead, the IT provider must convince end-user clients of the importance of a strong security posture.

Want practical answers to common MSP security challenges? Check out our RMM FAQs.

NinjaOne – The RMM That Helps Your Clients Stay Secure

• Control and Visibility
• Role-Based Access Control (RBAC)
• Drive Encryption
• Managed AV
• Password Management
• Device Approval

Learn more about leveraging NinjaOne’s built-in tools to improve endpoint security.