Half of US Small Businesses Hit by Cyberattacks, Report Reveals
A new report finds 43% of SMBs have been attacked, yet over half rely on untrained staff for security, highlighting a dangerous gap in preparedness.
SMBs Under Siege: Half of US Small Businesses Hit by Cyberattacks, New Report Reveals
MIAMI, FL – December 17, 2025 – A sobering new report reveals a stark reality for America's small and medium-sized businesses (SMBs): they are firmly in the crosshairs of cybercriminals. According to the 2025 SMB Cybersecurity Report published by Guardz, a cybersecurity platform for Managed Service Providers (MSPs), nearly half (43%) of all U.S. SMBs have experienced a cyberattack, with 27% being targeted in just the last 12 months. The findings paint a picture of a business sector under constant threat, caught in a dangerous paradox of rising awareness but inadequate preparation.
While a majority of business owners now recognize the escalating cyber risks, a significant number remain dangerously unprepared. The report indicates a critical disconnect between perception and action, where increased budgets do not necessarily translate into improved security, often because the responsibility for defense falls to those least equipped to handle it.
"In 2025, SMBs are confronting the reality that cyber threats are no longer distant possibilities, but daily risks with the potential to disrupt or even destroy a business," said Dor Eisner, CEO and Co-Founder of Guardz, in the press release. The data underscores an urgent need for a strategic shift in how small businesses approach their digital defenses, moving from a DIY mindset to professional management.
A Widening Gap Between Threat and Readiness
The vulnerability of SMBs is not just a perception; it's a statistical reality with devastating consequences. Independent industry data consistently shows that cybercriminals view smaller businesses as softer targets due to their limited resources. The financial and operational fallout can be catastrophic. According to IBM's 2024 Cost of a Data Breach Report, the average cost of an incident for a small business has climbed to over $254,000. Even more alarmingly, other industry studies suggest that as many as 60% of small businesses that suffer a significant cyberattack are forced to close their doors within six months.
The Guardz report digs into the internal factors fueling this vulnerability. A startling 52% of SMBs rely on an untrained internal staff member or the business owner to manage critical security functions. This hands-on, yet unskilled, approach is a recipe for disaster. The top cybersecurity concern cited by respondents was employee negligence (45%), a fear that is well-founded, as human error consistently ranks as a leading cause of breaches. Phishing and ransomware remain the most prevalent threats, attack vectors that directly exploit human fallibility and technical gaps.
This lack of professional oversight leads to a fragile defensive posture. While most businesses have some basic protections—58% use network firewalls and 52% employ email filters—many are missing crucial layers of a modern defense strategy. The report found that 26% of SMBs do not conduct any regular penetration tests or security assessments, leaving them blind to the very holes an attacker would exploit. Furthermore, 42% of business owners are worried about their own outdated technologies, a concern most acute in the high-stakes healthcare sector.
The Cybersecurity Spending Paradox
In a seemingly positive trend, the report notes that half of SMBs increased their cybersecurity budgets over the past year, with 17% making significant increases. However, this increased spending is failing to close the security gap, creating a dangerous spending paradox. The issue lies not in the willingness to spend, but in the lack of strategy and expertise guiding those investments.
The data reveals a startling lack of financial clarity and strategic planning. Nearly a third (31%) of SMB owners admit they don't know exactly how much they spend on cybersecurity. For those who do track spending, the investment is often minimal, with 16% allocating less than $50 per user annually. This level of spending is insufficient to counter sophisticated, AI-enhanced threats.
More telling is the absence of formal planning. Only 34% of SMB owners have a formal incident response or business continuity plan developed with a cybersecurity professional. In one-third of businesses, the owner personally handles security alerts and incident resolution—a time-consuming distraction that pulls them from their core duties and increases the risk of critical missteps. Another 13% delegate this task to other untrained employees, compounding the risk. This operational fragmentation means that even when security tools are in place, the alerts they generate may be misinterpreted or ignored entirely.
In addition, 27% of SMBs operate without any cyber insurance, leaving them fully exposed to the crippling financial costs of a breach, from recovery expenses to regulatory fines and customer lawsuits.
The MSP Lifeline: A Shift Toward Professional Management
As threats mount and the consequences become clearer, SMBs are increasingly recognizing the limits of their internal capabilities. The report highlights a decisive shift toward seeking external help, positioning Managed Service Providers (MSPs) as an indispensable lifeline in the fight for cyber resilience.
The primary motivations for engaging an MSP are visceral: a direct fear of cyberattacks (52%) and a sense of responsibility to protect customers and stakeholders (40%). This indicates that the decision to partner with an MSP is moving from a technical choice to a fundamental business strategy.
The impact of professional engagement is arguably the report's most critical finding: a staggering 80% of SMBs with a formal incident response plan—the kind typically developed with an MSP or other professional—were able to avoid major damage during an attack. This single statistic powerfully illustrates that preparedness, guided by expertise, is the determining factor in business survival.
"This research confirms that businesses increasingly recognize the value of experienced service partners," Eisner stated. "Those that try to manage risk on their own lack the expertise, resources, and tools needed to stay resilient."
The broader MSP market is growing to meet this demand, with a competitive landscape of providers offering unified platforms designed to simplify security for SMBs. These platforms consolidate essential controls for endpoints, email, and identity into a single framework, allowing MSPs to offer enterprise-grade protection that is both affordable and manageable for their smaller clients. For SMBs, this trend signals a crucial turning point. The data suggests that surviving the modern threat landscape is no longer about buying a tool, but about investing in a continuous, professionally managed security partnership.