What Are Cyberattacks on Small Businesses? Threats and Defenses
Cyberattacks on small businesses are intrusions (phishing, ransomware, credential theft, and fraud) that target smaller organizations because their defenses, budget, and staffing are thinner than those of large enterprises.
The 40-person company that calls in an incident response firm has the same story almost every time. No dedicated security staff. One IT person who also runs the help desk. Backups that nobody had restored from in a year. A finance clerk who wired $90,000 to a "vendor" whose email looked exactly right. The attacker did not need a zero-day. They needed an inbox, a reused password, and a target that was not watching.
Small and midsize businesses are not too small to attack. They are easier to attack and increasingly worth attacking. The 2026 Verizon Data Breach Investigations Report found that about 96% of ransomware victims, where organization size was known, were SMBs. That is not a coincidence of sampling. It is the predictable result of attackers picking the path of least resistance and finding it inside the small business.
This guide is for the defender at that company, or the MSP, MSSP, or SOC analyst who covers a roster of them. It covers why SMBs get hit, the attack types that actually show up in their incidents, the real cost of an event, and a budget-aware order of operations: what to do first when you cannot do everything.
Why attackers target small businesses
The reasoning is economic, not personal. Attackers run a business too, and SMBs offer a good return for low effort.
Defenses are thinner. Most SMBs have no full-time security team, no SOC, and no 24/7 monitoring. Patching slips because the same person who patches also resets passwords and orders laptops. The ISC2 workforce research has tracked a global shortage of roughly four million cybersecurity workers, and the people who do exist concentrate at large enterprises that can pay for them. The small business gets whatever attention is left over.
Budget is limited and spent late. Security competes with payroll and rent. Spend tends to arrive after the first incident, not before, which means the window an attacker exploits is the one before the company has been hurt enough to invest.
The data is valuable. A 30-person business still holds customer payment data, employee records, health information, banking credentials, and intellectual property. None of that is worth less because the company is small. Stolen credentials and personal data resell the same way regardless of the victim's headcount.
They are a path to bigger targets. SMBs sit in the supply chains of larger organizations as vendors, contractors, and managed providers. An attacker who compromises a small IT services firm inherits its access into every client it manages. This is the supply chain attack pattern, and the small partner is the soft entry point precisely because it is small.
They are unprepared to respond. Many SMBs have no incident response plan, no offline backups, and no relationship with a responder before the day they need one. That turns a containable intrusion into a full outage, which is exactly the leverage a ransomware operator wants.
The most common cyberattacks against small businesses
The threats that show up in SMB incidents are not exotic. They are the common ones, aimed at the weakest version of a normal target.
Phishing and business email compromise. Email is the front door. Phishing tricks a user into handing over a credential or running an attachment. Business email compromise goes further: the attacker impersonates an executive, a vendor, or a partner and convinces someone to wire money or change payment details, often with no malware at all. The FBI Internet Crime Complaint Center counted $2.77 billion in BEC losses in 2024, second only to investment fraud, and SMBs absorb a large share of it because they rarely have a callback-verification process for payment changes.
Ransomware. The defining SMB threat. A ransomware operator encrypts the company's systems, exfiltrates data first to add an extortion threat, and demands payment. The 2026 Verizon DBIR found ransomware present in 48% of breaches, and about 96% of ransomware victims (where size was known) were SMBs. For a small business with no tested offline backup, encryption of the file server and the accounting system is a stop-trading event.
Stolen-credential account takeover. Attackers log in more than they hack in. Verizon's 2026 DBIR puts the use of stolen credentials at 36% of breaches. Credentials come from phishing, password reuse, and infostealer malware, and an account without multi-factor authentication is a single guessed or stolen string away from takeover. Where credentials are not stolen, attackers fall back to a brute-force attack against exposed logins like RDP and webmail.
Malware. Beyond ransomware, SMBs face infostealers that harvest saved passwords and session cookies, banking trojans, and loaders that pull in further payloads. A single infected workstation becomes the foothold for everything that follows.
Web and application attacks. Small businesses run websites, customer portals, and e-commerce that are often built on unpatched plugins and frameworks. The 2026 DBIR reported that exploitation of vulnerabilities has risen to 31% of breaches as an initial access vector, now the leading one. An internet-facing app that has not been patched is a standing invitation.
Insider mistakes and misuse. Not every loss is an outsider. A misdirected email, a public cloud bucket, a disgruntled employee, or a careless contractor causes a real share of SMB data exposure. The 2026 DBIR found the human element present in 62% of breaches.
Supply-chain compromise. The flip side of being a path to bigger targets is being downstream of one. SMBs absorb attacks that arrive through their software vendors, their managed service provider, or a compromised update, and they have the least capacity to detect a trusted channel turning hostile.
The real impact of an attack on a small business
The cost of an SMB incident is rarely the ransom alone. It is the sum of everything that stops.
Downtime. When the file server is encrypted or the point-of-sale system is down, the business stops earning while still paying staff and rent. For a small company without redundant systems, days of outage are common, and days of outage for a thin-margin business are existential.
Ransom and recovery. Even where a ransom is not paid, recovery costs money: responders, new hardware, rebuilt systems, overtime. Paying does not guarantee clean decryption, and it marks the company as one that pays.
Data breach exposure. A data breach brings regulatory notification duties, legal exposure, and customer loss. For a business whose value is its customer relationships, the trust damage outlasts the technical cleanup.
Fraud loss. A successful BEC wire often cannot be recovered. The money leaves, moves through mule accounts, and is gone before the fraud is noticed.
Closure risk. Some small businesses do not survive a major incident. The widely repeated claim that "60% of small businesses close within six months of an attack" is not supportable: the organization originally credited with it has disavowed it, so treat it as folklore rather than data. The honest version is narrower and still serious: a severe incident can end a thin-margin business, and a meaningful fraction never fully recover.
Where to start: budget-aware defenses in priority order
You cannot buy your way to a SOC overnight, and you do not need to. The controls that stop the common SMB attacks are mostly configuration and discipline, not spend. Do them in this order.
1. Multi-factor authentication everywhere. MFA on email, remote access, VPN, cloud admin consoles, and any internet-facing login is the single highest-return control. It breaks the stolen-credential and brute-force paths that account for a large share of intrusions. It is free or near-free on most platforms. Do this first.
2. Patch what faces the internet. Prioritize anything exposed: the VPN, the firewall, the web app, the mail server. Vulnerability exploitation is now the leading initial access vector, so the unpatched edge device is the one most likely to be hit. Turn on automatic updates where you can.
3. Backups, offline and tested. Keep at least one backup copy that ransomware cannot reach: offline, immutable, or in a separate account with separate credentials. Then restore from it on a schedule. An untested backup is a hope, not a control, and the day of the incident is the wrong time to learn it never worked.
4. Email security. Layer a filtering gateway in front of the inbox, enable SPF, DKIM, and DMARC on your domain to make impersonation harder, and put a hard rule in place: any change to payment details or any wire request is verified by a callback to a known number, never by replying to the email. That rule alone stops most BEC.
5. Endpoint detection. Antivirus catches known malware; it misses the hands-on-keyboard behavior of a modern intrusion. Endpoint detection and response, or a managed detection and response service that runs it for you, is the affordable way for an SMB to get behavioral detection and someone watching the alerts. MDR is how a small business rents a SOC instead of building one.
6. Security awareness training. The human element is in most breaches, and short, regular, realistic training measurably lowers the click rate on phishing. It is cheap and it directly addresses the most common entry point.
7. Least privilege. Most users do not need local admin. Service accounts do not need domain admin. Cutting standing privilege shrinks what an attacker gains from any single compromised account, and it costs nothing but the discipline to review access.
8. An incident response plan. Write down who to call, how to isolate a machine, where the backups are, and which systems matter most, before you need it. A one-page plan and a responder's phone number on file turn a chaotic outage into a managed one.
The pattern across all eight: the cheap controls block the common attacks. An SMB that does the first four well has closed the doors most attackers actually walk through.
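For step 4, the SPF and DMARC records a domain publishes can be checked for settings that leave it easy to impersonate. The Python below is an added example, not part of the original guide; the function names are illustrative and the record strings are constructed samples. It assumes the TXT records have already been fetched, and it counts only the lookup terms in the top-level SPF record, not those inside included records.

```python
import re
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: no record published" if not spf
                else "SPF: multiple records, receivers return a permanent error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0] for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, over the limit of 10")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls:
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" is "+all"
        if qualifier in "+?":
            findings.append(f"SPF: {qualifier}all does not reject unlisted senders")
    elif "redirect" not in names:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    tags = dict((k.strip().lower(), v.strip()) for k, v in
                (p.split("=", 1) for p in recs[0].split(";") if "=" in p))
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy} does not ask receivers to block spoofed mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains spoofable")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    return findings

# Constructed sample records (example.com and example.net are reserved names).
WEAK = {"spf": ["v=spf1 include:mail.example.net +all"], "dmarc": ["v=DMARC1; p=none; pct=50"]}
HARDENED = {"spf": ["v=spf1 include:mail.example.net ip4:203.0.113.10 -all"],
            "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}

if __name__ == "__main__":
    print(audit_spf(WEAK["spf"]) + audit_dmarc(WEAK["dmarc"]))
```

An empty findings list for both functions is the target state; a DKIM check is not included because it needs the selector name, which is not discoverable from the domain alone.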
Top SMB threats, impact, and the first control
| Threat | How it hits the SMB | Realistic impact | First control |
|---|---|---|---|
| Phishing / BEC | Spoofed email, fake invoice, wire fraud | Direct funds loss, credential theft | MFA + payment-change callback rule |
| Ransomware | Encrypts systems, exfiltrates and extorts | Downtime, ransom, closure risk | Offline, tested backups |
| Stolen-credential takeover | Login with phished or reused password | Account and email compromise | MFA on every login |
| Malware / infostealers | Saved passwords and cookies harvested | Foothold for the next stage | EDR or managed detection |
| Web / app exploitation | Unpatched plugin, framework, edge device | Initial access, data exposure | Patch internet-facing systems |
| Insider mistake / misuse | Misdirected data, exposed bucket | Data breach, regulatory exposure | Least privilege + awareness training |
| Supply-chain compromise | Vendor or MSP access turned hostile | Inherited breach, hard to detect | Vendor access review + monitoring |
The bottom line
Attackers target small businesses for a simple reason: thin defenses, limited budget, valuable data, and a foothold into larger partners, with little capacity to respond. The attacks that hit them are the common ones (phishing and BEC, ransomware, stolen-credential takeover, malware, web exploitation, insider mistakes, and supply-chain compromise), aimed at the weakest version of a normal target. The impact is rarely the ransom alone; it is the downtime, the unrecoverable wire, the breach exposure, and for some businesses, closure.
The encouraging part is that the controls that stop the common attacks are mostly cheap. Turn on multi-factor authentication everywhere, patch what faces the internet, keep an offline backup and test it, and lock down email and payment changes. A small business that does those four well has shut the doors most attackers actually use, and earned the budget and time to build the rest.
Frequently asked questions
Because the return is good for the effort. Small businesses usually have thinner defenses, no dedicated security staff, and limited budget, while still holding valuable customer, payment, and employee data. They are also a path into larger organizations through supply chains. Attackers pick the easiest target that pays, and that is often the small business, not the hardened enterprise.
Email-based attacks lead: phishing and business email compromise. They need no malware, exploit a person rather than a system, and the FBI recorded $2.77 billion in BEC losses in 2024. Ransomware is the most damaging, since the 2026 Verizon DBIR found about 96% of ransomware victims with known size were SMBs.
The cost is the sum of downtime, recovery, fraud loss, and breach exposure, not just any ransom. Downtime while systems are rebuilt often hurts more than the ransom itself, and a successful BEC wire is usually unrecoverable. A severe incident can end a thin-margin business, though the popular "60% close within six months" figure is not supportable and should not be cited.
Yes, because the highest-return controls are mostly free or low-cost. Multi-factor authentication, patching internet-facing systems, tested offline backups, email authentication, and least privilege are configuration and discipline more than spend. A managed detection and response service lets a small business rent monitoring instead of building a SOC.
Turn on multi-factor authentication everywhere, especially email and remote access. It breaks the stolen-credential and brute-force paths behind a large share of intrusions and costs little. Then patch internet-facing systems, set up offline tested backups, and add a payment-change callback rule to stop wire fraud.
Usually through a phished credential, an unpatched internet-facing system, or malware on a workstation. The attacker gains access, moves to the file server and backups, exfiltrates data, then encrypts. The defenses that block it are MFA, patching, and an offline backup the ransomware cannot reach.