Small Business Cybersecurity in 2026: The Complete Guide to Protecting What You Built

43% of all cyberattacks target small businesses. 60% of those hit close within six months. In 2026, AI-powered phishing, deepfake fraud, and ransomware-as-a-service have made SMBs the most targeted segment in cybercrime. This complete guide covers the 2026 threat landscape, the ten highest-impact controls, the human problem, the MSP question, compliance obligations, and a practical 30/60/90-day action plan — no enterprise budget required.

CHIEF DEVELOPER AND WRITER AT TECHVORTA

The boutique digital marketing agency in Austin had eleven employees, a solid client roster, and no dedicated IT person. In late 2024, their systems froze during what everyone assumed was a routine network glitch. Six hours later, a ransom demand arrived: $25,000 in cryptocurrency, payable within 72 hours, in exchange for the decryption key to three years of client files, project assets, and financial records. They paid. They had no choice. There was no backup that had been tested recently enough to trust, no incident response plan to activate, and no cyber insurance to absorb the cost. The $25,000 was the ransom. The full recovery — including two weeks of lost productivity, emergency IT consultancy, and the clients they lost because deliverables went dark — cost several times more. They survived. Barely.

This is not a horror story about a careless company. It is a description of the median small business in 2026, facing a threat environment designed specifically around the predictable gaps in their defences. Forty-three percent of all cyberattacks now target businesses with fewer than 1,000 employees. Businesses with fewer than 100 employees are 2.5 times more likely to be targeted than those with more than 500. Employees at small businesses experience 350 percent more social engineering attacks than their counterparts at large enterprises. The reason is straightforward: attackers have done the same cost-benefit analysis that a rational investor would. Large enterprises have security teams, enterprise-grade tools, and incident response playbooks. Small businesses, more often than not, have a part-time IT generalist, a consumer-grade firewall, and passwords that have not changed since the company was founded.

In 2026, that asymmetry has become more dangerous, not less. Artificial intelligence has handed attackers capabilities that previously required significant technical expertise and time. Ransomware-as-a-service has industrialised the delivery of sophisticated attacks, making them accessible to criminals with no coding ability whatsoever. And the surface area that small businesses need to defend has expanded dramatically through cloud adoption, remote work, and the proliferation of connected devices — none of which came with security as a default setting.

This guide is the complete small business cybersecurity reference for 2026. The threat landscape, the financial consequences that make ignoring it an existential business risk, the ten controls that deliver the most protection per dollar, the human dimension that technology alone cannot solve, the managed service question, compliance obligations, and a practical plan for getting from where most small businesses are to where they need to be — without requiring an enterprise security budget or a CISO.

Why Small Businesses Are the Preferred Target in 2026

The old assumption — that hackers focus on large corporations because that is where the money is — has been functionally obsolete for years, and in 2026 it is dangerously wrong. The economics of modern cyberattacks no longer require attackers to go after a single large target. Automation allows a single actor or a small criminal group to attack thousands of small businesses simultaneously, each yielding modest returns that aggregate to substantial criminal revenue without attracting the regulatory and law enforcement scrutiny that a high-profile enterprise breach would trigger.

Small businesses are structurally attractive targets for precisely the reasons they feel safe. Forty-seven percent of businesses with fewer than 50 employees have no cybersecurity budget whatsoever. Seventy-four percent of SMB owners self-manage their cybersecurity — meaning a business owner with core expertise in restaurant operations, interior design, legal services, or engineering is making the security decisions that a dedicated security team would handle at a larger organisation. Twenty-eight percent of SMB respondents in Proton AG’s 2026 SMB Cybersecurity Report — which surveyed 3,000 business leaders across six global markets — admitted that the person managing their cybersecurity does not have sufficient training. In most cases, that person is the respondent themselves. These are not failures of will or ambition. They are structural realities of small business operation: limited bandwidth, limited budget, and an entirely reasonable prioritisation of the functions that directly generate revenue over the functions that prevent loss.

Attackers model this reality and exploit it at scale. Small businesses receive the highest rate of targeted malicious emails of any business size category — one in 323 emails at small businesses is malicious. The attack patterns that hit small businesses are not primitive versions of enterprise attacks. They are attacks calibrated to the specific vulnerabilities most likely to be present: weak passwords that have never been rotated, accounts without multi-factor authentication, unpatched software running on systems that nobody has reviewed since installation, and employees who have received one security awareness briefing two years ago and nothing since. In 2025, small and mid-sized organisations accounted for 70.5 percent of data breaches globally — a figure that should end the conversation about whether small businesses are genuinely targeted.

The Financial Reality: What an Attack Actually Costs

The most common reason small business owners give for underinvesting in cybersecurity is cost. The data on the cost of attacks versus the cost of prevention makes that reasoning very difficult to sustain.

The average cost of a small business data breach is $200,000. Restoring normal operations after a successful breach averages $955,429 when all costs are accounted for — direct remediation, legal fees, regulatory fines, customer notification, reputational damage, and the productivity lost during recovery. The average ransomware payment has climbed from $2.5 million to $3.6 million. Average business downtime following a ransomware attack reached 16.2 days in 2025. Sixty percent of small businesses that suffer a significant cyberattack go out of business within six months. Among firms that experienced a breach in the past 18 months, 17 percent were no longer operating as of mid-2025. Proton AG’s 2026 report found that a majority of breached SMBs reported financial losses ranging from £7,500 to £75,000, with some incidents exceeding their entire annual cybersecurity budget.

Against these figures, the cost of meaningful preventive security — MFA implementation, a managed endpoint protection platform, regular employee training, a tested backup system, and a basic incident response plan — is a fraction of the average breach cost for any business above the smallest scale. The industry benchmark for cybersecurity spending is 10 to 15 percent of total IT budget. The median small business spends well below that. The gap between what prevention costs and what recovery costs is the most compelling business case for small business cybersecurity investment, and it is a gap that the statistics consistently and starkly illustrate.

Cyber insurance does not fill the gap that prevention leaves. Only 35 percent of small businesses carry cyber insurance coverage. Of those that do, 48 percent did not purchase it until after they had already experienced an attack. This sequence — breach first, insurance second — is obviously suboptimal. But it also understates the limitation of insurance as a substitute for prevention, because insurers have significantly tightened underwriting requirements as claims have increased. In 2026, obtaining cyber insurance coverage at reasonable premiums requires demonstrating implementation of baseline security controls: MFA, endpoint protection, backup procedures, and employee training. A business that has done nothing on the prevention side may find either that it cannot get coverage or that the premium reflects the elevated risk. Insurance is a financial backstop for residual risk, not a replacement for the security controls that reduce the probability of having to file a claim.

The 2026 Threat Landscape: What Small Businesses Are Actually Facing

The threats facing small businesses in 2026 are not the same as those of five years ago. The attack categories — phishing, ransomware, credential theft, business email compromise — are familiar. The execution has been fundamentally altered by artificial intelligence and the industrialisation of cybercrime infrastructure, and understanding those changes is essential to understanding which defences matter most.

AI-powered phishing has closed the quality gap that made phishing detectable. The phishing email of 2019 was often identifiable by awkward phrasing, grammatical errors, and generic salutations. Generative AI has eliminated those signals. In 2026, attackers use large language models to craft phishing emails that precisely replicate the writing style of a vendor your business has worked with for years, an HR department communicating about a benefits change, or a bank raising a routine security alert — all personalised, grammatically flawless, and contextually convincing. Phishing-as-a-service platforms further reduce the technical barriers to launching sophisticated campaigns, enabling attackers with no coding ability to deploy personalised phishing at scale. Phishing now accounts for 80 percent of reported security incidents at small businesses. Ninety-one percent of all cyberattacks begin with a phishing email. The human being reading that email is the primary defence — and the primary vulnerability.

Deepfake-enabled social engineering has introduced an entirely new attack surface. More than a quarter of SMBs — 29 percent — reported experiencing a deepfake scheme in the past year, according to VikingCloud’s 2026 research. Deepfake video and audio technology can now generate convincing impersonations of executives, clients, or financial institutions in real time. In practice, this means a finance employee receiving a video call that appears to show their CEO authorising an urgent wire transfer to a new vendor account, or an audio message that sounds exactly like a senior partner confirming a payment change. Business Email Compromise caused over $2.9 billion in reported losses in 2024, and deepfake augmentation is accelerating the sophistication and success rate of these attacks. Verifying financial requests through a separate, pre-established channel — a phone call to a known number, not a number provided in the suspicious communication — is the procedural control that blocks this attack regardless of how convincing the deepfake is.

Ransomware-as-a-Service has industrialised what was previously a specialist criminal operation. Ransomware-as-a-service platforms allow operators to lease attack infrastructure and ready-to-deploy malware to criminal affiliates who conduct intrusions and split the proceeds. This model has dramatically lowered the skill floor for ransomware deployment, producing a volume of attacks that no longer requires the attacker to write code or understand the technical details of the malware they are deploying. Eighty-eight percent of ransomware attacks now target small businesses. Modern ransomware campaigns combine encryption — locking the victim out of their own data — with data exfiltration before encryption, creating a double extortion dynamic where paying the ransom decrypts the data but does not prevent the threat of publishing exfiltrated information. Seventy-five percent of SMBs could not continue operating if hit with ransomware, and 51 percent that fall victim to it pay the demand.

Credential theft has become the most reliably effective entry point into small business systems. Attackers have learned it is easier to log in than to break in. Compromised credentials were involved in 42 percent of breaches in 2025. The reasons are structural: 68 percent of employees reuse passwords across platforms, which means a single credential compromise from any service — even an unrelated personal account — can cascade into corporate system access. MFA fatigue attacks — bombarding an employee with authentication approval notifications until they approve one just to stop the notifications — have become a documented and effective technique for bypassing MFA implementations that rely on push notifications rather than phishing-resistant methods. The 2025 breaches at Marks & Spencer and the Co-Op, estimated to have caused £300 million and £270–440 million in losses respectively, both began with credential-focused social engineering against organisations whose defences should have caught them. Small businesses, with less monitoring and fewer controls, are substantially more exposed.
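As an added example (not from the article or any vendor), the detection logic a defender could run over identity-provider sign-in events to catch the MFA fatigue pattern described above: a burst of push prompts to one user, mostly denied, followed by an approval. The log format and user names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider):
# "<timestamp> <user> <event>" with events push_sent / push_denied / push_approved.
# alice is a normal login; bob is bombarded late at night and finally approves.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z alice push_sent
2026-03-02T08:01:12Z alice push_approved
2026-03-02T22:14:03Z bob push_sent
2026-03-02T22:14:20Z bob push_denied
2026-03-02T22:14:41Z bob push_sent
2026-03-02T22:15:02Z bob push_denied
2026-03-02T22:15:30Z bob push_sent
2026-03-02T22:15:55Z bob push_sent
2026-03-02T22:16:10Z bob push_sent
2026-03-02T22:16:44Z bob push_approved
"""

def parse_log(text):
    """Turn the constructed log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Return {user: finding} for users who received min_prompts or more
    push prompts inside one window. A finding records how many prompts
    were sent, how many the user denied, and whether an approval followed
    the burst, which is the outcome that means the attacker is now in."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        sent = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) < min_prompts:
                continue
            end = burst[-1]
            denied = sum(1 for ts, e in evs
                         if e == "push_denied" and start <= ts <= end)
            approved = any(e == "push_approved" and end <= ts <= end + window
                           for ts, e in evs)
            findings[user] = {
                "prompts": len(burst),
                "denied": denied,
                "approved_after_burst": approved,
                "severity": "critical" if approved else "high",
            }
            break  # one finding per user is enough to raise the alert
    return findings

def alerts_for(text=SAMPLE_LOG):
    """Convenience wrapper: parse a log and return the fatigue findings."""
    return find_push_fatigue(parse_log(text))
```

A "critical" finding should trigger an immediate session revocation and password reset for that user; the durable fix remains the one the article names, phishing-resistant MFA rather than plain push approval.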

Supply chain and third-party risk has become a tier-one concern for businesses of every size. At least 29 percent of all data breaches involve third-party attacks. A compromised software vendor, managed service provider, or business partner can provide attackers with access to every downstream customer simultaneously. For small businesses, this threat is present in both directions: as potential victims of their vendors’ security failures, and as potential entry points into the larger organisations they supply or partner with. The attackers know that a well-defended enterprise is most efficiently compromised through its smaller, less-defended supply chain partners. Small businesses that dismiss their own security as a concern only for themselves have not fully thought through what it means to be a data custodian for their clients’ information.

The Human Problem: Why Technology Alone Solves Nothing

Ninety-five percent of cybersecurity breaches are attributed to human error, according to the World Economic Forum. This is not an argument against technology controls — it is an argument for understanding that technology controls are necessary but insufficient, and that the human layer requires its own investment and its own strategy.

Forty-one percent of cybersecurity incidents at small enterprises are caused by employee mistakes. Fifty percent of small business owners cannot identify a phishing email. Thirty-five percent of small business employees clicked on a malicious link in the past year thinking it was legitimate. These figures describe a workforce that has not received adequate preparation for the threat environment it operates in daily — not because the employees are careless or unintelligent, but because they have not been given the specific knowledge and practice that transforms security awareness from an abstract concept into reliable behavioural instinct.

Annual security training is not security training. A one-hour annual session covers compliance requirements and establishes a checkbox in an audit, but it does not produce durable behavioural change. Research shows that organisations with continuous security training programmes experience 70 percent fewer successful phishing attacks compared to those with annual-only training. The current best practice is monthly micro-training sessions of five to ten minutes covering a specific current threat, quarterly phishing simulations with immediate feedback for employees who click, role-specific training for positions with elevated risk such as finance staff handling payment authorisations, and immediate training triggers when an employee fails a simulation or reports a near-miss. Phishing simulations in 2025 showed a 38 percent employee failure rate on average across small businesses — meaning more than one in three employees clicked a simulated phishing link. Monthly training has been shown to reduce breach incidents by 40 percent. The return on investment from training programmes is among the highest of any security control.

Security culture is not built through policy. It is built through leadership behaviour, consequence, and repetition. An organisation in which the owner or senior leadership demonstrably ignores security policies — sharing passwords for convenience, skipping MFA because it slows them down, using personal email for business communications — communicates through that behaviour that the policies are theatre rather than expectation. Conversely, an organisation in which leadership models the security behaviours it expects, where reporting a suspicious email is rewarded rather than treated as an interruption, and where near-misses are discussed openly rather than buried, creates the conditions in which employees make security-conscious decisions instinctively rather than under compulsion. Raphael Auphan, COO at Proton, summarised the shift required: cybersecurity in 2026 is no longer just an IT expense — it is directly tied to revenue, reputation, and long-term growth. That framing, adopted genuinely at the leadership level, changes the culture in ways that policy documents cannot.

The Ten Controls That Deliver the Most Protection Per Dollar

Small businesses cannot implement everything at once, and they should not try. The most effective approach to small business cybersecurity is a sequenced investment in the controls that address the highest-probability, highest-impact risks first — building from a solid foundation outward rather than attempting comprehensive security from a standing start. The following ten controls are sequenced by a combination of impact and accessibility, starting with the measures that block the most attacks for the least cost and complexity.

Multi-factor authentication is the single highest-impact control available to small businesses. Microsoft reports that MFA blocks 99.9 percent of automated credential attacks. Organisations using MFA cut ransomware attacks attributable to compromised credentials by 82 percent. Despite this, only 14 percent of SMBs have deployed MFA across all accounts. The implementation is straightforward: enable MFA on every service that supports it, prioritising email, cloud applications, remote access tools, and financial platforms. For accounts managing sensitive data or financial authorisations, move beyond SMS-based or push-notification MFA — which are vulnerable to interception and MFA fatigue attacks respectively — toward phishing-resistant FIDO2 security keys or passkeys. The cost is minimal. The impact is transformative. There is no more cost-effective security investment available to a small business than universal MFA deployment.

Email security configuration prevents the majority of phishing attacks before they reach employees. Email is the primary attack vector for the vast majority of small business breaches. Implementing SPF, DKIM, and DMARC — three email authentication standards that verify the legitimacy of emails claiming to come from your domain and block spoofed messages — is a technical configuration that most email platforms support through their administration panel. A DMARC policy set to reject prevents attackers from impersonating your domain in emails sent to your clients and partners, and combined with a quarantine or reject policy on inbound filtering, significantly reduces the volume of malicious email that reaches employee inboxes. These configurations cost nothing beyond the time to implement them, yet 57 percent of small businesses lack employee cybersecurity training and correspondingly underinvest in the email security configuration that reduces the training burden.
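As an added example (not from the article), a checker for the SPF and DMARC records just described, showing a typical weak configuration beside the corrected one. The records and the domain names in them are constructed; in practice you would fetch the TXT records of your domain and of its `_dmarc` subdomain.

```python
def parse_tags(record):
    """DMARC records are 'tag=value' pairs separated by semicolons."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def evaluate_spf(record):
    """Return a list of weaknesses found in an SPF TXT record."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly allowed")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "~all":
        findings.append("'~all' (softfail) only marks spoofed mail; use '-all' to reject it")
    lookups = 0
    for t in terms:
        name = t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name == "ptr":
            findings.append("'ptr' mechanism is deprecated and unreliable")
        if name in ("include", "a", "mx", "exists", "redirect"):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings

def evaluate_dmarc(record):
    """Return a list of weaknesses found in a DMARC TXT record."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    policy = tags.get("p")
    if policy is None:
        findings.append("'p' tag missing: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will receive no aggregate reports")
    return findings

# Constructed records: the weak configuration many domains ship with, then the hardened one.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.example-mailer.invalid -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@example.com; adkim=s; aspf=s")

def audit(spf, dmarc):
    """Evaluate both records together; empty lists mean nothing to fix."""
    return {"spf": evaluate_spf(spf), "dmarc": evaluate_dmarc(dmarc)}
```

Move from `p=none` to `p=reject` only after the aggregate reports show every legitimate sender passing, otherwise your own invoices and newsletters are what gets rejected.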

Patch management closes the vulnerabilities that automated scanners exploit within hours of disclosure. In 2025, IBM found that 56 percent of tracked vulnerabilities were exploited without any login needed — attackers simply scanned the internet for systems running unpatched software and exploited the known flaw automatically. Fifty-seven percent of small businesses take more than three months to patch a critical vulnerability. The gap between vulnerability disclosure, when a flaw becomes publicly known and attack tools are developed, and patch application, when the fix is actually deployed, is the window of exposure. Automating operating system updates and enabling auto-update for all software and plugins eliminates the operational burden and closes that window as rapidly as technically possible. For software that cannot be automatically updated, a weekly patch review cycle for critical vulnerabilities and a monthly cycle for others is the operational minimum.

The 3-2-1 backup rule, with tested restoration, is the primary defence against ransomware. Three copies of data, on two different types of media, with one copy stored off-site and disconnected from production systems — this is the backup standard that makes ransomware a disruption rather than a catastrophe. Seventeen percent of small businesses have no data backup solution whatsoever. Seventy-two percent do not have an automated backup system. Backup systems were compromised in 18 percent of ransomware incidents precisely because the backups were connected to the same network as the production systems — meaning ransomware that encrypted production data also encrypted the backups. An air-gapped or immutable off-site backup, whether physical media stored offsite or a cloud backup service with immutable storage and no direct network connection to production systems, is the control that determines whether a ransomware attack ends in recovery or in the decision to pay. The backup is not complete until a full restoration test has been successfully executed. A backup that has never been tested is an assumption, not an asset.
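As an added example (not from the article), a restoration test of the kind the paragraph calls for: it takes a hash manifest at backup time, restores the archive into a separate directory and compares every file, so a stale or incomplete backup is caught before it is needed. The sample data set and file names are constructed for this example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def create_backup(src, archive_path):
    """Archive src and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest

def restore_and_verify(archive_path, expected, restore_dir):
    """Restore the archive into restore_dir and compare against `expected`
    (what production holds). Returns (ok, problems)."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems += [f"unexpected file restored: {rel}"
                 for rel in restored if rel not in expected]
    return (not problems, problems)

def run_restore_test(stale=False):
    """Build constructed sample data, back it up, restore it and verify.
    stale=True adds a file after the backup ran: the case a 'backup exists'
    checkbox never catches but a restore test does."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "acme.txt").write_text("invoice history\n")
        (src / "ledger.csv").write_text("date,amount\n2026-01-05,1200\n")
        archive = Path(tmp) / "backup.tar.gz"
        expected = create_backup(src, archive)
        if stale:
            (src / "clients" / "new-client.txt").write_text("signed 2026-03-01\n")
            expected = build_manifest(src)  # what production holds now
        restore_dir = Path(tmp) / "restore"
        restore_dir.mkdir()
        return restore_and_verify(archive, expected, restore_dir)
```

For the off-site copy the same check applies, run from a machine that has no credentials to production, which is what keeps the copy out of reach of ransomware that has already spread through the network.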

Endpoint Detection and Response deployed across all devices provides visibility and automated threat containment. Traditional antivirus software, which identifies threats by matching known signatures against a database, is demonstrably insufficient against modern attacks that use novel malware variants, fileless execution techniques, and living-off-the-land approaches that use legitimate system tools for malicious purposes. Endpoint Detection and Response platforms continuously monitor device behaviour, identify anomalous activity that signature-based tools miss, and can automatically isolate a compromised device from the network before the attack propagates. For small businesses, managed EDR services — typically delivered through a managed security service provider — provide enterprise-grade endpoint protection without requiring in-house security expertise to operate and interpret the output. Ninety-five percent of small businesses use antivirus software inconsistently; replacing inconsistent traditional antivirus with a consistently managed EDR solution addresses both the coverage gap and the quality gap simultaneously.

The principle of least privilege applied to access management limits the damage any single compromised account can cause. Every user account and application should have access to exactly the data and systems required for its function, and no more. Administrative accounts should be separate from daily-use accounts, used only for administrative tasks, and never used for email or web browsing. Access reviews should be conducted quarterly, with permissions revoked when an employee changes role or leaves the organisation. The specific failure pattern this control addresses — a compromised account that has broad access because nobody reviewed its permissions since it was created — is among the most common paths from initial credential compromise to full system access. Fourteen percent of internal data leaks at small enterprises are attributed to access mismanagement. Role-based access control is not an enterprise concept. It is a basic operational hygiene measure that any business managing customer data should implement.

An incident response plan converts a crisis into a managed procedure. Twenty-eight percent of small businesses have no plan in place for responding to a security incident. The consequence of having no plan is not merely inefficiency during a crisis — it is paralysis during the hours when containment decisions determine whether a breach is contained to one system or cascades across the network. An incident response plan does not need to be complex. It needs to identify who makes decisions during an incident, who contacts law enforcement and regulatory bodies if required, how systems are isolated if compromise is detected, how communications to clients and stakeholders are managed, and what the restoration sequence is from backup. Running a tabletop exercise — a structured walkthrough of a simulated ransomware scenario — once a year with key staff reveals gaps in the plan and builds the muscle memory that prevents decision paralysis when the real event occurs.

Vendor and third-party risk management extends security controls beyond the organisation’s own perimeter. The supply chain attack pattern — in which attackers compromise a trusted vendor or software provider to gain access to their downstream customers — requires small businesses to treat their vendors’ security posture as an extension of their own risk. Practically, this means asking vendors who have access to your systems or data what security controls they have implemented, contractually requiring notification of any breach or security incident within a defined timeframe, limiting vendor access to only the systems and data they need for the contracted service, and monitoring for unusual activity from vendor-authenticated accounts. Forty-one percent of small business breaches involve third-party vendors. Vendor risk management does not require sophisticated tooling. It requires the discipline to ask the questions and act on the answers.

Security awareness training run continuously, not annually, is the human-layer control that amplifies every technical measure. As detailed in the human problem section above, the effectiveness difference between annual and continuous training is not marginal. The specific content that matters most in 2026 includes AI-generated phishing identification, deepfake voice and video recognition, the social engineering tactics used in business email compromise, safe password practices and the use of a password manager, and the procedure for reporting suspicious activity without fear of embarrassment or consequence. Quarterly phishing simulations with immediate, constructive feedback for employees who click provide the practice repetition that builds reliable recognition instinct. The investment is modest. The impact on the probability of a successful breach is significant.

Cyber insurance, properly structured, provides the financial backstop for residual risk that prevention cannot eliminate. Even a well-defended small business faces residual risk. No set of controls provides a guarantee against breach. Cyber insurance covers the costs that residual risk produces: incident response services, legal fees, regulatory fines, client notification costs, and business interruption losses. Sixty-four percent of small businesses are not familiar with cyber insurance; only 35 percent carry it. Obtaining appropriate coverage requires demonstrating the security controls described above — insurers now require evidence of MFA, endpoint protection, and backup procedures before issuing policies at standard rates. The process of preparing for a cyber insurance application is therefore itself a security improvement exercise: the controls required for coverage are the controls that most reduce the probability of needing to file a claim.

The MSP Question: When to Stop Self-Managing

Eighty-four percent of business owners say they self-manage their cybersecurity. The logic is understandable — bringing in external expertise costs money, and the need is not always visible until it is urgent. But the data on self-management outcomes makes a strong case for reconsidering this approach as a business scales beyond the smallest size.

The specific problem with self-managed cybersecurity at small businesses is not competence but bandwidth and specialisation. A business owner managing cybersecurity is also managing operations, finance, HR, client relationships, and dozens of other functions. Security decisions made in the margins of a full schedule by someone whose primary expertise is elsewhere produce the predictable outcomes the statistics describe: delayed patches, unchecked configurations, expired certificates, and security tools that were installed once and never properly maintained.

Managed Security Service Providers — MSSPs — deliver 24/7 monitoring, incident response capability, patch management, and security operations expertise on a subscription model that most small businesses can access for a fraction of what it would cost to hire equivalent capability in-house. The challenge, as noted in Heimdal Security’s February 2026 analysis, is the complexity of onboarding clients to security tools, which creates friction in the initial engagement. Finding an MSSP that specialises in small and medium businesses — rather than scaling down enterprise offerings — produces a better fit on both price and service model. The trigger for engaging an MSSP is not a specific revenue threshold or employee count. It is the honest recognition that the person currently managing security does not have the time and specialist knowledge to do it adequately, and that the business has reached the size where the consequences of a breach are existential.

Compliance and Regulatory Obligations in 2026

The regulatory environment for cybersecurity has grown significantly more demanding in 2026, and small businesses are not exempt from its reach simply by virtue of their size. The specific obligations depend on industry, geography, and the type of data handled — but the trend across every major jurisdiction and sector is toward more prescriptive requirements, faster incident reporting timelines, and steeper penalties for non-compliance.

In the European Union, the NIS2 Directive has extended cybersecurity obligations to a broader range of sectors and organisational sizes than its predecessor, and the EU Cyber Resilience Act, with reporting obligations beginning in September 2026, mandates security requirements for products with digital elements. In the United States, the Cyber Incident Reporting for Critical Infrastructure Act is coming into force, requiring rapid reporting of cyber incidents and ransomware payments for covered entities. The Payment Card Industry Data Security Standard version 4.0 — applicable to any business that processes payment card transactions — has updated requirements that include enhanced authentication controls and continuous security monitoring. Healthcare businesses in the US are subject to HIPAA requirements that include specific security rule provisions regardless of practice size.

The practical implication for small businesses is that compliance is no longer a concern only for large organisations in regulated industries. The controls required to meet current compliance obligations — MFA, encryption, access management, incident response planning, employee training — overlap significantly with the controls that make good security sense regardless of regulatory requirement. A business that implements security controls properly is largely compliant as a by-product. A business that treats compliance as the goal rather than security as the goal typically achieves neither effectively.

A Practical Starting Framework: The 30/60/90-Day Plan

The data on small business cybersecurity produces a clear picture: most businesses need to do substantially more than they are currently doing, across multiple dimensions simultaneously, with limited budget and bandwidth. The most common failure mode is attempting to address everything at once and making no real progress on anything, or becoming overwhelmed by the scope and doing nothing. A staged, sequenced approach addresses the highest-probability risks first and builds momentum through early wins.

In the first thirty days, the focus is on the controls that block the most attacks for the least effort. Enable MFA on every account that supports it, beginning with email, cloud services, financial platforms, and any remote access tools. Configure SPF, DKIM, and DMARC on your email domain. Audit user accounts and remove or disable accounts for departed employees and unused service accounts. Verify that all operating systems and critical software have automatic updates enabled. Confirm that a backup exists, is running on an automated schedule, and is stored somewhere separate from and not network-connected to production systems. These five actions address the credential theft, email spoofing, stale access, unpatched vulnerability, and ransomware survivability problems that account for the majority of small business breaches. They require no budget and minimal time.

In the next thirty days, the focus shifts to deepening protection and addressing the human layer. Deploy an endpoint protection platform across all devices — managed EDR through an MSSP if possible, or a reputable business-grade endpoint security solution at minimum. Run the first phishing simulation to establish a baseline employee click rate. Conduct a brief training session covering AI-generated phishing, deepfake social engineering, and the procedure for reporting suspicious communications. Implement a password manager for the organisation and enforce unique passwords across all business accounts. Document the access each employee role requires and begin adjusting permissions toward least privilege. Review vendor access and remove or restrict any third-party access that is broader than the service requires.

In the sixty-to-ninety-day window, the focus is on resilience and structure. Write and test the incident response plan — a tabletop exercise simulating a ransomware attack is the most efficient way to identify gaps. Test the backup restoration process to confirm that recovery from backup is operationally viable within an acceptable timeframe. Obtain or review cyber insurance coverage. Establish the monthly training and quarterly phishing simulation cadence that will maintain the human-layer improvement over time. If the organisation has not already engaged with an MSSP, evaluate options and determine whether the self-managed approach is sustainable given the business’s current size and risk profile. By the end of ninety days, a small business that starts from the typical baseline will have addressed the majority of the control gaps that make SMBs attractive targets — not because the risk has been eliminated, but because it has been reduced to the point where attackers will find easier targets elsewhere.
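As an added example (not code from the article or from any vendor it names), here is a small Python linter for the day-30 SPF and DMARC step: it flags the record settings that leave a domain spoofable, so the control can be verified rather than assumed. The records it checks are constructed samples, and example.com / example.net are placeholder domains.

```python
"""Offline lint of SPF and DMARC TXT records for the weak settings that
undermine the day-30 email-spoofing control. Sample records below are
constructed for illustration, not pulled from any real domain."""
import re

def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; '' means no record published."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host can send as this domain"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_terms[-1]}' lets any sender pass SPF")
        elif qualifier == "~":
            findings.append("'~all' softfail: rejection depends entirely on DMARC")
    return findings

def lint_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record; '' means no record published."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    # Parse 'tag=value; tag=value' pairs into a dict (tag names are case-insensitive).
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

# Constructed sample records; example.com / example.net are placeholder domains.
WEAK_SPF, HARDENED_SPF = "v=spf1 include:_spf.example.net ~all", "v=spf1 include:_spf.example.net -all"
WEAK_DMARC, HARDENED_DMARC = "v=DMARC1; p=none; pct=50", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

def audit_domain(spf: str, dmarc: str) -> list[str]:
    """Combine both linters; an empty list means the domain passes the check."""
    return [f"SPF: {f}" for f in lint_spf(spf)] + [f"DMARC: {f}" for f in lint_dmarc(dmarc)]
```

Feed it the TXT records you retrieve for your own domain (the DMARC record lives at `_dmarc.<domain>`); an empty result from `audit_domain` is the day-30 checkbox, and a non-empty one lists exactly what to change.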

The Business Case, Plainly Stated

Cybersecurity for small businesses is not primarily a technical problem. It is a business decision with a financial logic that has become impossible to ignore. The average cost of a breach is $200,000. The average cost of restoring normal operations after a significant attack is nearly a million dollars. Sixty percent of small businesses that experience a significant cyberattack close within six months. Against these figures, the investment required to implement the controls that most reduce the probability of being in that category is modest — a fraction of what most small businesses spend on marketing, insurance for physical premises, or the equipment they use daily.

The small businesses that treat cybersecurity as an operational function rather than an IT cost, that make MFA and training and backup verification as routine as locking the door at the end of the day, and that have a plan for what to do when something goes wrong rather than discovering the plan’s absence in the middle of a crisis — these are the businesses that experience incidents as disruptions rather than as catastrophes. The gap between those two outcomes is not primarily a function of budget. It is a function of prioritisation, habit, and the decision to take the threat seriously before it makes that decision for you.

In 2026, with automation enabling attackers to target thousands of small businesses simultaneously and AI removing the technical barriers to sophisticated attack execution, the question is not whether a small business will be targeted. It is whether it will be the kind of target that an attacker moves on from quickly, or the kind that becomes the cautionary tale someone else reads about.

Staff Writer
