Cyber attacks on SMBs: Current Stats and How to Prevent Them

As small business owners grapple with issues like inflation and economic uncertainty, it can be easy to lose sight of another important challenge that could potentially ruin your business: cyberattacks.

Data released from the 2021 Internet Crime Report, the latest figures released by the FBI’s Internet Crime Complaint Center (IC3), reveals that the total number of cyberattack complaints within the U.S. alone reached nearly 850,000 — a 7% increase compared to the previous year.

Unfortunately, frequency is not the only concern. The data also shows that estimated losses from reported attacks exceed $6.9 billion USD — up more than 64% YOY.

While business owners and executives may prioritize day-to-day operations and long-term growth plans, it’s also critical to make room on the agenda for cybersecurity, given that both the likelihood and severity of attacks have increased in recent years for SMBs.

Why are small businesses at risk?

For many small business owners, the biggest risk factor is not realizing the risk they face!

Even though the latest IC3 data spells trouble for SMBs, the majority do not grasp the severity of this issue. Recent data from a CNBC and SurveyMonkey poll reveals that six in 10 small business owners (61%) said they were “unconcerned” that their organization would be targeted in an attack in the next year. Almost two-thirds (64%) reported that they were “confident” in their ability to quickly resolve an attack.

It is precisely this false sense of security and confidence that cybercriminals have learned to exploit. Companies that do not perceive a risk do not take the necessary steps to protect themselves — and that’s why SMBs are at particular risk of being the victim of a cyberattack.

Don’t cybercriminals have bigger fish to fry?

For years, many SMBs maintained a false sense of security due to the relative obscurity of their business. After all, why would a hacker target a small, local doctor’s office when they could just as easily infiltrate the network of a major hospital?

The answer today is that, in fact, it has become much, much harder to take down large, notable targets. As large companies and enterprise organizations doubled down on security tools and systems in recent years, strengthening their defenses against attacks, hackers have set their sights elsewhere — namely, the SMB market.

Many small businesses may still fall into the trap of thinking that their organization isn’t large enough or high-profile enough to be the target for attackers. But the fact of the matter is that they have become an easy mark since many do not have advanced tools to defend the business, but they do have what hackers are after: data.

SMBs need to realize that cyberattacks usually aren’t personal to the hacker. Hackers often don’t differentiate between stealing from small and large companies. At the end of the day, they are looking for data — like payment details, personal data, health information or anything at all that could be sold on the dark web or used to advance a more sophisticated attack.

Because many small organizations do not perceive their risk, they may not have taken critical steps to protect their assets and operations, like using encryption for all transactions or backing up files in a secure database. This makes it easier for cybercriminals to carry out their attack plan and maximize disruption once it is underway.

Further, because many attacks on small businesses do not garner national or global attention — or, in some cases, may not require immediate reporting to relevant agencies or customers — many attacks fly under the metaphorical radar, allowing hackers to use the same tactics over and over at different companies without detection.

Which small businesses are at most risk?

The short answer is that any business can be the target of a cyberattack. Any organization that has data — be it customer data, intellectual property (IP), employee data or other sensitive information — is a potentially attractive target to a hacker.

Fast-growing smaller organizations are at particularly high risk, since security can be difficult to maintain or enhance during periods of rapid growth. Further, as the organization adds more employees and customers and expands the network and digital footprint to serve the business, so too does the company’s risk profile grow.

In the end, the organization most at risk is any organization — of any size in any sector — that does not take the necessary steps to protect itself. Thankfully, SMBs have the opportunity to improve their defenses. In today’s market, many reputable and knowledgeable cybersecurity vendors have adapted their product packages and pricing models to meet the needs and budgets of SMBs.

Deploying a comprehensive and sophisticated toolset that includes advanced solutions like next-generation antivirus (NGAV) and endpoint detection and response (EDR) can go a long way towards protecting the business, its assets and customers. Further, access to remediation and recovery services can greatly reduce the duration of an attack and the extent of its damage — helping SMBs get back to what they do best: serving customers.

What attacks are most common?

While cybercriminals leverage a variety of attack techniques and methods, some of the most common attacks include:

Malware

Malware — short for malicious software — is any program or code that is created with the intent to do harm to a computer, network or server. In malware attacks, hackers can employ phishing techniques to prompt users, including employees and customers, to hand over sensitive information, such as account credentials, which can be used to advance the attack or launch a new one.

Ransomware

Ransomware is a type of malware that denies legitimate users access to their system and requires a payment, or ransom, to regain access. Once a system is infected, the hacker either blocks user access to the device or system, or encrypts files, making them virtually useless to the owner.

Phishing

Phishing is a type of cyberattack that uses email, SMS, phone or social media to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install malware on their computer or phone.

Man-in-the-Middle Attacks (MITM)

A man-in-the-middle (MITM) attack is a type of cyberattack in which a malicious actor eavesdrops on a conversation between a network user and a web application. The goal of a MITM attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party to solicit additional information or spur action.

Denial-of-Service (DoS) Attacks

A denial-of-service (DoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations. In a DoS attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network.

Learn More

Discover more of the top 10 most common cyber attacks by today’s adversaries. Read: 10 Most Common Types of Cyber Attacks

The cost of a cyberattack

If the current rate of growth of cyber attacks continues, damages from such events will reach an estimated $10.5 trillion by 2025—a 300% increase from 2015 levels.

Losses and damages come in many forms for victims of a cyberattack. Direct costs, such as the need to pay a ransom or hire a cybersecurity firm to remediate the attack, can be relatively simple to calculate, while other costs, such as reputational harm, are far more difficult to measure.

Regardless, when SMBs weigh their options for cybersecurity coverage, it’s important to consider not just the costs of the services and tools, but the potential cost of doing nothing. In many cases, the cost of being the subject of a breach or other attack could easily exceed the cost of retaining the services of a reputable cybersecurity vendor.

Estimating the Cost of a Cyberattack

While the precise cost of a cyberattack varies based on the attack type and its duration, many attacks will result in both direct and indirect costs to the business. Below we outline some of the most common expenses associated with a breach:

Ransoms: As ransomware attacks become more common, one of the most prominent costs associated with breaches is the need to pay a ransom to restore system access. Demands stretch into the millions, even for SMBs. In fact, the CrowdStrike 2023 Global Threat Report shows that ransom payments went up by 63% in 2021.

System restoration: In addition to paying a ransom to restore an affected system, most companies will need to outright replace a corrupted network or toolset. This is notoriously expensive in that it comes with potentially high technology costs, as well as the IT team’s time. In many cases, it also requires the help of an outside vendor to rebuild or integrate any new systems or tools.

Forensic investigations: When an organization is the victim of a breach, it must act quickly to identify and categorize the attack, assess the damage and clean and restore all affected areas. In most cases, these services require highly specialized skills that do not come cheaply to businesses, regardless of size.

Legal counsel: In the event of a breach, organizations usually need to hire lawyers to ensure they comply with legal requirements, which can vary by country, region or even state. It is essential for SMBs to work with a trusted partner to outline the steps that organizations are required to take by law following a breach or cyberattack — or else face the risk of penalties and fines for noncompliance later.

Notifications: After a cyberattack, organizations also bear the responsibility for identifying and notifying victims to inform them that their personal information may be at risk. This can include theft or exposure of personal information, such as customer or employee social security numbers, addresses, bank details, credit card numbers, driver’s license numbers, health records and more. The organization will also be responsible for notifying the relevant authorities and government agencies of such a breach and providing any necessary or requested documentation afterwards.

Victim credit monitoring: In some states, organizations may also be responsible for covering the cost of credit monitoring for affected customers or otherwise helping them restore their identities in the event of a breach.

Data recovery, business interruption and loss of revenue: Many major cyber attacks result in disruption of business-critical activities and loss of data that, in turn, leads to loss of revenue. Remember: When your system is down, you can’t do business. So not only are you potentially losing sales, but your employees are also losing time due to the interruption and restoration process.

Reputational harm: Following a breach, many companies will suffer from a tarnished image since customers, clients and partners may believe that the business did not take the proper steps to secure its network. In some cases, organizations may need to invest in marketing and public relations efforts, such as offering discounts or other promotions, to help incentivize customers to return.

How to Prevent a Small Business Cyberattack

By now, we’ve established the need for SMBs to protect their business and the kinds of attacks they should be on the lookout for. Now comes the most important part: What to do to prevent a cyberattack.

Here we outline the most important actions companies can take to reduce their risk of an attack and also help limit damage in the event of a breach.

Step 1: Train employees

Step 2: Identify a cybersecurity partner

Step 3: Embrace a culture of security

Learn More

Get more information about how to define and implement a robust and effective employee training program. Read: How to create employee cybersecurity awareness training program

Take Your Security to the Next Level with CrowdStrike

Comprehensive, top-tier coverage is possible for small businesses. CrowdStrike Falcon® Go is an easy-to-manage and affordable solution custom-built for small businesses that prevents ransomware, malware and the latest cyber threats and helps SMBs detect and respond to cyber threats at an affordable price.

  • Protect your business with the industry-leading, next-generation antivirus solution proven to stop advanced attacks.
  • Leverage device control to help you monitor and govern USB devices that could put your network at risk.
  • Deploy one lightweight sensor and start protecting your business instantly, no matter where your devices are.
  • Leverage a best-in-class firewall management solution to protect your company’s network and devices — and the people who use them.

Learn More

Get more information about these steps and other ways a cybersecurity partner can help SMBs advance their security posture. Read: 2023 Small Business Cybersecurity Checklist