Most “SMB cybersecurity statistics” posts are a graveyard of recycled, unsourced numbers. This one is different: every figure below is tied to a named, primary 2024–2025 source, and we call out the most popular myth — the one even its supposed author has disowned — so you don’t repeat it. Here’s what the data actually says about small-business security in 2026.

The scale of the problem

  • The FBI’s Internet Crime Complaint Center logged a record $16.6 billion in reported cybercrime losses in 2024 — up 33% in a single year — across 859,532 complaints. (FBI IC3, 2024)
  • Phishing was the most-reported crime type of 2024, with 193,407 complaints. (FBI IC3, 2024)

Where the attacks actually land

  • Stolen credentials are the single most common way into a breach (22%), with vulnerability exploitation right behind at 20% — up 34% year over year. (Verizon 2025 DBIR)
  • Business Email Compromise drove $2.77 billion in reported losses across 21,442 complaints in 2024. (FBI IC3, 2024)

The front door is almost always a login or an inbox — not exotic malware.

Why small businesses get hit harder

  • Ransomware was present in 88% of breaches at small businesses, versus just 39% at large enterprises, so an SMB breach is more than twice as likely to involve ransomware. (Verizon 2025 DBIR)
  • Ransomware appeared in 44% of all breaches reviewed, up from 32% — a 37% jump. (Verizon 2025 DBIR)
  • The median ransom payment was $115,000, and 64% of victims refused to pay. (Verizon 2025 DBIR)
  • 59% of small and mid-sized businesses said they experienced a cyber-attack in the prior 12 months, and 27% were hit by ransomware. (Hiscox Cyber Readiness Report 2025)

The real reason: a resource gap, not a size problem

  • 76% of SMBs say they lack the in-house skills to properly address security issues. (ConnectWise / Vanson Bourne, 2024)
  • 47% of SMBs would switch providers for stronger security, and 73% aren’t fully confident their current provider could stop an attack. (ConnectWise / Vanson Bourne, State of SMB Cybersecurity 2025)

Attackers haven’t decided small companies are valuable. They’ve decided small companies are undefended — and the data agrees.

What downtime and breaches cost

Two honest caveats here, because most posts get this wrong:

  • The global average data-breach cost was $4.44M in 2025 (IBM Cost of a Data Breach 2025) — but that’s an average across mostly-large organizations, not an SMB figure. Treat it as the ceiling of the market, not your bill.
  • For 90%+ of mid-size and large enterprises, a single hour of downtime now costs more than $300,000 (ITIC 2024). That is again an enterprise figure, but the proportional hit to a small business that can’t take orders, invoice, or operate is just as existential.

The myth to stop repeating

You’ve seen it everywhere: “60% of small businesses close within six months of a cyberattack.” Don’t use it. The National Cybersecurity Alliance — the organization most often credited as the source — has explicitly disavowed it, stating the statistic “was not generated from NCSA research” and that it “cannot verify its original source,” and has removed it from its site. The real SMB impact data above is alarming enough without a zombie stat.

What the numbers say to do

The data points consistently at the same short list of controls:

  1. Watch identity and email first — that’s where 2 in 5 breaches begin.
  2. Get behavioral endpoint coverage — because ransomware is the SMB breach outcome 88% of the time.
  3. Have 24/7 eyes — attacks deploy off-hours, on purpose.
  4. Correlate across surfaces — so the chain gets caught, not four disconnected blips.
  5. Close the skills gap with a service, not a hire — since 76% of SMBs don’t have the in-house skills, and most never will.

How Centeye fits

Centeye gives a small business the security team it can’t hire: an AI SOC watching email, identity, endpoints, web, DNS, and AI tools 24/7, correlating attacks into one incident and containing them at the autonomy level you choose — with a human in the loop and a plain-English explanation of every action. It’s enterprise-grade coverage without an enterprise-grade team.

Figures cited from the FBI IC3 2024 Annual Report, the Verizon 2025 Data Breach Investigations Report, the Hiscox Cyber Readiness Report 2025, the ConnectWise / Vanson Bourne State of SMB Cybersecurity surveys (2024 and 2025), IBM’s Cost of a Data Breach 2025, and the ITIC 2024 Hourly Cost of Downtime Report. The IBM and ITIC figures are global/enterprise averages, not SMB-specific, and are labeled accordingly. The “60% close within six months” claim is debunked per the National Cybersecurity Alliance’s own statement.