There’s a persistent myth among small-business owners: “We’re too small for hackers to bother with.” The 2025–2026 data demolishes it. Attackers haven’t just noticed SMBs — they’ve deliberately pivoted toward them, because large enterprises got harder to breach and small companies pay, panic, and rarely have a SOC.
The data: attackers moved downmarket on purpose
This isn’t speculation. It’s measured across every major threat dataset:
- Over 70% of human-operated ransomware attacks now target organizations with fewer than 1,000 employees. (Microsoft Digital Defense Report 2025)
- The median ransomware victim is now a 200-employee company — a 45% drop in a single quarter. 38% of victims have 11–100 employees. (Coveware Q4 2025)
- Ransomware is present in 88% of SMB breaches vs. 39% at large enterprises — SMBs are more than twice as likely to face ransomware as the breach outcome. (Verizon 2025 DBIR)
- The average sub-500-employee breach now costs $3.31M — the only company-size band whose cost rose in 2025. (IBM Cost of a Data Breach 2025)
Coveware is blunt about the reason: large enterprises invested in EDR, backups, and IR retainers, so the economics pushed attackers toward “poorly defended sub-1,000-employee organizations.”
Why “too small to target” was always wrong
Huntress, whose telemetry is almost entirely SMBs, put it plainly: “the gap in attack sophistication between large enterprises and small businesses has all but disappeared.” The same toolkits, the same RMM-abuse techniques (65% of incidents, a 277% YoY surge), the same infostealers (24% of all detections) now hit a 40-person company and a 40,000-person company alike. The only difference is the smaller company usually has no one watching.
How modern SMB ransomware actually plays out
The kill chain has shifted away from “malware on a laptop”:
- Identity foothold. Stolen or reused credentials — often bought from an infostealer dump — get the attacker in. Coveware names identity as the primary intrusion surface.
- Quiet expansion. RMM tools and living-off-the-land scripts spread access. Huntress counts ~18 malicious actions before encryption.
- Exfiltration, then extortion. 94% of ransomware incidents now involve data theft (Coveware Q4 2025) — the encryption is increasingly secondary to the threat of leaking your data.
- The clock. Average time-to-ransom is ~17 hours — almost always spanning a night or weekend nobody’s watching.
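An added example, not from the original article or from any vendor's product: a minimal correlator that groups telemetry by host and raises one incident when several of the kill-chain stages listed above fall inside the ~17-hour window. The stage labels, event tuples, host and account names, and the two-stage alert threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=17)   # the ~17 h time-to-ransom figure cited above
MIN_STAGES = 2                 # assumed threshold: alert before encryption starts

# Constructed sample telemetry (not real data): (timestamp, host, stage, detail)
EVENTS = [
    ("2026-01-09T22:14", "fs01", "identity", "VPN login for svc-backup from new ASN"),
    ("2026-01-09T23:02", "fs01", "expansion", "unapproved RMM agent installed"),
    ("2026-01-10T01:40", "fs01", "expansion", "remote script run via RMM session"),
    ("2026-01-10T03:15", "fs01", "exfiltration", "9 GB outbound to new destination"),
    ("2026-01-10T04:05", "fs01", "encryption", "canary file modified"),
    ("2026-01-06T10:30", "ws17", "identity", "MFA prompt denied by user"),
    ("2026-01-08T09:00", "ws17", "expansion", "approved RMM patch job"),
]

def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Group events per host and emit one incident per host when at least
    min_stages distinct kill-chain stages fall inside a single window."""
    by_host = defaultdict(list)
    for ts, host, stage, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), stage, detail))
    incidents = []
    for host, evs in by_host.items():
        evs.sort()
        best = []
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            if len({e[1] for e in in_window}) > len({e[1] for e in best}):
                best = in_window
        stages = sorted({e[1] for e in best})
        if len(stages) >= min_stages:
            first, last = best[0][0], best[-1][0]
            incidents.append({
                "host": host,
                "stages": stages,
                "events": len(best),
                "span_hours": round((last - first).total_seconds() / 3600, 2),
                # Night (20:00-06:00) or weekend start: nobody is watching
                "off_hours": first.hour >= 20 or first.hour < 6 or first.weekday() >= 5,
            })
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

The two `ws17` events are each benign-looking and almost two days apart, so they stay below the threshold, while the five `fs01` events collapse into a single incident.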
What the data says actually works
The good news: defenses are working for the companies that have them. 86% of ransomware victims now refuse to pay (Coalition 2026) — but only because they have tested backups and a plan. The load-bearing controls are consistent across every report:
- Identity hardening — MFA everywhere plus ITDR to catch what gets around it (MFA blocks 99% of identity attacks).
- Behavioral EDR across Mac, Windows, and Linux — because 60% of ransomware strains are now unknown to signature AV.
- Email/BEC detection — to close the most common foothold.
- Tested backups + a real IR plan — the difference between the 86% who don’t pay and the rest.
- 24/7 watch — because the attack happens at 3 a.m.
How Centeye covers the modern SMB kill chain
Centeye watches all seven surfaces and correlates them, so an identity foothold, an RMM-abuse process, a DNS beacon, and a mass-encryption signal become one incident — not four blips no one connected. Kavach provides the around-the-clock watch and seconds-fast containment that a 200-person company can’t staff, and the Endpoint/EDR ransomware trifecta (canary files, mass-encryption detection, shadow-copy tamper monitoring) targets exactly the behavior modern ransomware exhibits.
You’re not too small to be a target. But you’re not too small to defend, either.
Figures cited from Microsoft Digital Defense Report 2025, Coveware Q4 2025 Ransomware Report, Verizon 2025 DBIR, IBM Cost of a Data Breach 2025, Huntress 2025 Cyber Threat Report, and the Coalition 2026 Cyber Claims Report.