Small businesses are the lifeblood of the economy, driving growth, innovation and employment. But according to a recent Mastercard survey ¹, the rapidly evolving digital environment “…brings risks as well as opportunities — risks that small business owners, who long considered themselves beneath the notice of cybercriminals, are now painfully, and in many cases, personally, aware.” This blog profiles the problem and an approach to a cyber security solution.

Why are small businesses the biggest target of cybercrime?
“Small and medium sized businesses lack the financial resources and skill set to combat the emerging cyber threat,” says Scott E. Augenbaum, former supervisory special agent at the FBI’s Cyber Division, Cyber Crime Fraud Unit, in Cybercrime Magazine.² The numbers bear this out:

• 66 percent of SMBs had at least one cyber incident in the past two years, according to Mastercard. ¹
• 82% of ransomware attacks targeted companies with less than 1000 employees. 55% of ransomware hit businesses with fewer than 100 employees. 75% of attacks targeted companies making less than $50 million in revenue. ³
• Top SMB cybersecurity studies reveal that only 14% of SMBs are prepared to face cyber attacks.⁴

What are the types of cybercrime?
Cybercrime takes many forms and it’s virtually impossible to predict how a company could be attacked. Threats include:

• Malware compromises data integrity or privacy
• Ransomware encrypts data files and holds them hostage for ransom payments
• Spam is bulk, unsolicited or unwanted messages and emails
• Phishing exploits personal relationships to steal data or account access
• Distributed Denial of Service (DDoS) shuts down online services with overwhelming traffic
• Insiders including employees or partners can damage services and data integrity
• Corporate Account Takeover (CATO) is business-identity theft for financial gain

According to the 2025 Verizon report on cybercrime ⁵, small businesses are most susceptible to malware and ransomware, although one of the more worrying trends is the vulnerability of employees who inadvertently expose credentials and data, or who intentionally cause damage.

What are the methods of attack?
Over half of breaches are the result of human engagement or intervention, and about a third are instigated by third party persons, organizations or software ⁵. Attack vectors include botnet-driven trial- and-error, fake websites, email phishing, third parties (customers, partners), leverage of stolen or lost laptops, phones, flash drives or credit cards. Generative AI is contributing to frequency and to perceived authenticity. Remote, work-from-home employees are always online and significantly enlarge the company’s security risk profile.

NEXT: Part 2: Scoping the Risks

References:

1. Mastercard, “Too small to be ignored? Not anymore. Why shoring up cyber defenses for small businesses is crucial”. March 27, 2025.
2. CyberCrime Magazine, Steve Morgan, Editor in Chief, “Cybercrime To Cost The World $10.5 Trillion Annually By 2025”. November 13, 2020.
3. Astra IT, Inc., Nivedita James Palatty, author. “51 Small Business Cyber Attack Statistics 2025 (And What You Can Do About Them)”. June 16, 2025.
4. Accenture, Ninth Annual Cost of Cybercrime Study, March 6, 2019.
5. Verizon, 2025 Data Breach Investigations Report.
6. PCMag, Alan Henry, Managing Editor, Security. “$6.7M Ransom, 700 Jobs Lost, and a 158-Year- Old Business Destroyed—All Thanks to One Bad Password”. September 26, 2025.

Author: Jake Krakauer, an independent business technology consultant based in Pleasanton, California.