
43% of cyberattacks now target small business — what actually reduces the risk
Small businesses aren’t a secondary target anymore — they’re the primary one. 43% of all cyberattacks now target small businesses, which are roughly three times more likely to be targeted than larger firms. In 2026, small businesses report a 49% annual attack rate, which works out to an incident attempted somewhere roughly every seven seconds.
Ransomware is the sharpest end of it. Verizon’s breach data found ransomware present in 88% of small business breaches, compared with 39% of breaches at large organisations — attackers know smaller companies are less likely to have segmented backups or a tested recovery plan.

Why the stakes are higher for smaller companies
75% of small businesses say they couldn’t continue operating if hit with a serious ransomware attack, and that’s not an exaggeration — 60% of small businesses that suffer a cyberattack shut down within six months of it. Average breach costs for firms under 500 employees run as high as $3.31 million, though the more typical range sits between $120,000 and $1.24 million — still enough to be existential for most small businesses.
AI is making it worse before it makes it better. 83% of small businesses say AI has raised the threat level they’re facing, and 72% of workers say phishing attempts look more convincing than they did a year ago, largely because AI-written phishing no longer reads like a bad translation.
How we can help
IT Consulting & Support
On-demand and ongoing IT support for growing teams.
Explore this serviceWhat actually moves the needle
The businesses that recover from an incident — or avoid one entirely — tend to have the unglamorous basics in place: patched systems, tested backups that are actually isolated from the production network, and a support relationship that catches configuration drift before it becomes an opening, rather than a vendor that only shows up after something’s already gone wrong.

None of it requires an enterprise security budget. It requires treating security review as ongoing maintenance rather than a project that finishes once and gets revisited only after an incident.
Ready when you are
Not sure where to start?
Tell us what you’re working with and we’ll tell you honestly whether it’s worth fixing now or later.
Get in touchMore from the blog

Why most enterprise AI projects still don’t pay off — and what the ones that do have in common
Adoption is nearly universal and value capture still isn’t. Here’s what separates the AI projects that ship real results from the ones that quietly stall.

SEO in 2026: why Core Web Vitals now decide whether AI search engines cite you at all
Google folded LCP, INP, and CLS into one score this year — and it’s now a factor in whether AI Overviews reference your site in the first place.

Cloud waste hit 29% of spend in 2026 — the review process that catches it before the invoice does
Five years of cloud waste declining just reversed. Here’s what’s driving it, and the FinOps habits that keep a cloud bill predictable.
