Every vendor pitch and MSP sales page throws around cybersecurity statistics. Half of them are made up, outdated, or ripped from a 2019 blog post that cited a 2016 report that misquoted a 2013 survey.

This page is different. Every number here comes from a named source report published in 2024 or 2025. We link directly to the original research at the bottom so you can verify anything yourself. No paywalled summaries, no "studies show" without saying which study.

We update this page as new reports come out. Bookmark it.


Ransomware

Ransomware hits small businesses harder than anyone else, and it's not particularly close.

88% of small business breaches involve ransomware, compared to just 39% for large enterprises. And 82% of ransomware attacks in 2024 targeted businesses with fewer than 1,000 employees. If you're running a company under that threshold, you're squarely in the crosshairs.

The money side is brutal. Median ransom payments hit $2 million in 2024, five times the $400,000 median from 2023. More than half (56%) of organizations whose data was encrypted ended up paying. And the ransom is only part of the bill: the average recovery cost, excluding any ransom paid, sits at $2.73 million, up 50% from $1.82 million the year before.

How are attackers getting in? For small businesses, 30% of ransomware incidents started with compromised credentials and another 29% with exploited vulnerabilities. Stolen passwords and unpatched systems: the basics. We covered the specific ransomware groups targeting businesses in the Seattle-Tacoma area if you want names and TTPs.

Here's the part that should keep you up at night: 75% of SMBs say they couldn't continue operating if ransomware hit them. The often-repeated figure that 60% of small businesses that suffer a cyberattack shut down within six months is worth treating with care; it is widely cited but rarely traced back to a primary dataset. The 75% number, though, is what small business owners themselves report when asked, and that is not a scare tactic.


Phishing and Social Engineering

Phishing is still the single most common attack vector, and it's getting worse. AI-generated phishing emails make fakes harder to spot than ever, and the click-rate numbers below are consistent with that.

The FBI logged 193,407 phishing complaints in 2024, making it the most reported cybercrime category by a wide margin. Enterprise users were nearly 3x more likely to click phishing links in 2024 than in 2023, hitting 8.4 clicks per 1,000 users per month, up from 2.9. Whatever training is in place isn't keeping pace with the click rate.

The speed is what really stands out. Median time from opening a phishing email to clicking the link? 21 seconds. Another 28 seconds to hand over credentials. Under a minute, start to finish.

Small businesses get the worst of it. Employees at smaller companies experience 350% more social engineering attacks than their counterparts at larger organizations, and small businesses receive the highest rate of targeted malicious emails: 1 in every 323.

Business Email Compromise (BEC) remains one of the most profitable attack types. It cost $2.77 billion in 2024 across 21,442 reported incidents, with a median transaction of $50,000. Over three years (2022-2024), BEC losses totaled $8.5 billion.

The good news, if you can call it that: security awareness training actually works. Before any training, 33.1% of employees click links in simulated phishing tests. After 12 months of continuous training, that drops to 4.1%, an 86% reduction. The caveat is that these are simulated-phishing click rates, not real-world compromise rates, but the direction is clear. The problem is most small businesses never start. On the credential side, passkeys are finally a practical replacement for passwords for organizations ready to make the jump.


Data Breach Costs

The average global data breach cost hit $4.88 million in 2024, a 10% jump from 2023 and the highest number IBM has recorded in 19 years of tracking. In the U.S. specifically, that average climbs to $9.36 million, the most expensive country for breaches 14 years running.

Healthcare leads every other industry at $9.77 million per breach on average. It has held that top spot for 14 straight years. If you're in healthcare, HIPAA compliance isn't optional and the enforcement priorities are tightening.

For SMBs, the average cost of a cyberattack lands around $254,445, though some incidents reach $7 million. Data breaches specifically range from $120,000 to $1.24 million depending on scope.

Two numbers worth flagging for the "is this really worth the investment?" conversation:

  • Organizations using AI and automation in their security programs saved $2.2 million per breach compared to those without.
  • Breaches with lifecycles (time to identify plus time to contain) over 200 days cost $5.46 million on average. Bring the lifecycle under 200 days and that drops to $4.07 million.

Speed and tooling both pay for themselves.


How Long Breaches Go Undetected

This is where things get uncomfortable for small businesses.

The average time to identify a breach is 194 days. Containing it takes another 64 days. That's 258 days total from initial compromise to resolution: more than eight months of an attacker sitting in your network.

The timeline varies by attack type. Stolen credential attacks are the worst at 292 days total (229 to identify, 63 to contain). Phishing breaches average 261 days (195 to identify, 66 to contain).

SMBs take nearly 3x longer to detect breaches than larger organizations. Makes sense when you consider that most small businesses don't have a dedicated security team, a SIEM, or anyone watching logs at 2 AM.

The silver lining: organizations using threat intelligence identified breaches 28 days faster on average. Even basic monitoring beats flying blind.


Small Business Preparedness (or Lack of It)

46% of all cyber breaches impact businesses with fewer than 1,000 employees, and the trend is moving in the wrong direction. 69% of U.S. companies reported an increase in cyber attacks compared to the prior year, with an average of 62 incidents per business annually.

The preparedness numbers are grim. Only 14% of small businesses with 1-250 employees are adequately prepared for advanced cyberattacks. Over half (51%) have no cybersecurity measures in place at all. None. If your security stack still starts and ends with traditional antivirus, EDR is the new minimum standard.

Multi-factor authentication, one of the cheapest and most effective defenses available, is only in place at 46% of SMBs. And just 13% require employees to use it across most accounts. That means the majority of small businesses are one stolen password away from a breach. MFA alone isn't enough either; conditional access policies add the context-aware layer that catches the attacks MFA misses.

54% of businesses straight up admit their IT departments don't have the experience to handle complex cyberattacks. At least they're honest about it.


Human Error

People remain the weakest link, and the data backs that up every year.

68% of breaches involved a human element, whether that's an error, manipulation, or deliberate misuse. Phishing emails were the entry point for 57% of ransomware incidents. And here's a stat that should change how you think about security training: 8% of employees account for 80% of security incidents. Blanket training programs are less effective than identifying and focusing on that high-risk group.

When companies were asked why their cyber risk had increased, the most common answers were failing to decommission old systems (47%), lack of employee awareness (41%), and not having adequate backups (35%). All three are fixable without massive budgets.


Cyber Insurance

Cyber insurance is growing fast, but most small businesses aren't on board yet.

Only 17% of small businesses carry cyber insurance, and 64% say they're not even familiar with what it covers. We broke down why Washington State's 30-day breach notification rule makes cyber insurance a near-requirement for local SMBs. Meanwhile, global premiums reached $15 billion in 2024, up 7% year over year.

There's actually some good news here: U.S. cyber insurance rates declined an average of 5% in Q4 2024, down 22% from the mid-2022 peak. The market is stabilizing and getting more affordable.

That said, claims grew 22% year over year in 2024 with 1,228 reported incidents across just one broker's client base. More businesses are filing claims, which means insurers are paying more attention to what controls you actually have in place before they'll write a policy.


Vulnerability Exploitation

Attackers are shifting tactics, and unpatched systems are getting hit harder than ever.

Vulnerability exploitation as an initial access method nearly tripled in 2024, a 180% increase year over year. Edge devices like routers, firewalls, and VPN appliances accounted for 22% of vulnerability-driven breaches, an 8x jump from the prior year. Internet-facing devices that sit outside the reach of endpoint tooling are exactly why zero trust architecture is replacing perimeter-based security models.

The median time to fully remediate an edge device vulnerability? 32 days. That's a month in which the device stays reachable from the internet by anyone with a working exploit, and attackers routinely start scanning for newly disclosed edge device bugs within days of disclosure.

Supply chain attacks are also surging. 15% of breaches now trace back to the supply chain, a 68% increase from the year before. You can lock down your own network and still get hit through a vendor, a managed service provider, or a software update you trusted.


Sources

Every statistic on this page comes from reports published in 2024 or 2025 by these organizations:

Last updated February 2026. If you spot a broken link or outdated stat, let us know.


Rain City Techworks provides managed IT services for businesses throughout Seattle, Tacoma, and the Puget Sound region. We help companies implement the security controls that compliance frameworks and cyber insurers require. Learn more about our services or check your compliance readiness with our free tool.