Latest from our blog
Discover insights, updates, and helpful content.
“58% of SMBs spent more on cybersecurity than planned. Simple safeguards keep teams safe.”
Small businesses are under cyber siege as we approach 2025. In 2024, a staggering 58% of SMBs ended up spending more on cybersecurity than they had originally planned. Why? Because cyber threats – from data breaches to ransomware – are forcing even smaller companies to beef up defenses. Nearly half of all cyber attacks now target small businesses, yet only a small fraction of these companies feel fully prepared to defend against them. The good news is that with some basic cyber hygiene practices, even a lean small business can significantly boost its protection.
Attackers have increasingly shifted their attention to SMBs over the past few years. In 2021, 82% of ransomware attacks were aimed at organizations with under 1,000 employees – and 37% of those struck companies with fewer than 100 employees. Cybercriminals are turning away from “big fish” targets to focus on small and mid-sized companies, since weaker defenses make them easier prey and breaches draw less law enforcement scrutiny. Phishing and email scams also hit SMBs disproportionately. One report found that 1 in every 323 emails sent to employees of small businesses is malicious – the highest rate of any sector. In fact, staff at companies with under 100 people experience 350% more social engineering attacks (phishing, baiting, etc.) than those at larger enterprises.
The consequences of these attacks can be devastating. Without strong defenses, a single incident can cripple a smaller company. Studies indicate that 83% of SMBs are not prepared to recover from the financial damage of a cyber attack, and as many as 75% of small businesses would be forced to shut down if hit by a major ransomware attack that encrypts all their data. Beyond immediate losses, breaches can also erode customer trust – more than half of consumers say they would be less likely to do business with a company that suffered a data breach. Faced with this rising threat landscape, small business owners are recognizing the need for better security.
Even emerging technologies are raising the stakes. Take artificial intelligence (AI) as an example – 83% of SMB leaders believe AI has escalated the cyber threat level for their organizations. Attackers can leverage AI to automate attacks, craft more convincing phishing messages, or find software vulnerabilities faster. This means the typical “spray-and-pray” phishing campaigns are getting smarter and more dangerous, further increasing risks for businesses that aren’t prepared.
Small businesses are not oblivious to these challenges. In fact, cybersecurity is now a top priority for over half of SMBs – 57% say that cybersecurity is their organization’s number-one priority going into 2025. Many companies have started investing more into protection. In one survey, 76% of SMBs that increased their cybersecurity spending did so due to a growing fear of new threats. On average, SMBs today allocate between 5% and 20% of their total IT budget toward security measures, covering things like security software, services, and training.
However, despite rising awareness and bigger budgets, a significant security gap remains among small enterprises. Nearly half of very small businesses (those with under 50 employees) have no dedicated cybersecurity budget at all. A startling 51% of small businesses have no cybersecurity measures in place – no firewalls, no anti-malware, no data encryption, nothing. Many owners still assume “we’re too small to be a target,” with 59% of businesses lacking any cyber protections believing that hackers wouldn’t bother with them. Unfortunately, this complacency doesn’t match reality. Only 14% of small businesses consider their cyber defenses highly effective – the vast majority are essentially rolling the dice. And when an attack does hit, most aren’t ready: as noted earlier, 83% of SMBs admit they are not financially prepared to weather the fallout of a cyber incident.
The takeaway is clear: cyber threats are rising faster than many small businesses’ defenses. Yet, it’s not all doom and gloom. By focusing on a handful of fundamental security practices, even resource-constrained teams can dramatically improve their security. Microsoft’s latest cybersecurity report observes that basic security hygiene still protects against 99% of attacks (microsoft.com) – meaning the vast majority of threats can be thwarted by simple, well-known measures. Let’s look at some of those high-impact steps.
Enforce Strong Authentication (Passwords + MFA): User logins are the first line of defense. Every employee and admin account should use strong, unique passwords – and wherever possible, enable multi-factor authentication (MFA) for an extra layer of security. Given that roughly 80% of hacking-related breaches involve lost or stolen passwords, adding MFA (such as a one-time code from a phone or biometric login) can thwart attackers who manage to crack or steal a password. Microsoft estimates that MFA alone can block over 99% of account compromise attacks. Not every second factor is equally strong, though: SMS codes can be redirected through SIM swapping, and any one-time code can be relayed in real time by a phishing site that proxies the genuine login page, so prefer an authenticator app over SMS and, for administrator and email accounts, phishing-resistant methods such as FIDO2 security keys or passkeys. Yet adoption among small businesses remains low – only about 20% of SMBs have implemented MFA so far. Setting up MFA is one of the easiest and most effective security moves you can make, drastically reducing the likelihood that a compromised password will lead to a breach.
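To make the “one-time code from a phone” concrete, here is an added example (not from the original post, and not Holistc™ code) implementing RFC 6238 TOTP with only the Python standard library. It assumes a 30-second step and six digits, the defaults of common authenticator apps; the known-answer secret is the published RFC test vector and is used only to check the implementation.

```python
# Added example (not from the original post): RFC 6238 TOTP, the "one-time
# code from a phone" form of MFA, in pure standard-library Python. The code
# is an HMAC over the current 30-second time step keyed by a secret shared
# at enrolment, so a stolen password alone cannot produce it.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
# Known-answer secret from RFC 4226/6238 (ASCII "12345678901234567890"),
# used only to check the implementation. Never reuse a published secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(num_bytes: int = 20) -> str:
    """Random base32 secret of the kind encoded in an authenticator-app QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret_b32, t // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock skew).
    compare_digest avoids leaking how many digits matched through timing."""
    t = int(time.time()) if at_time is None else at_time
    base = t // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, base + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the SHA-1 code is 94287082; six digits -> 287082.
    print("RFC known answer at T=59:", totp(RFC_TEST_SECRET_B32, at_time=59))
    secret = new_secret()
    code = totp(secret)
    print("enrolment secret:", secret, "current code:", code, "accepted:", verify_totp(secret, code))
    # The right secret with a five-minute-old code is refused: codes expire.
    stale = totp(secret, at_time=int(time.time()) - 300)
    print("stale code accepted:", verify_totp(secret, stale))
```

The `window` of one step either side is what lets a phone whose clock is slightly off still log in; widening it much beyond that gives an attacker who has intercepted a code more time to replay it, which is the real-time phishing risk mentioned above.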
Backup Your Data Regularly: Routine data backups are a lifesaver when ransomware or other disasters strike. If you have recent backups of all critical files (and those backups are stored securely offline or in the cloud), you can restore your data without paying a ransom or suffering irreversible loss. Unfortunately, many small businesses lack reliable backups – nearly 40% of SMBs have lost crucial data in an attack. And the stakes are high: an estimated 75% of SMBs would likely have to shut down if a ransomware attack completely wiped out their data with no way to recover it. Don’t become part of those statistics. Schedule automatic daily or weekly backups for your servers, databases, and even employee PCs. Keep at least one copy somewhere the rest of your network cannot write to (a detached drive, or cloud storage with versioning or immutability turned on): ransomware that can reach a mapped backup drive or a synced folder using the same credentials will encrypt the backups along with everything else. Just as important, test your backups periodically by actually restoring files from them to make sure you can recover the information. A backup that hasn’t been tested might fail when you need it most. With solid backups in place, even a serious incident can become a temporary setback rather than a business-ending catastrophe.
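The “test your backups” advice is the part most often skipped, so here is an added example (not from the original post, and not Holistc™ code) of a backup routine that records a SHA-256 manifest and proves the archive restores. The directory names and sample files are constructed for the demonstration; in practice `source` and `dest_dir` would point at the data to protect and at a destination the live systems cannot overwrite.

```python
# Added example (not from the original post): back up a directory to a
# separate location, record a SHA-256 manifest, and prove the copy restores
# by extracting it into a scratch directory and checking every file hash.
# The demo data is constructed; point `source`/`dest_dir` at real paths.
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under `root`."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, dest_dir: Path, name: str) -> Path:
    """Write dest_dir/<name>.tar.gz and a <name>.manifest.json beside it."""
    manifest = build_manifest(source)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    (dest_dir / f"{name}.manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive


def verify_backup(archive: Path) -> bool:
    """Trial-restore into a scratch directory and compare against the manifest.
    Any missing, extra or altered file, or an unreadable archive, returns False;
    that is exactly the failure an untested backup hides until the day it is needed."""
    manifest_path = archive.with_name(archive.name[:-len(".tar.gz")] + ".manifest.json")
    expected = json.loads(manifest_path.read_text())
    # The 'data' filter (Python 3.12+, backported to maintenance releases) refuses
    # absolute paths and ../ traversal inside the archive; fall back cleanly without it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
            return build_manifest(Path(scratch)) == expected
    except (tarfile.TarError, zlib.error, EOFError, OSError):
        return False


def demo() -> Dict[str, bool]:
    """Constructed data: back up a tiny office tree, verify it, then flip one
    byte of the archive to simulate bit rot or tampering and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "office"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-11.csv").write_text("id,amount\n1,120.00\n")
        (source / "customers.db").write_bytes(os.urandom(4096))
        dest_dir = Path(work) / "backup-drive"   # stands in for a detached disk or bucket
        dest_dir.mkdir()
        archive = create_backup(source, dest_dir, "office-2024-11-30")
        before = verify_backup(archive)
        damaged = bytearray(archive.read_bytes())
        damaged[len(damaged) // 2] ^= 0xFF
        archive.write_bytes(bytes(damaged))
        return {"verified_before": before, "verified_after_corruption": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, `verify_backup` turns “we have backups” into “we restored them this week”; a manifest stored with the archive also lets you detect an archive that was silently altered after it was written.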
Keep Software Updated (Patch Management): Keeping your software and devices up-to-date is a simple but critical step. Cybercriminals often exploit known vulnerabilities in operating systems, applications, or firmware – weaknesses that developers have already patched in updates. By running the latest versions and security patches, you close those holes before attackers can pry them open. In fact, one analysis found that 57% of data breaches could have been prevented by installing available software updates. Similarly, about one-third of cyber attacks stem from attackers exploiting an unpatched vulnerability in software. The lesson: enable automatic updates wherever feasible (for your computers, phones, websites, and any network equipment). When a notification to install updates appears, don’t put it off until “later.” Regular patching of systems – from your office PCs to your Wi-Fi router – drastically reduces the chances that an opportunistic hacker will penetrate your network through an old bug.
Use Antivirus, Firewalls, and Security Tools: Every business, no matter how small, should deploy basic security tools on its devices and networks. At minimum, use a reputable antivirus/anti-malware program on all computers to catch known threats, and keep it up to date. Enable your network’s firewall to filter out suspicious traffic. If employees work remotely, have them use a VPN (virtual private network) to securely connect to the office. Consider using a password manager to help staff create and safely store unique passwords for all their accounts. These measures aren’t high-cost – many quality antivirus and firewall solutions are affordable or even included with your operating system. And they make a big difference: recent surveys show that antivirus software (used by 58% of SMBs), firewalls (49%), VPNs (44%), and password managers (39%) are among the top cybersecurity tools small businesses are adopting. If your company is missing any of these basics, now is the time to implement them. (Notably, about 20% of small businesses don’t use any endpoint protection at all – a risky gamble that’s easily avoided by installing standard security software.)
Educate and Train Your Team: Technology alone can’t stop every threat – employees need to be vigilant and cyber-aware. Human error is a leading cause of security incidents; in fact, 85% of breaches involve a human element like falling for phishing or using a weak password. Make cybersecurity training a regular part of your business routine. Teach staff how to recognize phishing emails and fraudulent links, the importance of not reusing passwords or sharing credentials, and what to do if they suspect a security incident. Even a short awareness session or phishing simulation every few months can greatly reduce the chance that someone on your team will inadvertently open the door to attackers. Small businesses actually see a disproportionately high volume of social engineering attempts, precisely because attackers expect less training and awareness – employees at firms under 100 people face 3.5 times more social engineering attacks than those at larger companies. By prioritizing basic cyber hygiene at the human level, you turn your workforce into an asset in your security defense, rather than a liability.
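The tells that awareness training teaches people to look for can also be checked mechanically, which makes a useful teaching aid for a short session. The following is an added example (not from the original post, and not Holistc™ code): it runs a handful of phishing indicators over two constructed sample emails. The trusted domains, the sample messages and the indicator names are all assumptions made for the demonstration; it is not a substitute for a mail filter.

```python
# Added example (not from the original post): automated checks for common
# phishing tells (brand in display name but foreign domain, Reply-To
# mismatch, lookalike domains, link text that disagrees with the link
# target, urgency language), run over two constructed sample emails.
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the organisation's own domain plus vendors it genuinely uses.
TRUSTED_DOMAINS = {"example-corp.com", "microsoft.com"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (adequate for the .com-style domains used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None. Catches brand-plus-
    suffix names (microsoft-login.com) and near-misspellings (rnicrosoft.com, micros0ft.com)."""
    if domain in TRUSTED_DOMAINS:
        return None
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for token in name.split("-"):
            if token == brand and name != brand:
                return trusted
            if len(brand) >= 5 and token != brand and edit_distance(token, brand) <= 2:
                return trusted
    return None


def analyze(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means no tells were found."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    sender = msg["from"].addresses[0] if msg["from"] else None
    if sender:
        from_domain = registrable(sender.domain)
        shown = sender.display_name.lower()
        if from_domain not in TRUSTED_DOMAINS and any(
                t.split(".")[0].split("-")[0] in shown for t in TRUSTED_DOMAINS):
            findings.append(("DISPLAY_NAME_SPOOF", f'"{sender.display_name}" sent from {sender.addr_spec}'))
        imitated = lookalike(from_domain)
        if imitated:
            findings.append(("LOOKALIKE_SENDER_DOMAIN", f"{from_domain} resembles {imitated}"))
        if msg["reply-to"]:
            reply_domain = registrable(msg["reply-to"].addresses[0].domain)
            if reply_domain != from_domain:
                findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_domain}, not {from_domain}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        shown_domain = DOMAIN_IN_TEXT.match(text)
        if shown_domain and registrable(shown_domain.group(1)) != registrable(href_host):
            findings.append(("LINK_TEXT_MISMATCH", f"text shows {shown_domain.group(1)}, link goes to {href_host}"))
        imitated = lookalike(registrable(href_host))
        if imitated:
            findings.append(("LOOKALIKE_LINK_DOMAIN", f"{registrable(href_host)} resembles {imitated}"))
    plain = (re.sub(r"<[^>]+>", " ", html) + " " + (msg["subject"] or "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append(("URGENCY_PRESSURE", ", ".join(hits)))
    return findings


# Constructed samples (not real mail): one phish, one ordinary internal message.
PHISHING_SAMPLE = """\
From: "Microsoft Account Team" <security@rnicrosoft-support.com>
Reply-To: helpdesk@mail-recovery.net
To: owner@example-corp.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual sign-in activity. Verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://login.rnicrosoft-support.com/verify">https://login.microsoft.com/verify</a></p>
</body></html>
"""
LEGITIMATE_SAMPLE = """\
From: "Accounts Payable" <ap@example-corp.com>
To: owner@example-corp.com
Subject: November invoice summary
Content-Type: text/html; charset="utf-8"

<html><body><p>The November summary is on the intranet:
<a href="https://intranet.example-corp.com/finance">intranet.example-corp.com/finance</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, analyze(sample) or "no indicators")
```

Each indicator maps to something a person can check by hand (hover the link, compare the sender address with the display name, ask why the reply would go elsewhere), which is why running the samples through it makes a good five-minute exercise in a training session.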
Protect your data – consult Holistc™ on best practices.