The 88% Number
Why the story you're telling yourself about cyber risk is mathematically backwards.
Eighty-eight percent of the small and mid-sized business breaches analysed in Verizon's 2025 Data Breach Investigations Report involved ransomware. The figure for large enterprises was thirty-nine percent (Verizon, 2025).
That gap is not a margin of error. It is a market.
Ransomware operators have, with the cold efficiency of any other industry, identified their ideal customer. Small businesses hold real data and real money. They process payments. They have customer records. And they spend a fraction of what a Fortune 500 spends on the controls that would make extorting them harder. The attack economy has noticed. Sixty-four percent of small business owners still don't believe they are an attractive target (Identity Theft Resource Center, 2025).
Those two positions cannot both be true. Either the attackers are wrong about who is worth targeting, or the owners are. The data is unambiguous about which.
You are not too small. You are exactly the right size.
The mental model most owners carry ("we're too small to be worth their time") was accurate in 2015. It was already wrong by 2020. In 2026 it is upside-down.
Verizon's 2025 Data Breach Investigations Report found that small businesses experienced approximately four times as many confirmed breaches as large organisations in 2024, controlling for organisation count (Verizon, 2025). Employees at small businesses are subjected to 350 percent more social engineering attacks than employees at large enterprises (Barracuda Networks, 2024). Eighty percent of small businesses suffered at least one cyberattack in 2025 (CrowdStrike, 2025).
This is not the pattern of an attacker community that has decided you are not worth pursuing. It is the pattern of one that has decided you are the easiest pursuit available.
The reasons are structural and unflattering. Sixty-five percent of SMBs do not use multi-factor authentication and have no plans to implement it (Cyber Readiness Institute, 2024). Fifty-two percent rely on untrained internal staff or the business owner to manage cybersecurity entirely (ConnectWise, 2025). Only thirty-four percent have a formal incident response plan (ConnectWise, 2025). For an attacker comparing two targets, a bank with a 24/7 security operations centre and a 60-person business where the office manager handles IT, the choice is not difficult.
The asymmetric economics
The gap between attack cost and recovery cost is what makes this market work.
IBM's 2024 Cost of a Data Breach Report puts the average cost of a breach for organisations with fewer than 500 employees at $3.31 million (IBM, 2024). Verizon's wider data set gives a more typical SMB range of $120,000 to $1.24 million per incident (Verizon, 2024). Even at the floor of that range, $120,000, the figure exceeds the entire annual cybersecurity budget of most small businesses by an order of magnitude, sometimes two.
The downtime is often worse than the ransom. The average ransomware-related downtime is 24 days (Sophos, 2025). Downtime costs small businesses approximately 50 times more than the ransom itself once lost productivity, recovery, and reputational damage are tallied (Datto, 2024).
Paying the ransom, the option owners reach for under pressure, does not solve the problem either. Of the SMEs that paid in 2025, only 60 percent successfully recovered their data. Thirty-one percent of those that paid received subsequent demands for more money. Sixty-nine percent of paying businesses were attacked again within twelve months (Sophos, 2025).
The statistic everyone uses is wrong. The truth is worse.
You have probably read, on a competitor's blog or a vendor pitch deck, that sixty percent of small businesses close within six months of a cyberattack. The figure is everywhere. It has been cited in congressional testimony, trade press, and procurement justifications for the better part of a decade.
The National Cybersecurity Alliance, the body most commonly credited as the source, formally stated in May 2022 that they never produced the statistic and recommended that it no longer be used (National Cybersecurity Alliance, 2022).
The number does not need to be true for the fear behind it to be informative. Seventy-five percent of SMBs say they could not continue operating if hit with a ransomware attack (CyberCatch, 2022). Seventy-eight percent fear that a major cyber incident could put them out of business entirely (ConnectWise, 2025). The actual closure rate is unknown, but the share of owners who believe their business would not survive an attack is overwhelming. They have priced the risk. They have not, in most cases, acted on it.
The gap between aware and prepared is where the 88 percent number actually lives.
What the data says actually works
The same research that produces the alarming statistics also produces an unusually clear picture of which interventions matter. The list is shorter than the cybersecurity industry would like its buyers to believe.
Multi-factor authentication blocks 99.9 percent of automated account compromise attacks (Microsoft, cited in Cyber Readiness Institute, 2024). That figure applies to automated attacks such as password spraying and credential stuffing; against phishing kits that relay one-time codes in real time, only phishing-resistant methods (FIDO2 security keys, passkeys) hold the line, so prefer those where the platform supports them. MFA is the highest-impact, lowest-cost control available, and adoption among SMBs sits between 27 and 34 percent compared with 87 percent at large enterprises (Cyber Readiness Institute, 2024). If your organisation has not deployed MFA on email, remote access, and financial systems, nothing else on this list matters yet.
Security awareness training, measured over 67.7 million simulated phishing tests at 62,400 organisations, reduces employee phishing susceptibility by 86 percent over 12 months (KnowBe4, 2025). The median time for an employee to click a phishing link is 21 seconds (Verizon, 2025). Training is the intervention that most directly changes that number.
A tested incident response plan determines whether a breach is a bad week or a business-ending event. Only 34 percent of small businesses have one (ConnectWise, 2025). Businesses with a tested plan recover materially faster, spend less, and are less likely to face a repeat attack.
These three controls (MFA, training, and a tested response plan) address the majority of the risk for a fraction of the cost of the products most commonly sold to SMBs. The reason they remain under-adopted is not that they are unknown. It is that they require attention from someone whose attention is already spoken for.
What to do about it
For most small businesses, the gap between the security posture they have and the security posture they need is not bridgeable by buying another product. It is bridgeable by getting someone competent to look at the whole picture for a few weeks, fix the unglamorous fundamentals, and leave behind a plan that someone in the business can actually follow.
That is the work that gets skipped. Vendors will happily sell tools. Auditors will happily issue reports. Neither closes the actual exposure, which is operational.
This is the kind of engagement Neurotic exists for. We work with growth companies, scale-ups, and corporates to fix the security gaps that vendors won't talk about and auditors won't catch: pragmatic, engineering-led, without the overhead. If you are reading this and recognising your own organisation in the statistics above, the right next step is not another product demo.
Talk to us at neurotic.co, or contact me directly.
References
Barracuda Networks (2024) Threat Spotlight: Email threat trends. [online] Available at: https://blog.barracuda.com/category/research/threat-spotlight [Accessed 11 May 2026].
ConnectWise (2025) State of SMB Cybersecurity 2025. [online] Available at: https://www.connectwise.com/resources/state-of-smb-cybersecurity [Accessed 11 May 2026].
CrowdStrike (2025) State of SMB Cybersecurity Survey 2025. [online] Available at: https://www.crowdstrike.com/en-us/resources/reports/state-of-smb-cybersecurity-survey/ [Accessed 11 May 2026].
CyberCatch (2022) SMB Vulnerabilities Report. Cited in Spacelift (2026) 60 Small Business Cybersecurity Statistics to Know in 2026. [online] Available at: https://spacelift.io/blog/small-business-cybersecurity-statistics [Accessed 11 May 2026].
Cyber Readiness Institute (2024) Global Multifactor Authentication (MFA) Survey Insights. [online] Available at: https://cyberreadinessinstitute.org/resource/2024-global-multifactor-authentication-mfa-survey-insights/ [Accessed 11 May 2026].
Datto (2024) Global State of the Channel Ransomware Report. [online] Available at: https://www.datto.com/categories/ransomware/ [Accessed 11 May 2026].
IBM (2024) Cost of a Data Breach Report 2024. [online] Available at: https://www.ibm.com/reports/data-breach [Accessed 11 May 2026].
Identity Theft Resource Center (2025) 2025 Business Impact Report. [online] Available at: https://www.idtheftcenter.org/publication/itrc-2025-business-impact-report/ [Accessed 11 May 2026].
KnowBe4 (2025) Phishing By Industry Benchmark Report 2025. [online] Available at: https://www.knowbe4.com/resources/reports/phishing-by-industry-benchmarking-report [Accessed 11 May 2026].
National Cybersecurity Alliance (2022) Statement Regarding Incorrect Small Business Statistic. [online] Available at: https://www.staysafeonline.org/press/national-cyber-security-alliance-statement-regarding-incorrect-small-business-statistic [Accessed 11 May 2026].
Sophos (2025) State of Ransomware 2025. [online] Available at: https://www.sophos.com/en-us/content/state-of-ransomware [Accessed 11 May 2026].
Verizon (2024) Data Breach Investigations Report 2024. [online] Available at: https://www.verizon.com/business/resources/reports/dbir/ [Accessed 11 May 2026].
Verizon (2025) Data Breach Investigations Report 2025. [online] Available at: https://www.verizon.com/business/resources/reports/dbir/ [Accessed 11 May 2026].