Skip to content.

Fragile or volatile supply chains, increases in regulatory obligations and enforcement, natural disasters, inflation, political turmoil – all complicated issues for any business to navigate.

Among the myriad business threats, are cyberattacks: an issue with an outsized impact on small- and- medium-sized businesses due to the costly nature of a breach both financially and reputationally.  

In the 2024 Risk Barometer report, Allianz identified cyber incidents as the top business risk for companies worldwide. According to the report, cyber incidents rank as the risk of most concern in the Americas, Africa and Middle East, Asia Pacific, and Europe regions. Cyber incidents also rank as a top concern across all company sizes, defined in the report as large ($500+ million USD annual revenue), mid-size ($100-$500 million annual revenue), and smaller (less than $100 million annual revenue).

Threats and hope

The rise of AI capabilities surely comes with hope and significant benefits for specific industries. Still, AI capabilities also have the “power to cause significant harm,” as the World Economic Forum claims. While AI comes with cutting-edge technologies like 5G or quantum computing, these functionalities also offer new possibilities for bad actors who will find a fertile breeding ground for exploiting these technological advances.

The ranking of cyber incidents in this survey (and in many others) highlights how well-aware companies are of these risks  – but the gap between understanding the risk and taking risk mitigation actions can be huge.

Often, the strategy is defined by pragmatism or simply limits like budget, human resources or scope of action. In this case, small and medium businesses (<1,000 employees or <$100 million annual revenue) often appear as prime targets for cybersecurity exploits, given the fact they often don’t have the same means of defending themselves as larger organizations.

Cybersecurity awareness

SMBs largely declare themselves to be risk-averse, and knowledge is key to avoiding risk. A variety of survey responses show that SMBs are generally informed of the latest regulations and the technological evolutions that could impact their industry. But how much information do they factor in their cybersecurity strategy? Here’s a look at some of the data around SMB cybersecurity awareness:

  • Cyber incidents are the number one threat for 78% of the smaller organizations surveyed in 2024, while 32% of the companies see the “lack of qualified IT or security staff” as the top challenge
  • 71% of SMB managers claim to be the sector most at risk for attacks
  • 69% say cybersecurity is part of their culture but is mostly discussed when occurred after a change or an incident
  • 76% regularly review their cybersecurity defense
  • 59% of small businesses without a cybersecurity plan believe their organization is too small to be targeted

The cost of cyberattacks

Cybersecurity attacks such as phishing and ransomware are the most common threats SMBs are facing. The lower quantity (and quality) of protection encourages hackers to target priority employees instead of the system. Thus, 9 out of 10 security breaches are caused by human errors. So, exactly how much does a cyberattack cost on average?

  • In 2023, 61% of cyberattacks were aimed at SMBs
  • 48% of SMBs experienced a cybersecurity incident between 2022 and 2023
  • The average data breach cost for companies with fewer than 500 employees was $3.31 million in 2023. This is an annual increase of $390K (+13.4%). The cost of a breach is similar for companies with 500 to 1,000 employees ($3.29 million), but annual increase for SMBs is much higher at $580K, or a 21.4% increase
  • System intrusion, social engineering and basic web application attacks represent 92% of breaches for SMBs
  • 54% of the data compromised are credentials and 37% are internal information

What are the consequences of a cybersecurity incident for SMBs?

Regardless of the scale, cyber breaches mark an important milestone in the history of the companies targeted: the time before an attack and the aftermath.

Whether they are technical, financial or legal, what are the outcomes of cyberattacks on businesses? Let’s take a look at some of the data around the outcomes following an SMB cyber incident.

  • 50% of SMBs state that it took at least 24 hours to recover from an attack
  • 51% of small organizations announced their website was down between eight and 24 hours
  • Almost 40% of small businesses lost crucial data after a breach
  • 75% of SMBs couldn’t operate following a ransomware attack
  • 42% of cyberattacks led to a financial loss and 32% to a loss of customer trust
  • 60% of the businesses shut down within six months after being attacked

Response and compliance

SMBs largely acknowledge the cyber threats facing their business but are often at a loss on how to respond. Thus, what can they do to ensure their defense system is sound while complying with their policies and managing a limited budget?

  • 52% of SMBs want support with training and education
  • For 51% of SMBs surveyed, keeping on top of new threats is the main challenge, followed by 45% of ensuring employees understand what is needed of them, 44% about educating staff on cyber security, and 43% on cost
  • 91% of SMBs plan to increase or stabilize their cybersecurity investment in 2024
  • Only 17% of small companies have cyber insurance. Including the mid-sized businesses, the rate goes up to 64%
  • 46% of SMBs don’t use firewalls and 42% don’t back up data


Cybersecurity is not a matter to be taken lightly: the losses can be high, data can sometimes be irretrievable, and the reputational damage can be long lasting. These breaches often result in financial or consumer trust-based consequences, making the stakes even higher for SMBs. And more so than larger organizations, the ability of an SMB to defend themselves depends on numerous internal (budget, workforce skills) and external (inflation, cost of living) factors.

One aspect of improving your cybersecurity posture is having a comprehensive IT risk management strategy and tools to support your efforts. If you’re looking for a solution to help you better understand your IT risks, NAVEX has your back. Check out the NAVEX IRM Out-of-the-Box solution to get started quickly.

Let's get started!