CODEDAGGER
43% of cyberattacks now target small business — what actually reduces the risk
Security

43% of cyberattacks now target small business — what actually reduces the risk

← All posts
CODEDAGGER Team6 min read

Small businesses aren’t a secondary target anymore — they’re the primary one. 43% of all cyberattacks now target small businesses, which are roughly three times more likely to be targeted than larger firms. In 2026, small businesses report a 49% annual attack rate, which works out to an incident attempted somewhere roughly every seven seconds.

Ransomware is the sharpest end of it. Verizon’s breach data found ransomware present in 88% of small business breaches, compared with 39% of breaches at large organisations — attackers know smaller companies are less likely to have segmented backups or a tested recovery plan.

Ransomware shows up in the large majority of small business breaches — far more than at larger, better-resourced organisations.
Ransomware shows up in the large majority of small business breaches — far more than at larger, better-resourced organisations.

Why the stakes are higher for smaller companies

75% of small businesses say they couldn’t continue operating if hit with a serious ransomware attack, and that’s not an exaggeration — 60% of small businesses that suffer a cyberattack shut down within six months of it. Average breach costs for firms under 500 employees run as high as $3.31 million, though the more typical range sits between $120,000 and $1.24 million — still enough to be existential for most small businesses.

AI is making it worse before it makes it better. 83% of small businesses say AI has raised the threat level they’re facing, and 72% of workers say phishing attempts look more convincing than they did a year ago, largely because AI-written phishing no longer reads like a bad translation.

How we can help

IT Consulting & Support

On-demand and ongoing IT support for growing teams.

Explore this service

What actually moves the needle

The businesses that recover from an incident — or avoid one entirely — tend to have the unglamorous basics in place: patched systems, tested backups that are actually isolated from the production network, and a support relationship that catches configuration drift before it becomes an opening, rather than a vendor that only shows up after something’s already gone wrong.

Isolated, tested backups are consistently the difference between a bad week and a business-ending one.
Isolated, tested backups are consistently the difference between a bad week and a business-ending one.

None of it requires an enterprise security budget. It requires treating security review as ongoing maintenance rather than a project that finishes once and gets revisited only after an incident.

Ready when you are

Not sure where to start?

Tell us what you’re working with and we’ll tell you honestly whether it’s worth fixing now or later.

Get in touch