
Cyber Threats Are Rising — Here’s What SMBs Must Do to Protect Themselves

  • Alan S
  • Sep 17

Cybersecurity isn’t just an enterprise problem anymore. Small and mid-sized businesses (SMBs) are now prime targets, and the numbers are staggering.


A recent report highlights that 98% of cyber insurance claims come from SMBs, with the average ransomware breach costing around $432,000. For many, that’s a devastating hit. Unlike large enterprises, SMBs don’t always have the cash reserves, in-house security teams, or redundant systems to absorb the blow. One breach can mean weeks of downtime, lost customers, reputational damage, or even shutting the doors for good.

And the threats aren’t slowing down. Cyberattacks are growing more sophisticated, more automated, and more focused on the very businesses that drive nearly half of the U.S. economy.


Why SMBs Are So Vulnerable

  • Limited resources: smaller budgets mean fewer tools and staff dedicated to cybersecurity.

  • Attractive targets: hackers know SMBs often hold sensitive data but lack enterprise-level defenses.

  • Ripple effects: compromising one SMB often opens the door to larger partners and supply chains.

The expiration of the Cybersecurity Information Sharing Act (CISA 2015) in September 2025 adds another layer of concern. CISA created a framework for companies and government agencies to share real-time threat intelligence without fear of liability. If it’s not reauthorized, SMBs may lose critical access to early warnings and collaborative defenses.


What SMBs Should Be Doing Now

Regardless of what happens in Washington, SMB leaders can take concrete steps today to protect their businesses:

  1. Implement basic cybersecurity hygiene

    • Strong, unique passwords with multifactor authentication (MFA).

    • Regular patching and updates for all systems.

    • Network segmentation to limit spread if breached.

  2. Back up your data (and test your restores)

    • Offsite and immutable backups are the best defense against ransomware.

    • A backup is only useful if you can actually restore it quickly.

  3. Train your team

    • Most breaches start with a phishing email.

    • Make cybersecurity awareness part of your culture, not just a once-a-year exercise.

  4. Invest in monitoring and detection

    • Even small businesses benefit from managed detection and response (MDR) services.

    • Catching an intrusion early often means the difference between a minor incident and a major outage.

  5. Review your vendors and partners

    • Your security is only as strong as your weakest link.

    • Require vendors to meet basic security standards.

  6. Plan for the worst

    • Have an incident response plan in writing.

    • Know who you’ll call, how you’ll respond, and how you’ll communicate with customers if something goes wrong.


The Bottom Line

Cyber threats aren’t going away; they’re multiplying. For SMBs, the question isn’t if you’ll be targeted, but when. The businesses that survive will be the ones that treat cybersecurity as a core business function, not an afterthought.


While laws like CISA 2015 are critical for broader national defense, every SMB owner should take steps now to strengthen their own defenses. The health of your business, and by extension the economy, depends on it.
