CrowdStrike’s latest survey on SMB cybersecurity shows smaller businesses are in the crosshairs. Phishing is surging. Ransomware is hitting the smallest businesses hardest. And most SMBs are still operating with outdated tools, limited budgets, and big execution gaps.
Below are some of the report’s findings.
“Small and medium-sized businesses (SMBs) are no longer flying under the radar of cybercriminals. Once considered too small to be worthwhile targets, SMBs are now being hit by increasingly sophisticated adversaries that are leveraging AI and automation to scale their operations to businesses of any size. Despite their growing awareness of cybersecurity threats, many SMBs remain underprepared and caught in a dangerous gap between recognizing cyber risks and implementing effective responses.”

“Ninety-four percent of SMB leaders say they’re ‘somewhat’ or ‘very’ knowledgeable about cyber threats, but that awareness doesn’t consistently translate into action.
A large majority (83%) report having a cybersecurity plan in place, yet only 42% provide regular employee training — a key component to cybersecurity literacy and knowledge and mission-critical to an effective cybersecurity strategy.”
“Unsurprisingly, phishing remains a leading attack vector across businesses of all sizes and industries, as evidenced by a 442% increase in voice phishing between the first and second half of 2024.”
“Without regular education, employees are easy targets.”
“Most SMBs continue to rely heavily on outdated tools.”
“Just 7% of all SMBs say their cybersecurity budget is ‘definitely sufficient.’”
“Ransomware was identified as the greatest cybersecurity concern by 21% of mid-sized SMBs and 24% of larger SMBs but only by 14% of those with 50 employees or fewer. However, among businesses that experienced a cyber incident, ransomware hit the smallest organizations harder: 29% of those with fewer than 25 employees reported a ransomware attack, compared to 19% of businesses with 150-249 employees. These attacks often exploit the weaknesses common among smaller businesses: limited in-house expertise, inadequate security controls, and reactive IT strategies.”
“Today’s adversaries are targeting smaller businesses with enterprise-level tactics, moving faster, striking harder, and exploiting even minor gaps in visibility or response.”
The bottom line?
Plans and reactive strategies aren’t enough — protection requires proactive steps.
In addition to employee training, personal data removal offers SMBs a practical, affordable way to reduce their risk of phishing, vishing, and ransomware attacks — especially when resources are limited and visibility is low.
Read the full report here: https://www.crowdstrike.com/explore/crowdstrike-content/report-state-of-smb-cybersecurity-survey?