Michael Avdeev · Insights · 5 min read

SMBs Are 63% of All Data Breaches. Most Think They’re Too Small to Target.

There’s a conversation that happens in almost every small business:

“We’re not big enough to be a target. Hackers go after the big companies — the ones with millions of customers and deep pockets. We’re just a 50-person company. Who’s going to bother with us?”

The data says: everyone.

The Numbers Don’t Lie

Since January 2025, small and medium-sized businesses have accounted for 63% of all data breaches. That’s not a rounding error. That’s the majority.

Those breaches have exposed 352 million records. Customer data. Employee information. Financial records. Healthcare files. All from companies that thought they weren’t worth attacking.

Meanwhile, the big enterprise breaches make headlines. Target. Equifax. MGM. Those are the ones everyone remembers. But for every Fortune 500 breach that hits the news, there are dozens of SMB breaches that never make it into public view, because notification requirements vary by state and by data type, or simply because nobody is paying attention.

Why Attackers Love Small Businesses

Enterprise companies have security teams. They have budgets. They have EDR and SIEM and SOC analysts watching dashboards 24/7.

Small businesses have Dave from IT who also manages the phone system.

Attackers know this. They’re not looking for the hardest target with the biggest payout. They’re looking for the easiest target with any payout.

A 50-person company still has:

  • Customer credit card numbers
  • Employee Social Security Numbers
  • Bank account information
  • Healthcare records (if you’re a clinic, dental office, or pharmacy)
  • Vendor credentials and API keys
  • Enough data to sell, ransom, or exploit

And they usually have:

  • Outdated software
  • Weak or reused passwords
  • No dedicated security staff
  • Limited visibility into where sensitive data lives
  • Insurance that makes paying ransoms easier than fighting

That’s not a small target. That’s an easy target.

The “We’re Not a Target” Mindset Is the Target

The most dangerous thing about SMB security isn’t the lack of budget. It’s the assumption that security doesn’t apply to you.

That assumption leads to:

  • Sensitive data scattered across unmanaged file shares
  • Credentials stored in spreadsheets and sticky notes
  • No inventory of what customer data you actually have
  • No idea which employee laptops contain PII
  • Backups that haven’t been tested (or don’t exist)

When attackers scan the internet for vulnerable systems, they’re not checking company size first. They’re checking for exposed RDP (TCP 3389), unpatched VPN appliances, and weak or reused credentials. Small businesses have all three, and often more of them than large ones.

What a Breach Actually Costs an SMB

Enterprise companies absorb breaches. They pay the fines, hire the PR firm, and move on. Their stock dips for a quarter and recovers.

For an SMB, a breach can be existential.

Direct costs:

  • Incident response and forensics: $50,000 - $200,000
  • Legal fees and regulatory fines: varies wildly, often $100,000+
  • Customer notification and credit monitoring: $10-30 per record
  • Ransomware payment (if you pay): median is now $250,000

Indirect costs:

  • Lost customers who don’t trust you anymore
  • Vendor relationships that get re-evaluated
  • Contracts you lose because you can’t pass security reviews
  • Employee time spent on recovery instead of revenue

60% of small businesses that suffer a major cyber attack go out of business within six months. That stat gets repeated so often it sounds like a cliché. It’s not. It’s what happens when a company with thin margins eats a six-figure unplanned expense and loses customer trust simultaneously.

The Visibility Problem

Here’s what makes SMB breaches worse: most small businesses don’t know what data they have or where it lives.

Ask a 100-person company:

  • Where is all your customer PII stored?
  • Which file shares contain Social Security Numbers?
  • Are there any credentials saved in documents on your network?
  • What sensitive data is on employee laptops?

Most can’t answer. They’ve never inventoried it. They assume it’s “in the database” or “in the CRM” — but data spreads. Exports get saved. Backups get copied. Reports get emailed.

You can’t protect data you don’t know you have. And you can’t assess your risk if you don’t know what’s exposed.

What SMBs Should Actually Do

1. Accept that you are a target. The first step is dropping the “not us” mentality. You have data worth stealing. Act like it.

2. Know where your sensitive data lives. Run a data discovery scan. Find out where PII, credentials, and confidential files actually exist — not where you assume they are.

3. Fix the basics first. MFA everywhere. Patched systems. Tested backups. Unique passwords. “Tested” means you have actually restored from the backup, and at least one copy is offline or immutable so that ransomware cannot encrypt it along with everything else. These aren’t advanced security measures; they’re table stakes that most SMBs still haven’t fully implemented.

4. Get visibility before you get breached. The companies that recover fastest from breaches are the ones that knew what they had. They could scope the incident, notify the right customers, and contain the damage. The ones that didn’t know? They’re still figuring it out months later.

5. If you’re using an MSP, ask them about data risk assessments. A good MSP should be able to tell you where your sensitive data lives, what’s exposed, and what to fix first. If they can’t, find one who can.
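Step 2 above is the one most SMBs have never actually done, so here is a minimal version of that data discovery scan as an added example. This is illustrative code written for this page, not Risk Finder’s scanner or anything from the author; the file suffixes, size cap, regular expressions and the sample “share” it scans are all assumptions and the sample data is constructed. It walks a directory tree, reads plain-text files, and flags the three things the post keeps coming back to: SSN-shaped values, card numbers that pass the Luhn check, and credential assignments such as `password=` or `api_key=` sitting in a text file.

```python
"""Constructed data-discovery scan: walk a directory tree and flag files that
contain SSN-shaped values, Luhn-valid card numbers, or credential assignments.
Added example; the paths, sample files and thresholds are assumptions."""
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Only plain-text formats are read here. Spreadsheets, Office documents and
# PDFs need a text-extraction step first (out of scope for this example).
TEXT_SUFFIXES = {".csv", ".txt", ".log", ".json", ".xml", ".ini", ".env",
                 ".cfg", ".conf", ".yml", ".yaml", ".md", ".sql"}
MAX_BYTES = 5_000_000  # skip very large files; assumption, tune for your share

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or dashes; Luhn-checked below.
# Known limitation: two space-separated numbers can be read as one candidate.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# key=value or key: value where the key looks like a secret and the value is
# at least six non-space characters (filters out empty/placeholder values).
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\b\s*[:=]\s*\S{6,}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count sensitive-data hits in one document; an empty dict means clean."""
    hits = {"ssn": len(SSN_RE.findall(text)), "card": 0,
            "credential": len(CRED_RE.findall(text))}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["card"] += 1
    return {k: v for k, v in hits.items() if v}


def scan_tree(root: Path) -> List[Tuple[str, Dict[str, int]]]:
    """Walk root and return (relative path, hits) for every file with hits."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            if path.stat().st_size > MAX_BYTES:
                continue
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it, do not abort the whole scan
        hits = scan_text(text)
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample share: every value below is made up, not real data.
SAMPLE_FILES = {
    "hr/payroll_export_2024.csv":
        "name,ssn,salary\nAlice Doe,123-45-6789,82000\n"
        "Bob Roe,234-56-7890,76000\nTEMPLATE,000-00-0000,0\n",
    "finance/refunds.csv":
        "order,card,amount\n1001,4111 1111 1111 1111,19.99\n"
        "1002,4111-1111-1111-1112,5.00\n",  # second number fails Luhn
    "it/vendor_logins.txt":
        "portal=https://vendor.example\nusername=admin\n"
        "password=Summer2024!\napi_key=sk_constructed_example_key\n",
    "marketing/newsletter.md": "# Q3 newsletter\nNo sensitive content here.\n",
}


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed sample share under root."""
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> List[Tuple[str, Dict[str, int]]]:
    """Scan the constructed sample share in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python discover.py /mnt/fileshare   (or no argument for the demo)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for rel, hits in (scan_tree(target) if target else demo()):
        print(f"{rel}: {hits}")
```

On the constructed share this reports two SSNs in the payroll export (the 000-00-0000 template row is correctly ignored), one valid card number in the refunds file (the second fails the Luhn check) and two credentials in the vendor logins file, while the newsletter is clean. The patterns are deliberately simple heuristics: expect false positives on real data, add extraction for Office files and PDFs before trusting the results, and treat the output as a starting inventory to verify, not a finished one.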


63% of breaches. 352 million records. All from companies that thought they were too small to matter.

Risk Finder helps SMBs and the MSPs that serve them understand where sensitive data lives — so you can protect it before it becomes a headline.

