By Vicky Sidler | Published 21 June 2025 at 22:00 GMT

The latest 2025 cybersecurity report just dropped—and if you own a small business, it reads less like a warning and more like a countdown.

According to a new QualySec report, hackers are now targeting small businesses every 11 seconds. That’s faster than you can microwave a leftover muffin.

So no, “we’re too small to hack” isn’t the shield you think it is. In fact, that assumption is why you’re on the menu.

As a Duct Tape Marketing Strategist and StoryBrand Certified Guide, I see this often: smart people who know how to run a business—but not how to secure one. If that’s you, let’s fix it.

TL;DR: 

If you run a small business, hate to tell you, but you are the target:

• 43% of all cyberattacks now hit small businesses

• 60% go out of business within 6 months of a breach

• Only 20% regularly check for vulnerabilities

• 75% were attacked at least once in the last year

• The average breach now costs $120,000

Yes, it's bad. But with the right moves, it's manageable.

Why Are Small Businesses in the Crosshairs?

Because you’re easier to hack than a teenager’s group chat. Here’s how the average attacker sees your business:

• Your IT budget fits in a coffee mug.
  Most small businesses can’t afford full-time IT support, let alone a security team. That means patchy firewalls, no monitoring, and outdated antivirus software that expired when BlackBerry was still cool.

• You’re still using “admin123” as a password.
  Weak passwords, reused logins, and no two-factor authentication make it far too easy for attackers to walk in the digital front door and help themselves to the good china.

• Your team thinks phishing is a new diet.
  Without regular training, employees are your biggest risk. One click on a fake invoice, and suddenly Janet from accounts is emailing ransomware to the entire client list.

• You outsource IT to “that guy who fixed the printer once.”
  Third-party vendors often have access to your systems—but if you’re not vetting their security practices, you’re basically inviting hackers to come in through the side window.

• Hackers know you’ll pay.
  Large companies can afford to ride out a breach. You can’t. Cybercriminals know a quick ransom demand is more likely to get a payout from a business that can’t afford downtime.

Basically, you’re super vulnerable. And attackers know it. That’s why they’re skipping the corporate vaults and heading for the front door of your bakery, design studio, or logistics firm.

What Happens If You Get Hit?

This isn’t just about losing a few spreadsheets. A cyber attack can gut your business from the inside out. Let these numbers sink in:

• 💸 $120,000 – That’s the average cost of a breach. Not just cleanup costs, but lost revenue, legal fees, and damage control with customers.

• 🛑 60% of small businesses shut down within 6 months – Because recovery isn’t just technical. It’s emotional, financial, and reputational. Most never bounce back.

• 🔐 29% lose customers permanently – People don’t forgive easily when their data leaks. Trust takes years to build, seconds to break, and forever to fix.

• 📈 Cyber insurance premiums have spiked 40% since 2023 – And that’s if you even qualify after an attack.

• 😩 70% say recovering is harder than dealing with a natural disaster – Because unlike a fire or flood, the damage from a breach keeps unfolding—quietly, and painfully.

Bottom line: It’s not a blip. It’s a business-ending event dressed up as a technical issue.

The Real Threats Are Hiding in Plain Sight

Forget the hoodie-wearing hacker cliché. The biggest risks look like your inbox, your laptop, and your suppliers. Here's what small businesses are actually dealing with:

• Phishing emails:
  92% of malware infections begin with one employee clicking the wrong link. If your team can’t spot a scam, you’ve already lost the game.

• Stolen passwords:
  30% of small business data breaches come down to weak or reused credentials. Still using “admin123”? Change it yesterday.

• Unprotected laptops and phones:
  45% of small businesses have no endpoint protection at all. That’s like leaving your front door open and hoping no one notices.

• Fake vendor emails (BEC):
  33% of small business fraud comes from Business Email Compromise. You think it’s your supplier asking for a bank detail change—it’s not.

• AI-powered scams:
  Deepfake-based fraud is up 25%. Criminals are cloning voices and faces to trick your staff into transferring money or sharing logins.

None of this is theoretical. It’s what Tuesday looks like now.

What’s Actually Working for Businesses Who Stay Secure?

You don’t need to hire a team of ex-NSA agents or build a bunker in the cloud. The small businesses staying ahead of attacks are doing a few key things right:

✅ Multi-factor authentication (MFA):
Adds an extra layer beyond passwords—cutting phishing success by 90%. Even if a hacker gets your login, they still can’t get in.

✅ Firewall + antivirus software:
The basics still work. A good firewall plus modern antivirus reduces malware infections by 85%. That’s a big drop from just ticking the “remind me later” box on every update.

✅ Regular cybersecurity training:
Not once a year. Monthly. This cuts employee mistakes by 70%—like clicking on fake invoice emails from “Accounts Dept” (that was never a thing).

✅ Working with security professionals:
Whether it’s a managed service provider or a freelance expert, getting real-time help and monitoring cuts your risk in half. No more waiting until “something looks weird.”

And here’s the kicker:
Businesses that spend at least 10% of their IT budget on cybersecurity see 60% fewer incidents. Not perfect—but way better than hoping “it won’t happen to us.”

3 Things to Do This Week (Before Someone Else Logs Into Your Email)

As a Duct Tape Marketing Strategist and StoryBrand Certified Guide, I’ve worked with businesses who thought cybersecurity was “someone else’s problem”—until it wasn’t. Here are three things you can do this week that could save your business from a headline-worthy disaster:

1️⃣ Train your team like it matters:
Half your staff can’t spot a phishing email. Start monthly training and simulate scam emails to test awareness.

2️⃣ Back up your data—then test it:
Most businesses don’t know if their backup works until they need it. Don't be most businesses.

3️⃣ Get ruthless with your passwords:
Reused passwords are still a top reason breaches happen. Use a password manager. Turn on 2FA. Say goodbye to “Admin123”.

Get Clear. Get Secure. Get Back to Business.

Trust starts with clarity—and that means your messaging. If your website reads like Chat GPT wrote it, customers won’t trust you with their data.

That’s where the 5-Minute Marketing Fix comes in. It’s a free, zero-BS tool that helps you explain what you do (and why customers should care) in under five minutes.

Because if your offer isn’t clear, no firewall in the world will save your sales funnel.

👉 Download it here.

Nobody Thinks They’ll Get Hacked. Until They Do.

Cyberattacks aren’t dramatic Hollywood scenes anymore. They’re quick, boring, and often undetected—until the invoice for $35,000 in ransomware shows up.

So if you’ve been putting this off, let this be your wake-up call.

And if you’re still using the same password for your laptop and Netflix account… change it before you finish this sentence.