In early 2024, a finance worker at the engineering firm Arup joined a video call with what looked like his CFO and several colleagues. Every face on the screen was real to him. Every one of them was an AI-generated deepfake. By the end of the call he'd transferred roughly $25 million to the attackers.
If a global firm with serious resources can be fooled that convincingly, here's an uncomfortable question: how would your business hold up?
For years, everyone assumed attackers only cared about the big fish. That's no longer true. Small and mid-sized businesses aren't getting caught in the crossfire - they're the intended target.
Small business security posture by the numbers
Here's where things actually stand for companies your size:
- 88% of SMB breaches now involve ransomware, compared with 39% at large organizations (Verizon DBIR 2025). Attackers know smaller teams are less likely to recover quickly - which makes them more likely to pay.
- 81% of small businesses suffered a breach in the past year (ITRC 2025). At this point it's closer to a routine cost of doing business than a rare event.
- The average recovery runs about $638K for companies with 100–250 employees (Sophos 2025) - often far more than was ever "saved" by skipping security spending in the first place.
- 30% of breaches now involve a third party, double the year before (Verizon DBIR 2025). Your vendors' weak points are quietly becoming your weak points.
And the kicker: 47% of businesses with fewer than 50 employees have no cybersecurity budget at all (StrongDM). The target on your back has never been bigger, and yet nearly half of small firms are walking around with no budget for defense whatsoever.
You don't need an enterprise budget. You need three things done well.
The good news is that posture isn't about buying the most expensive tools. The businesses that weather attacks tend to get three fundamentals right - and you can too, regardless of size.
1. Visibility into your environment
You can't protect what you can't see. That means knowing which devices connect to your network, which apps hold your data, and what "normal" actually looks like - so that "abnormal" stands out instead of slipping by. Most breaches aren't sophisticated. They simply happen in places nobody was watching. That's exactly why many SMBs partner with a managed security provider for 24/7 monitoring and threat detection.
2. Access control everywhere
Multi-factor authentication on every account that matters. Permissions scoped to what people actually need, not everything they might one day touch.
When a stolen password is the spark behind most incidents, tight access control is the single cheapest, highest-impact move you can make.
3. A response plan you've actually practiced
The question isn't whether something gets through - it's how fast you contain it. A plan that lives in someone's head doesn't count.
Who gets called? What gets isolated first? How do you keep operating while you clean up? A breach is a terrible time to be improvising the answers. Running a tabletop exercise with a security partner is the best way to build muscle memory before something happens.
The bottom line
The threat landscape has shifted, and small businesses are now squarely in the center of it. But strong posture has never been about outspending the attackers. It's about getting the fundamentals right before you need them - visibility, access control, and a response plan that works under pressure.
Done well, those three turn you from the easy target into the one that's simply not worth the effort.
Want to see where you actually stand? Book a 15-minute security check - no sales pitch, no strings. Just a straight look at your risk profile and the one thing worth fixing first.