Cybersecurity coverage tends to swing between two useless extremes: breathless panic and comfortable denial. Neither helps a business owner make a budget decision. So here is the middle path — the numbers themselves, from sources that don't sell fear for a living, with a plain-English read on what each one means for a company your size. No hype. Just the current data and what it should change about how you spend and staff.
Who attackers actually target
- In the most recent Verizon data, 88% of breaches at small and mid-sized businesses involved ransomware — versus 39% at large enterprises (source).
- Roughly 29% of SMB breaches involved exploited vulnerabilities in edge infrastructure like firewalls and VPNs, per the 2026 DBIR (source).
What it means: The old comfort — "we're too small to be worth their time" — is the most expensive assumption in small business. Attackers aren't hand-picking Fortune 500 logos; they're running automated sweeps for exposed, unpatched systems, and smaller companies light up those scans because they patch slower and watch less. You are not below the radar. You are the radar's easiest hit.
How they get in
- For the first time in 19 years, vulnerability exploitation (31% of breaches) surpassed stolen credentials as the top way in (source).
- Credential abuse still showed up in about 39% of breaches, and the human element was involved in 62% of them (source).
- Third-party involvement now factors into 48% of breaches — nearly double the prior year (source).
What it means: There is no single door to lock. Attackers get in through an unpatched appliance, a reused password, a convincing email, or a vendor you trusted — often more than one in the same intrusion. That's why a lone tool never closes the gap. Defense has to cover patching, identity, the human layer, and your supply chain at the same time, or it just moves the weak point somewhere else.
What it costs
- The FBI's Internet Crime Complaint Center logged $16.6 billion in reported losses in 2024, up 33% year over year (source).
- Business email compromise alone accounted for about $2.8 billion of that (source).
- For organizations under 500 employees, the average breach cost was $3.31 million (source).
What it means: A $3.31 million average is not a number most 40-person companies survive. And the biggest dollar loss category — business email compromise — needs no malware at all. It's a wire transfer sent to the wrong account because an email looked right. The math is uncomfortable but clarifying: the cost of prevention is a rounding error against the cost of one bad Tuesday.
Ransomware reality
- Ransomware is now involved in nearly half of all breaches (source).
- The median ransom demand fell to $115,000, and 64% of victims now refuse to pay (source).
What it means: The good news is that more companies are refusing to pay — because they can. The ones that recover without paying are the ones with tested, isolated backups they can actually restore from. Refusing to pay isn't courage; it's preparation. If your backups are on the same network the ransomware just encrypted, you don't have a choice — you have a bill.
The AI accelerant
- Shadow AI — employees using unsanctioned AI tools — factored into 20% of breaches and added roughly $670,000 to average costs (source).
- 97% of AI-related breaches hit organizations without proper AI access controls (source).
- A majority of phishing emails now contain AI-generated content, making lures cleaner, faster, and harder to spot (source).
What it means: AI cuts both ways, and right now it's helping attackers more than most small businesses. The typo-riddled phishing email you trained staff to laugh at is gone — the new ones are grammatically perfect and personalized. Meanwhile your own team is quietly pasting client data into free AI tools. Both problems are governable, but only if someone is actually looking.
Why in-house defense falls short
- 43% of small businesses have no dedicated cybersecurity staff at all (source).
- Businesses without dedicated security support are reported to be roughly three times more likely to suffer a successful breach (source).
- Even among organizations that do staff security, 33% say they lack the resources to staff their teams adequately (source).
What it means: Attacks arrive at 2 a.m. on a holiday weekend, and they move in minutes. That's a genuinely hard problem for one overloaded IT generalist — or no one — to cover. This isn't a knock on your team; it's a math problem. Around-the-clock coverage, threat detection, and incident response are full-time disciplines, and almost no SMB can hire enough of them in-house to matter.
What the numbers add up to
Read together, the data tells one story: the threats got broader and faster, the entry points multiplied, and the price of a single incident climbed past what most small businesses can absorb — all while nearly half of them have no one dedicated to defense. The gap between what attackers can do and what the average SMB can defend against has never been wider.
That gap is exactly what a managed security partner exists to close. Torchsec runs the pieces no small business can staff alone: a 24/7 SOC with managed detection and response watching around the clock, Torchsec SIEM correlating the signals, EDR and application allowlisting on every endpoint, DNS filtering and email security to blunt phishing and business email compromise before they land, managed backup and BCDR so ransomware becomes a bad day instead of a closed business, and security awareness training plus vCISO and compliance guidance to shore up the human and governance layers. We don't just hand you a report on the numbers — we implement the fixes that change them.
Want an honest read on where your business actually stands against these numbers? Get in touch with Torchsec — we'll show you the gaps and close them.
Ready to talk?
If any of this sounds familiar, we'd be happy to walk your team through it. Book a no-obligation consultation or request a free risk assessment.


