Threat Severity & Frequency Matrix
Threats ranked by SMB impact. Severity = potential damage if the attack succeeds. The frequency column carries the best available scale indicator for each pattern (share of breaches, reported losses, or trend), because SMB-specific rates are not published for every pattern; the deep dives below give the source for each figure.
| # | Threat Pattern | Severity | SMB Frequency / Scale Indicator | Primary Entry Point |
|---|---|---|---|---|
| 1 | Ransomware | Critical | 88% of SMB breaches | Credential theft, unpatched VPNs, phishing |
| 2 | Business Email Compromise (BEC) | Critical | $3B in 2025 losses | Compromised email accounts, social engineering |
| 3 | Credential Theft & Account Takeover | Critical | 22% of all breach vectors | Password reuse, phishing, infostealer malware |
| 4 | Vulnerability Exploitation (Edge Devices) | Critical | 34% YoY increase | Unpatched VPNs, firewalls, remote access tools |
| 5 | Phishing & Social Engineering | High | 16% of initial vectors | Email, SMS, voice (vishing) |
| 6 | Third-Party / Supply Chain Attack | High | Doubled to 30% of breaches | Compromised SaaS vendors, MSP attacks |
| 7 | AI-Enhanced Phishing / Deepfake BEC | High | $893M in 2025 AI scam losses | AI-generated voice, video, email impersonation |
| 8 | Web Application Attacks | High | Top breach vector category | Credential stuffing, SQL injection, exposed APIs |
| 9 | Insider Threat | High | $4.92M avg breach cost | Disgruntled employees, accidental data exposure |
| 10 | Cloud Misconfiguration | Medium | 43% of cloud secrets = API keys | Exposed storage buckets, leaked API keys |
| 11 | DDoS / Availability Attacks | Medium | Growing frequency vs. SMBs | Botnet traffic floods, UDP/TCP amplification |
| 12 | Physical & Device Theft | Medium | Declining but persistent | Unencrypted laptops, stolen mobile devices |
Attack Pattern Deep Dives
Each pattern includes: what it is, SMB prevalence data, typical cost, blocking controls, and a board-ready summary.
Threat #1: Ransomware · Critical · 88% of SMB breaches
Attackers encrypt your files and systems, usually after stealing a copy of the data to add an extortion threat, then demand payment to restore access. For SMBs this typically means days of downtime, data loss, and a hard choice: pay, or rebuild from backups that may themselves have been hit.
SMB Prevalence
Ransomware is present in 88% of SMB data breaches, compared to 39% for large enterprises. SMBs are not secondary targets — they are the primary target.
Verizon 2025 DBIR · analyzed 12,195 confirmed breaches across 139 countries
Average Cost When It Succeeds
Median ransom payment: $115,000. Total breach cost for SMBs (under 500 employees): avg $3.31M including downtime, recovery, and lost business. 64% of organizations now refuse to pay.
Blocking Controls
NIST CSF: RC.RP-1
NIST CSF: PR.DS-1
NIST CSF: PR.AC-1
CIS Control 11: Data Recovery
CIS Control 6: Access Control
Immutable or offline backups following the 3-2-1 rule, with restores tested regularly (a backup share reachable with domain credentials gets encrypted alongside production) · MFA on all accounts, including VPN and remote access · Patch edge devices within 7 days of CISA KEV listing · Network segmentation to contain spread
Active Exploit Targets (CISA KEV)
CISA KEV grew 20% in 2025 to 1,484 entries, with 24 vulnerabilities specifically exploited by ransomware groups. VPNs and edge devices saw an 8-fold increase in targeting.
Threat #2: Business Email Compromise (BEC) · Critical · $3B in 2025 losses
An attacker gains access to a business email account (or impersonates one) and tricks employees into wiring money or sharing sensitive data. Often zero malware involved — just convincing emails.
SMB Prevalence & Losses
BEC caused $3 billion in reported losses in 2025, the second-largest cybercrime category in the FBI's annual report, across 24,700 complaints. The median loss per incident is approximately $50,000 (the IC3 figure the DBIR cites); the mean is far higher, roughly $121,000, because a handful of very large transfers dominate the total.
Attack Mechanics
Wire transfer fraud accounts for 88% of BEC proceeds. Attackers spend weeks building familiarity before requesting transfers. AI is now generating highly convincing impersonation emails and voice calls at scale.
Blocking Controls
NIST CSF: PR.AT-1
NIST CSF: PR.AC-3
CIS Control 9: Email and Web Browser Protections
CIS Control 14: Security Awareness and Skills Training
DMARC at p=reject with aligned SPF and DKIM on every domain you own, including parked ones (this blocks exact-domain spoofing; it does nothing against mail sent from a compromised real mailbox or a lookalike domain) · MFA on email accounts · Out-of-band payment verification (phone call to a known number, never one supplied in the email) · Wire transfer approval policy with dual authorization
AI Amplification Factor
FBI IC3 received 22,000+ AI-related complaints in 2025 with $893M in losses. AI-generated voice cloning and deepfake video of executives are now deployed in high-value BEC attacks targeting finance teams.
Threat #3: Credential Theft & Account Takeover · Critical · #1 initial attack vector
Attackers obtain valid usernames and passwords — via phishing, data breaches, or infostealer malware — and log in as legitimate users. No hacking required. They have the keys.
Prevalence
Credential abuse is the leading initial access vector at 22% of breaches. 54% of ransomware victims had their domains appear in credential dumps, and 46% of the systems with compromised corporate logins were unmanaged personal (BYOD) devices.
Average Cost When It Succeeds
IBM's 2025 global average breach cost is $4.44M across all breach types (general population; SMB-specific data unavailable). Median time to remediate credentials leaked in public code repositories: 94 days.
Blocking Controls
NIST CSF: PR.AC-1
NIST CSF: PR.AC-6
CIS Control 5: Account Management
CIS Control 6: Access Control
MFA on all accounts (authenticator app or hardware key, not SMS) · Password manager enforced company-wide · Phishing-resistant authentication (passkeys/FIDO2) wherever the service supports it · Monitoring of credential dumps for company domains, with forced resets when a hit appears
SMB-Specific Risk
SMBs rarely have dedicated identity teams. Password reuse across personal and corporate accounts is common. Attackers buy credential dumps for pennies per record and systematically try them against business accounts.
General population data; SMB-specific rate unavailable
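Screening passwords against known breach data is the technical half of the credential-dump problem described above. The script below is an added example, not code from the Atlas or from any vendor: it implements the k-anonymity range protocol used by haveibeenpwned.com's Pwned Passwords service, in which the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally, so the full hash never leaves the machine. The breach corpus and the `fake_range_server` stand-in are constructed so the example runs offline; the 14-character floor in `enforce_password` is an illustrative policy value.

```python
"""Check passwords against a breach corpus with the k-anonymity range protocol.

Added example, not code from the Atlas. The corpus below is constructed and
`fake_range_server` stands in for the remote range endpoint; only the 5-char
hash prefix crosses the trust boundary.
"""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "leaked credential dump": password -> times seen in breaches.
BREACH_CORPUS = {"Password123": 1_000_000, "Summer2025!": 4_200, "letmein": 250_000}
_CORPUS_BY_HASH = {sha1_hex(p): n for p, n in BREACH_CORPUS.items()}


def fake_range_server(prefix5: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for that prefix."""
    lines = [f"{h[5:]}:{n}" for h, n in _CORPUS_BY_HASH.items() if h.startswith(prefix5)]
    return "\n".join(lines)


def times_pwned(password: str, range_lookup=fake_range_server) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    Only the 5-character prefix is sent; the 35-character suffix is compared locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def enforce_password(password: str, min_len: int = 14) -> list[str]:
    """Policy check: a length floor plus rejection of any password seen in breach data."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n = times_pwned(password)
    if n:
        problems.append(f"seen {n:,} times in breach data; reuse makes it a stuffing target")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2025!", "correct horse battery staple"):
        print(pw, "->", enforce_password(pw) or ["accepted"])
```

Against the real service, `range_lookup` would perform the HTTPS GET for the prefix; everything else stays the same. NIST SP 800-63B recommends exactly this kind of screening against known-compromised passwords, and pairing it with a password manager removes the reuse that makes purchased dumps valuable.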
Threat #4: Vulnerability Exploitation (Edge Devices & VPNs) · Critical · 34% YoY increase
Attackers exploit unpatched software flaws in internet-facing systems — especially VPNs, firewalls, and remote access tools — to gain initial access without any user interaction required.
Prevalence
Vulnerability exploitation as an initial access vector jumped 34% year-over-year, now present in 20% of breaches. Edge device and VPN targeting increased 8-fold in 2025 (from 3% to 22% of exploitation incidents).
CISA KEV Context
CISA's KEV catalog lists 1,484 confirmed exploited vulnerabilities, growing 20% in 2025. Median time for organizations to remediate known vulnerabilities: 32 days — too slow for the current threat tempo.
Blocking Controls
NIST CSF: PR.IP-12
NIST CSF: DE.CM-8
CIS Control 7: Continuous Vuln Management
CIS Control 12: Network Infrastructure
Subscribe to CISA KEV alerts · Patch KEV-listed items within 7 days (not 30) · Replace end-of-life VPNs · Disable unused remote access services
High-Risk Vendors (2025)
Microsoft had the most KEV additions in 2025 (39 CVEs). CitrixBleed 2 (CVE-2025-5777) and Oracle E-Business Suite flaws were the most broadly exploited by ransomware groups.
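Threats #1 and #4 both end in the same control: patch KEV-listed items within 7 days of listing, ransomware-linked ones first. The script below is an added example, not code from the Atlas or from CISA. It reads a KEV-shaped JSON document (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` follow the published feed), filters it against an asset inventory and reports which entries are past the 7-day SLA. The feed content and inventory are constructed sample data; the CVE identifiers use the year 2099 so they cannot be mistaken for real vulnerabilities.

```python
"""Triage a CISA KEV feed against an asset inventory and a 7-day patch SLA.

Added example, not code from the Atlas or from CISA. Field names follow the
KEV JSON feed; the entries and inventory below are constructed, not real CVEs.
"""
import json
from datetime import date, timedelta

# Constructed stand-in for the KEV JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleNet", "product": "EdgeVPN",
         "dateAdded": "2025-11-20", "dueDate": "2025-12-11",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleNet", "product": "EdgeVPN",
         "dateAdded": "2025-11-28", "dueDate": "2025-12-19",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherCo", "product": "Mailer",
         "dateAdded": "2025-11-25", "dueDate": "2025-12-16",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed inventory: (vendor, product) pairs this business actually runs.
INVENTORY = {("ExampleNet", "EdgeVPN"), ("ExampleNet", "Firewall")}

# The Atlas' 7-day target, deliberately shorter than CISA's dueDate (typically
# three weeks, and binding only on federal agencies).
SLA_DAYS = 7


def triage(kev_json: str, inventory: set, today, sla_days: int = SLA_DAYS) -> list[dict]:
    """Return KEV entries that affect inventoried products, with SLA status.

    `today` may be a date or an ISO string. Ransomware-linked entries sort first,
    then oldest listing first, so the list is already in work order.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue
        added = date.fromisoformat(v["dateAdded"])
        deadline = added + timedelta(days=sla_days)
        findings.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "added": added,
            "patch_by": deadline,
            "days_over": max(0, (today - deadline).days),
            "status": "overdue" if today > deadline else "due",
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    findings.sort(key=lambda f: (not f["ransomware"], f["added"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, INVENTORY, today="2025-12-01"):
        flag = " [RANSOMWARE]" if f["ransomware"] else ""
        print(f'{f["cve"]} {f["product"]}: {f["status"]} '
              f'(patch by {f["patch_by"]}, {f["days_over"]} days over){flag}')
```

To run it for real, replace `SAMPLE_KEV_JSON` with the JSON feed linked from the KEV catalog page and `INVENTORY` with your own asset list. Matching on vendor and product is coarse; an inventory that records versions (or CPEs) lets you drop entries already fixed, but the coarse match errs on the side of showing you the edge devices the DBIR says attackers now go after first.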
Threat #5: Phishing & Social Engineering · High · 60% of breaches involve the human element
Attackers manipulate employees into clicking malicious links, opening infected attachments, or revealing credentials through convincing fake emails, texts, or calls. Often the first step in a larger attack chain.
Prevalence
Human involvement drives 60% of all breaches (social engineering, credential abuse, error). Phishing is the most frequent initial attack vector at 16% of breaches. AI-generated phishing emails doubled over two years — detection via grammar/style is now unreliable.
Average Cost
Phishing-initiated breaches average $4.8M in total breach cost (general population — SMB-specific breakdown unavailable from public sources). Phishing is the #1 entry point for ransomware and BEC attack chains.
IBM Cost of a Data Breach 2025 · General population, not SMB-specific
Blocking Controls
NIST CSF: PR.AT-1
CIS Control 9: Email and Web Browser Protections
CIS Control 14: Security Awareness and Skills Training
Deploy DMARC at p=reject with aligned SPF and DKIM · Block newly registered and lookalike domains at the DNS layer · Run quarterly phishing simulations · MFA as the last line of defense when a click happens, noting that SMS and app-code MFA can be relayed by a phishing proxy in real time, so prefer phishing-resistant methods (passkeys/FIDO2) where the account allows it
AI Escalation
15% of employees accessed generative AI on corporate devices with personal accounts, creating data exfiltration risk. AI-crafted spear-phishing now personalizes messages using scraped LinkedIn, company websites, and social media data.
Threat #6: Third-Party & Supply Chain Attacks · High · Doubled to 30% of all breaches
Attackers compromise a vendor, SaaS provider, or software supplier your business depends on — and use that access to reach you. The target isn't the vendor; you are.
Prevalence
Third-party involvement in breaches doubled to 30% in 2025 (from 15% in 2024). Industries relying heavily on vendors — healthcare and finance — saw 40% of their breaches tied to third-party failures.
Average Cost
Third-party/supply chain breaches average $4.91M in total cost — the second-most-expensive breach type after malicious insider attacks. Median time to remediate leaked third-party credentials: 94 days.
IBM Cost of a Data Breach 2025 · General population, not SMB-specific
Blocking Controls
NIST CSF: ID.SC-1
NIST CSF: ID.SC-4
CIS Control 15: Service Provider Management
Annual vendor security questionnaires · Minimum data access (least privilege) for all integrations · Monitor vendor breach disclosures · Contractual security requirements with critical vendors
SaaS-Specific Risk
43% of cloud-related leaked secrets were API keys. Over-permissioned OAuth tokens and dormant API keys in SaaS integrations are the primary attack surface. Most SMBs have 30–50 SaaS tools with vendor data access.
Threat #7: AI-Enhanced Phishing & Deepfake BEC · High · $893M in AI scam losses (2025)
Criminals use AI to generate hyper-personalized phishing emails, clone executive voices for fake phone calls, and create deepfake videos to authorize fraudulent wire transfers. Detection-by-grammar is dead.
Scale in 2025
FBI IC3 received 22,000+ AI-related complaints with losses exceeding $893M. AI-generated phishing emails doubled over 2 years. Investment scams with confirmed AI involvement: $632M in losses alone.
Attack Mechanics
AI tools scrape LinkedIn, company websites, and news to craft spear-phishing emails that reference real projects, real colleagues, and recent events. Voice cloning requires as little as 3 seconds of audio. Deepfake video calls have authorized $25M+ single transactions.
Blocking Controls
NIST CSF: PR.AT-1
CIS Control 14: Security Awareness and Skills Training
Policy: Out-of-band verification
Pre-agreed code words for sensitive requests · Out-of-band verification for any payment over threshold · AI-awareness training for finance and executive staff · DMARC enforcement
SMB Vulnerability
SMBs have fewer layers of payment authorization and smaller finance teams — a single convinced employee can authorize a fraudulent transfer. AI now makes impersonation convincing enough to fool experienced staff without technical red flags.
Trend synthesis from FBI IC3 2025 and Verizon 2025 DBIR
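The SPF and DMARC items in the control lists for Threats #2, #5 and #7 come down to one check on two DNS TXT records. The script below is an added example, not code from the Atlas: it grades already-fetched SPF and DMARC records (what `dig TXT example.com` and `dig TXT _dmarc.example.com` return), flagging `p=none`, partial `pct`, a missing `rua` reporting address, a permissive `all` qualifier and more than ten DNS-lookup mechanisms, and it shows a weak posture beside the corrected one. The domain names and records are constructed.

```python
"""Grade SPF and DMARC TXT records for spoofing protection.

Added example, not code from the Atlas. It works on record strings you have
already fetched, so it runs offline; the records below are constructed for
fictional domains.
"""
import re


def parse_tags(record: str) -> dict:
    """Split DMARC 'k=v; k=v' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_dmarc(record: str) -> list[str]:
    """Return weaknesses; an empty list means enforcing and monitored."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["no valid DMARC record: spoofed mail from this domain is not rejected"]
    issues = []
    policy = t.get("p", "none")
    if policy == "none":
        issues.append("p=none only monitors; receivers still deliver spoofed mail")
    elif policy == "quarantine":
        issues.append("p=quarantine lands spoofed mail in Junk; p=reject is the goal")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in t:
        issues.append("no rua= address: nobody receives aggregate reports")
    if t.get("sp", policy) == "none":  # subdomains inherit p unless sp overrides it
        issues.append("subdomain policy is none: subdomains can be spoofed")
    return issues


def grade_spf(record: str) -> list[str]:
    issues = []
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all\b", record)
    qualifier = (m.group(1) or "+") if m else "+"  # a bare 'all' means +all
    if qualifier in ("+", "?"):
        issues.append(f"'{qualifier}all' permits any server to send as this domain")
    lookups = len(re.findall(r"\b(include:|a:|mx\b|ptr|exists:|redirect=)", record))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms; RFC 7208 caps at 10 (permerror)")
    return issues


def assess(records: dict) -> list[str]:
    """Combine SPF and DMARC findings for one domain."""
    return grade_spf(records["spf"]) + grade_dmarc(records["dmarc"])


# Constructed records: a weak posture and the corrected one.
WEAK = {"spf": "v=spf1 include:mail.example-provider.test ?all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
CORRECTED = {"spf": "v=spf1 include:mail.example-provider.test -all",
             "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@smb.test"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, "->", assess(recs) or ["OK: enforcing and monitored"])
```

The check grades exact-domain spoofing protection only. A DMARC reject policy does nothing when the fraudulent email comes from a compromised real mailbox or a lookalike domain, which is why the out-of-band payment verification in the control lists above stays the primary BEC control even once DMARC is at p=reject.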
Threat #8: Web Application & API Attacks · High · Top breach vector category
Attackers target your public-facing website, customer portal, or API endpoints using stolen credentials, SQL injection, or API key exposure. Your web app is often the most accessible attack surface.
Prevalence
Web application attacks are among the most frequently observed breach categories in Verizon's 2025 DBIR. Credential stuffing, brute force, and vulnerability exploitation on web apps drive broad data compromise. Unpatched systems see a 50% higher breach rate in some sectors.
API Key Exposure
43% of cloud-related leaked secrets are API keys. Exposed API keys in public GitHub repos, SaaS integrations, and misconfigured cloud storage give attackers immediate access to customer data, payment systems, and backend infrastructure.
Blocking Controls
NIST CSF: PR.IP-1
NIST CSF: DE.CM-8
CIS Control 16: Application Software Security
CIS Control 7: Continuous Vuln Management
Web Application Firewall (WAF) · API key rotation and monitoring · Scan public repos for exposed secrets · Input validation on all web forms · Regular application penetration testing
Remediation Window
Median time to remediate known web vulnerabilities: 32 days (Verizon 2025). Organizations that take longer than 200 days to identify and contain a breach pay $5.01M vs $3.87M for faster responders.
Threat #9: Insider Threat · High · $4.92M avg breach cost
Current or former employees, contractors, or partners misuse their access — intentionally (data theft, sabotage) or accidentally (sending sensitive data to wrong recipient, misconfiguring systems). Both cause real damage.
Prevalence & Cost
Malicious insider attacks produced the highest average breach cost of all initial vectors: $4.92M. Human error (non-malicious) drives 26% of all data breaches. For the second consecutive year, insider threats are the most expensive attack type by initial vector.
SMB Context
SMBs are especially vulnerable to insider threats because they typically operate with minimal access controls, share credentials among staff, and lack employee activity monitoring. Departing employees with retained access are a common post-incident discovery.
Risk pattern from IBM Cost of a Data Breach 2025 applied to SMB context; specific SMB insider threat rate unavailable from public sources
Blocking Controls
NIST CSF: PR.AC-4
NIST CSF: PR.DS-5
CIS Control 5: Account Management
CIS Control 3: Data Protection
Role-based access control (least privilege) · Immediate deprovisioning checklist on employee departure · Data Loss Prevention (DLP) monitoring · Activity logging on sensitive systems
Accidental vs. Malicious
Human error causes 26% of all breaches — misconfigured settings, accidental email to wrong recipient, or moving sensitive data to personal cloud storage. Training reduces but doesn't eliminate this risk; technical controls (DLP, access restrictions) provide a floor.
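The "departing employees with retained access" finding above is easy to turn into a recurring check. The script below is an added example, not code from the Atlas or from any identity vendor: it joins a constructed HR termination list with a constructed identity-provider user export (a generic email / enabled / last-sign-in CSV, not any specific product's schema) and reports accounts still enabled after the last day, sign-ins after the last day, and enabled accounts nobody has used in 90 days. The 90-day idle threshold is an illustrative value.

```python
"""Find accounts that should have been deprovisioned, plus idle enabled accounts.

Added example, not code from the Atlas. Both CSV exports below are constructed;
column names are generic and would be mapped to your HR system and IdP export.
"""
import csv
import io
from datetime import date

# Constructed HR export: who left and when.
HR_TERMINATIONS_CSV = """email,last_day
alice@smb.test,2025-10-31
bob@smb.test,2025-11-15
"""

# Constructed IdP export: every account, enabled flag, last interactive sign-in.
IDP_USERS_CSV = """email,enabled,last_sign_in
alice@smb.test,true,2025-11-03
bob@smb.test,false,2025-11-14
carol@smb.test,true,2025-11-28
svc-backup@smb.test,true,2025-06-01
"""


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def orphaned_accounts(hr_csv: str, idp_csv: str) -> list[dict]:
    """One finding per departed user whose account is still enabled or was
    used after their last day (the post-incident discovery described above)."""
    idp = {r["email"].lower(): r for r in _rows(idp_csv)}
    findings = []
    for t in _rows(hr_csv):
        acct = idp.get(t["email"].lower())
        if acct is None:
            continue  # already deleted: nothing to report
        last_day = date.fromisoformat(t["last_day"])
        last_sign_in = date.fromisoformat(acct["last_sign_in"])
        reasons = []
        if acct["enabled"].lower() == "true":
            reasons.append("still enabled")
        if last_sign_in > last_day:
            reasons.append(f"signed in {(last_sign_in - last_day).days} day(s) after last day")
        if reasons:
            findings.append({"email": t["email"], "last_day": t["last_day"], "reasons": reasons})
    return findings


def stale_accounts(idp_csv: str, today, max_idle_days: int = 90) -> list[str]:
    """Enabled accounts with no sign-in for max_idle_days: shared or service
    logins nobody owns turn up in the same review. `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(
        r["email"] for r in _rows(idp_csv)
        if r["enabled"].lower() == "true"
        and (today - date.fromisoformat(r["last_sign_in"])).days > max_idle_days
    )


if __name__ == "__main__":
    for f in orphaned_accounts(HR_TERMINATIONS_CSV, IDP_USERS_CSV):
        print(f["email"], "left", f["last_day"], "->", "; ".join(f["reasons"]))
    print("stale:", stale_accounts(IDP_USERS_CSV, today="2025-12-01"))
```

A sign-in after the last day is the finding to escalate: it is either an unfinished offboarding or the misuse the Insider Threat pattern describes, and only the activity log on the systems involved tells you which. Shared logins and service accounts fail this review by design, which is the argument for giving each of them a named owner and a rotation date.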
Threat #10: Cloud Misconfiguration & Shadow IT · Medium · Growing; 43% of cloud secrets = API keys
Publicly exposed storage buckets, overly permissive IAM roles, leaked API keys in code repositories, and unauthorized cloud services create attack surfaces that SMBs often don't know exist.
Prevalence
30% of all 2025 breaches involved data distributed across multiple environments (down from 40% in 2024). 43% of cloud-related leaked secrets were API keys. Shadow AI platforms (employees using AI on personal accounts) create untracked data exposure.
Shadow AI Risk
IBM found that 20% of organizations reported a breach involving shadow AI (AI tools used without IT or security oversight), and those breaches cost $670K more on average. Per the DBIR, 72% of employees who accessed AI on corporate devices did so with personal accounts.
Blocking Controls
NIST CSF: PR.DS-1
NIST CSF: ID.AM-2
CIS Control 4: Secure Configuration
CIS Control 3: Data Protection
Cloud Security Posture Management (CSPM) · Scan public GitHub repos for exposed secrets · Inventory all SaaS tools quarterly · Block public access on all storage buckets by default
Cost Differential
Breaches involving multi-environment data cost $5.05M vs $4.01M for on-premises only. Organizations with ungoverned AI systems are significantly more likely to be breached and face higher costs when they are.
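"Scan public repos for exposed secrets" appears in the control lists for both Threat #8 and Threat #10. The script below is an added example, not code from the Atlas or from any scanning product: it runs fixed patterns for AWS access key IDs, GitHub personal access tokens and private-key blocks over source text, plus a generic assignment rule that only fires when the assigned value has high Shannon entropy, and it redacts what it finds so the report itself does not leak the secret. The sample file is constructed; the AWS key in it is the example key from AWS's own documentation, not a live credential, and the other values are made up.

```python
"""Scan source text for leaked API keys and tokens, redacting matches.

Added example, not code from the Atlas. The sample content is constructed;
the AWS key shown is AWS's documented example key, not a real credential.
"""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# `api_key = "..."`-style assignments; only reported when the value looks random.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score above 3.5, words and repeats far lower."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep enough of the match to locate it without reproducing the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "..."


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return findings as {kind, line, match} with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"kind": kind, "line": lineno, "match": redact(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"kind": f"high_entropy_{m.group(1).lower()}",
                                 "line": lineno, "match": redact(value)})
    return findings


# Constructed sample: a settings file a developer might commit by mistake.
SAMPLE_SOURCE = '''# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
stripe_secret = "q7Zp2vK9mX4tL8wR1sN6bH3cJ5yF0dGa"   # made-up high-entropy value
app_name = "inventory-service"                       # not a secret
password = "changeme"                                # too short for the generic rule
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f'line {f["line"]}: {f["kind"]} {f["match"]}')
```

Fixed patterns catch well-known key formats; the entropy rule is what finds vendor keys you have no pattern for, at the cost of the occasional false positive on hashes or base64 blobs. Either way, scanning is detection only: a key that has reached a public repository must be treated as compromised and rotated, since a history rewrite does not recall copies already harvested. Running the same check as a pre-commit hook (tools such as gitleaks and trufflehog do this with far larger pattern sets) keeps the key from ever landing in the repository.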
Threat #11: DDoS & Availability Attacks · Medium · Growing frequency vs. SMBs
Attackers flood your website, customer portal, or infrastructure with massive traffic volumes, making them unavailable to real users. Used to extort businesses or as cover while another attack occurs simultaneously.
SMB Impact
DDoS attacks are increasingly accessible to attackers via cheap botnet-for-hire services. Revenue-dependent SMBs (e-commerce, SaaS, professional services) face disproportionate impact from even a few hours of downtime. Ransomware groups increasingly layer DDoS with encryption for double-extortion.
Trend synthesis from CISA advisories and Verizon 2025 DBIR; specific SMB DDoS rate unavailable from public sources
Blocking Controls
NIST CSF: PR.PT-5
NIST CSF: RC.RP-1
CIS Control 12: Network Infrastructure Management
CDN with DDoS protection (Cloudflare's free tier absorbs most volumetric floods, provided the origin accepts traffic only from the CDN's address ranges; an origin IP that is still directly reachable lets attackers bypass the CDN entirely) · Rate limiting on all public-facing APIs · ISP-level DDoS mitigation for critical infrastructure · Incident response plan for availability events
Cost Reference
General industry data suggests DDoS incidents cost SMBs $22,000–$50,000 per incident in downtime, lost sales, and emergency remediation. No SMB-specific DDoS cost data is available in the public reports examined for this Atlas.
[Source unavailable for SMB-specific DDoS cost — general industry estimate only]
Mitigation Baseline
Cloudflare's free plan provides meaningful DDoS mitigation for most SMB websites. For businesses with uptime SLAs or revenue-critical web services, a paid DDoS mitigation service ($200-2,000/month) is appropriate risk management.
Vendor capability assessment; not a product endorsement
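The CDN absorbs volumetric floods; "rate limiting on all public-facing APIs" is the application-layer half, and it is what stops a single abusive source (or a credential-stuffing run) once traffic reaches the origin. The class below is an added example, not code from the Atlas: a per-client sliding-window limiter that returns a Retry-After value and does not count denied requests against the window, so a flood cannot lock a client out indefinitely. Timestamps are passed in by the caller so the behaviour is reproducible; the request sample uses RFC 5737 documentation addresses and is constructed.

```python
"""Per-client sliding-window rate limiter with a Retry-After hint.

Added example, not code from the Atlas. Timestamps are supplied by the caller
(use time.monotonic() in a server) so the sample replay is deterministic.
"""
from collections import deque


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits: dict[str, deque] = {}

    def check(self, client: str, now: float) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request from `client`.

        Denied requests are not recorded, so the window reflects only served
        traffic and the client is admitted again as soon as an old hit expires.
        """
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0


def replay(limiter: SlidingWindowLimiter, requests) -> dict[str, dict[str, int]]:
    """Feed (client, timestamp) pairs in time order; return allowed/denied counts per client."""
    summary: dict[str, dict[str, int]] = {}
    for client, ts in sorted(requests, key=lambda r: r[1]):
        allowed, _ = limiter.check(client, ts)
        s = summary.setdefault(client, {"allowed": 0, "denied": 0})
        s["allowed" if allowed else "denied"] += 1
    return summary


# Constructed traffic: one client hammering at 10 req/s, one behaving normally.
SAMPLE_REQUESTS = (
    [("203.0.113.9", t * 0.1) for t in range(50)]
    + [("198.51.100.7", float(t)) for t in range(5)]
)

if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=20, window_seconds=10)
    for client, counts in replay(limiter, SAMPLE_REQUESTS).items():
        print(client, counts)
```

Two deployment caveats. Behind a CDN every connection arrives from the CDN's addresses, so the client key must come from the forwarded-client header the CDN sets (and only trusted from the CDN's ranges), otherwise all users share one bucket. And keying on source IP alone does little against a distributed botnet; it is the right tool for abusive single sources and brute-force login attempts, while the volumetric case stays with the CDN and ISP mitigation listed above.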
Threat #12: Physical & Device Theft · Medium · Declining but persistent
Lost or stolen laptops, phones, and USB drives containing unencrypted data. Less glamorous than hacking, but a single stolen laptop with customer records creates the same breach notification obligations as a network intrusion.
Context
Physical device theft and loss were responsible for nearly half of all breaches in 2005 — today they've declined sharply. However, unencrypted devices remain a compliance trigger. Healthcare, financial, and legal SMBs face regulatory penalties from unencrypted device loss regardless of whether data was actually accessed.
IBM Cost of a Data Breach 2025 (20-year trend analysis)
Blocking Controls
NIST CSF: PR.DS-1
NIST CSF: PR.DS-3
CIS Control 3: Data Protection
CIS Control 4: Secure Config (encryption)
Full-disk encryption on all laptops (BitLocker/FileVault, built in at no extra cost) with recovery keys escrowed centrally · MDM for remote wipe capability · No sensitive data stored on local devices · Screen lock and auto-lock policy enforced
Regulatory Context
Under HIPAA, PCI DSS, and most state privacy laws, a lost unencrypted device containing regulated data triggers mandatory breach notification. Encryption is the safe harbor: in most jurisdictions a lost device is not a reportable breach if the data was encrypted to a recognized standard (HHS guidance points to NIST SP 800-111 for data at rest) and the key or password was not lost along with the device.
HIPAA 45 CFR §164.312(a)(2)(iv) · PCI DSS v4.0 Requirement 3.5
Implementation Effort
Full-disk encryption via BitLocker (Windows) and FileVault (macOS) is built into the operating system at no additional cost. Enabling it across all company devices is a half-day IT task; the only ongoing work is keeping recovery keys escrowed (in your MDM, in Entra ID or Active Directory for BitLocker, or in the company password manager) so that a forgotten password does not turn into data loss. This is the single highest-ROI security control for this threat category.
Vendor capability assessment
Primary Sources — Verification Status
All statistics on this page are drawn from the following public sources. URLs verified as accessible May 2026. Sources refreshed monthly.
- Verizon 2025 Data Breach Investigations Report (DBIR) — Analyzed 22,052 incidents, 12,195 confirmed breaches across 139 countries. verizon.com/business/resources/reports/dbir/
- FBI Internet Crime Complaint Center (IC3) 2025 Annual Report — 1,008,597 complaints; $20.877B in reported losses. ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
- IBM Cost of a Data Breach Report 2025 — 600 organizations across 17 industries, 16 countries; 20th annual edition. ibm.com/reports/data-breach
- CISA Known Exploited Vulnerabilities (KEV) Catalog — 1,484 confirmed exploited vulnerabilities as of Dec 2025. cisa.gov/known-exploited-vulnerabilities-catalog
- NIST Cybersecurity Framework (CSF) — Control references throughout this Atlas. The subcategory identifiers used (PR.AC-1, ID.SC-1, PR.IP-12, DE.CM-8 and so on) are CSF 1.1 identifiers; CSF 2.0 (February 2024) restructured and renumbered them (for example PR.AC became PR.AA and ID.SC moved to GV.SC), so use NIST's published 1.1-to-2.0 crosswalk before citing these against CSF 2.0. nist.gov/cyberframework
- CIS Controls v8 — Control references throughout this Atlas. cisecurity.org/controls