Date: 2025-12-24

More than four-in-ten US small businesses have experienced a cyber attack, but they're not necessarily going the right way about avoiding one in the future.

A survey by cybersecurity platform Guardz found that 80% of respondents believe the need for cybersecurity in their industries has increased over the past year, with 43% of all US-based SMBs having already experienced a cyber attack.

Just over six-in-ten said they're expecting greater overall cyber risks in the year to come.

However, 52% of SMBs still rely on an untrained internal staff member or the business owners themselves to manage critical security functions, without support from professionals.

Only 34% of SMB owners have a formal incident response or continuity plan developed with a cybersecurity professional, and 27% lack cyber insurance. In one-third of cases, the business owner personally handles alerts and incident resolution.

Another 13% of SMBs rely on untrained employees to handle alerts.

“In 2025, SMBs are confronting the reality that cyber threats are no longer distant possibilities, but daily risks with the potential to disrupt or even destroy a business,” said Dor Eisner, CEO and co-founder of Guardz.

The threats facing SMBs

SMBs cited phishing, ransomware, and employee mistakes as the most common threats. For 45%, employee negligence was their biggest cybersecurity concern, particularly in the education sector.

While 43% of SMBs report they experienced a cyber attack in the past five years, 27% said it had happened in the past 12 months.

On a more positive note, 64% of business owners reported recovering quickly, marking a sign of improvement in recent years, the study noted. Just 3% said they faced severe, lasting damage.

Still work to be done

The study from Guardz warned there’s still plenty of work to be done in terms of bolstering security capabilities, however.

Although 58% of SMBs use network firewalls, 52% employ email spam filters, and 41% have endpoint protection, 26% don't conduct regular penetration tests or security assessments.

Nearly half (42%) of SMBs are also worried about outdated technologies, with healthcare businesses the most concerned.

Half of SMBs reported increasing their cybersecurity budgets, with 17% significantly increasing their spend – but not too much, with 16% allocating less than $50 per user per year.

Nearly a third, meanwhile, don’t know exactly how much they spend on cybersecurity at all.

SMBs are turning to partners

As threats mount, SMBs are increasingly looking to external partners for help. Those working with a managed service provider (MSP) cited a fear of cyber attacks and a sense of responsibility to customers and stakeholders as their main reasons.

Researchers also found 80% of SMBs with a formal incident response plan in place were able to avoid major damage during an attack.

“This research confirms that businesses increasingly recognize the value of experienced service partners. Those that try to manage risk on their own lack the expertise, resources, and tools needed to stay resilient,” said Eisner.

“The data shows that organizations with strong preparation, grounded in clear processes and trusted partners, are far better positioned to avoid disruption and maintain continuity.”

