After the Storms Have Passed: SMB Losses, Threats, and Insights from 2024

Author: Christina Todorova
Categories: Research
Date: December 23, 2024

As 2024 winds down, yearly cybersecurity reports are rolling in from all corners of the globe, provided by organisations of all sizes, including public organisations, private companies, vendors, and independent research institutes alike. It’s the perfect time to look back at the year in numbers, reflect on lessons learned, and plan. This is when many businesses set their goals, targets, and budgets (including headcount!) for the new year, especially those focused on preventing and tackling cybersecurity threats. It’s an ideal moment for a cybersecurity “year in review”.

A big takeaway stands out from these reports, namely that cyberattacks remain one of the most expensive threats to businesses. In 2023 alone, cybercrime cost companies an estimated $8 trillion globally—a jaw-dropping figure projected to skyrocket to nearly $24 trillion by 2027.

While these numbers might make you think cybercriminals only go after massive, publicly traded companies, the reality is different. Attacks on small and medium businesses (SMBs) are rising. In fact, for certain types of attacks, SMBs are at even greater risk. The impact on smaller businesses can be devastating—limited resources, tighter budgets, and often a lack of in-house cybersecurity expertise make them especially vulnerable.

In this article, we will overview some relevant numbers on cybersecurity incidents and the financial losses they cause for SMBs - not to sensationalise the risks but to provide a clear understanding of the challenges and actionable strategies for resilience. By examining real-world cases and exploring the broader consequences of cyberattacks, we hope to offer valuable lessons for SMBs navigating today’s complex cybersecurity landscape and give you some fresh ideas for your 2025 cybersecurity strategy.

The Scope of the Problem

In 2024, the troubling trend of SMBs becoming prime targets for cyberattacks has only gained momentum, bringing to light the profound financial and operational implications for these organisations. The numbers paint a stark picture: between March 2023 and February 2024, the global average cost of a data breach hovered around a staggering USD 4.88 million - an amount that varies but applies regardless of organisation size. While larger enterprises may have the resources to absorb such blows, the impact on SMBs can be devastating, often threatening their very survival.

Certain industries continue to bear the brunt of these attacks. According to a 2022-2023 Statista report on basic web application attacks, the most targeted sectors include financial services, information technology, professional services, public administration, manufacturing, and healthcare. These are followed closely by education, transportation, retail, and entertainment industries. This breadth of targeted sectors underscores the pervasive nature of cyber threats. Furthermore, in its annual 2024 report, Verizon notes that there is no substantial difference between large organisations (55%) and small organisations (47%) in the basic web application attack patterns.

A study by Okta, Inc. sheds further light on the financial aftermath of cyberattacks for SMBs. Alarmingly, one in five SMBs reported spending $200,000 or more on cybersecurity measures in the wake of an attack—compared to less than 5% of SMBs who made similar investments without experiencing an attack. This stark disparity highlights a reactive rather than proactive approach to cybersecurity among many SMBs, often driven by the false assumption that they’re too small to be targeted.

The cost of cyberattacks is never limited to immediate containment and remediation. Victims also face indirect financial losses from downtime, disrupted operations, and diminished customer trust. Recovery, both financial and reputational, is rarely swift. The same Okta study reveals that while over 50% of SMBs managed to recover financially within one month, fewer than half reported regaining their reputation in the same time frame. For many SMBs, reputation recovery can take months, if not years, as they grapple with the lingering effects of breached customer trust and tarnished brand image.

These insights emphasise the critical need for SMBs to adopt a more proactive stance on cybersecurity. By investing in robust preventive measures, employee training, and incident response plans, businesses can not only reduce the likelihood of attacks but also minimise the devastating ripple effects when they do occur. Cybersecurity is no longer a luxury or an afterthought for SMBs—it’s a strategic imperative in today’s threat-filled digital landscape.

The mental toll also trickles down through organisations. Smaller companies, with limited staff and stretched resources, find it even harder to rebuild trust and morale after a security breach, with 41% citing a direct impact on employee morale. Nearly one-fourth of SMBs with larger workforces (100-499 employees) noted significant impacts, finding it harder to rebuild internal trust and morale after a cyberattack.

The 2024 Cybersecurity Outlook Insights Report from the World Economic Forum (WEF) highlights an interesting trend: organisations with strong cyber resilience often have highly engaged executive leadership when it comes to managing cyber risks. On the flip side, among organisations that admit they aren’t cyber resilient, a whopping 77% of respondents either don’t trust or are unsure if their CEO even understands the company’s cyber risks.

Another key takeaway from this year’s WEF report is that most leaders (81%) feel just as vulnerable - or even more vulnerable—to cybercrime compared to last year. This feeling persists despite Fortinet’s annual threat report showing a 75% drop in exploitation attempts per organisation. While that might sound like good news, it’s not necessarily cause for celebration. Fortinet, which observes the same tendency, points out that this decline likely reflects two factors: defenders are getting better at spotting attacks, but cybercriminals are also becoming more precise and targeted in their approach.

Building on the challenges of leadership engagement and precision-targeted cyberattacks, there’s another critical issue gaining attention: the balancing act between adopting disruptive technologies and managing legacy systems. At the start of the year, much of the cybersecurity conversation revolved around the risks and opportunities posed by emerging tech. However, this focus has often overshadowed the significant strain on outdated systems and the cultural hurdles organisations face when trying to modernise.

It’s not just about embracing the new; organisations also need to confront the vulnerabilities of their older, legacy technologies. For larger companies, this isn’t just a technical problem but their biggest challenge, which gives small and medium-sized businesses an advantage. In fact, the WEF report also reveals that 44% of respondents from high-revenue organisations identified securing legacy systems as their primary roadblock to cyber resilience. Yet, there’s a clear disconnect between how cyber leaders and business leaders perceive this problem. While 29% of security leaders see legacy systems as a major barrier, only 14% of business leaders agree. Similarly, 25% of security leaders cite cultural resistance to change as a top issue, compared to just 8% of their business counterparts.

Ultimately, while shiny new technologies grab headlines, the less glamorous work of addressing legacy vulnerabilities and fostering a culture that embraces change is just as critical—if not more so—for achieving true cyber resilience. It’s a tough balancing act, but one that organisations can’t afford to overlook, and one that matters as much as the leadership factors influencing security decisions.

At the same time, there’s a troubling trend emerging: the number of organisations maintaining even a basic level of cyber resilience is shrinking. Small and medium-sized businesses (SMBs), which form the backbone of many national economies, are being hit the hardest. In fact, the number of organisations meeting minimum cyber resilience standards has dropped by 30% (WEF), and the gap between large enterprises and SMBs is growing wider.

While big companies have made impressive strides in boosting their cyber resilience, SMBs are moving in the opposite direction. Shockingly, SMBs are more than twice as likely as larger organisations to report that they lack the resilience needed to keep critical operations running. This stark disparity underscores just how vulnerable smaller businesses are in today’s cyber landscape.

What makes this even more alarming is that SMBs don’t just face the same challenges as their larger counterparts—they face them with far fewer resources. Yet, they often bear a disproportionate share of the consequences when they can’t bounce back from attacks. For SMBs, inadequate cyber resilience isn’t just a technical setback; it’s an existential threat.

Key Threats for SMBs in 2024

So far, results from this year’s cybersecurity reports show few deviations or surprises compared with 2023. One of the key challenges for SMBs remains that vulnerabilities are often compounded by resource limitations, a lack of in-house expertise, and slower adoption of advanced cybersecurity measures compared to larger organisations.

Phishing. Again.

Once again, phishing and related tactics (such as pretexting) take the cake, representing a significant vulnerability for SMBs, as detailed in the 2024 Data Breach Investigations Report (DBIR), accounting for 73% of breaches in certain sectors. Credentials are the most commonly compromised data in phishing-related breaches, appearing in 50% of incidents.

The report also reveals that phishing attacks unfold alarmingly fast. The median time for a user to click a malicious link after opening a phishing email is just 21 seconds. Within another 28 seconds, users often input sensitive information, making the total time to compromise less than one minute. While organisations have improved at detecting and reporting phishing, the rapid success rate of attackers underscores the importance of ongoing user education.

Exploitation of Vulnerabilities

The same report also notes a 180% increase in breaches stemming from exploited vulnerabilities, many of which are zero-day or near-zero-day. SMBs, with limited patch management resources, often struggle to stay ahead of these threats. Zero-day vulnerabilities, such as those exploited in the MOVEit file transfer system, have become a favoured tool for ransomware and extortion actors. Attackers leveraged a SQL injection vulnerability to install backdoors, enabling data theft and manipulation of legitimate user accounts. These attacks show a trend of shifting from traditional ransomware deployment to more nuanced exploitation strategies, often leveraging vulnerabilities in internet-facing platforms.

Organisations using managed file transfer systems and other internet-exposed technologies were particularly impacted, with multiple sectors such as education, healthcare, and government facing disproportionate risk. A survival analysis of patch management practices revealed that while some organisations remediate 50% of critical vulnerabilities within 55 days of patch availability, many fail to address them for over a year. This delay leaves organisations increasingly exposed.
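The "survival analysis" mentioned above is a standard way to measure patch latency honestly: findings that are still open on the day of the analysis are right-censored (we know they have survived at least that long, not when they will be fixed), so simply averaging the closed ones would flatter the numbers. The following is an added example, not code from the DBIR or from this article; it applies a Kaplan-Meier estimate to a constructed set of critical findings, each recorded as the date its patch became available and the date it was remediated (or None if still open), and reports the share remediated within 55 days, the median remediation time and the findings open for more than a year.

```python
"""Kaplan-Meier estimate of how quickly critical vulnerabilities get patched.

Added example, not from the DBIR or this article. All records below are
constructed: (date the patch became available, date remediated or None).
Open findings are right-censored at ANALYSIS_DATE.
"""
from datetime import date

ANALYSIS_DATE = date(2024, 12, 1)  # assumption: the day the review is run

# Constructed sample of critical findings.
FINDINGS = [
    (date(2024, 1, 10), date(2024, 1, 25)),  # fixed after 15 days
    (date(2024, 1, 10), date(2024, 3, 1)),   # 51 days
    (date(2024, 2, 2), date(2024, 4, 20)),   # 78 days
    (date(2024, 3, 15), date(2024, 3, 30)),  # 15 days
    (date(2024, 3, 15), None),               # still open: 261 days so far
    (date(2024, 5, 1), date(2024, 6, 25)),   # 55 days
    (date(2024, 6, 1), None),                # still open: 183 days so far
    (date(2023, 9, 1), None),                # open for over a year: 457 days
    (date(2024, 8, 20), date(2024, 8, 22)),  # 2 days
    (date(2024, 10, 1), None),               # still open: 61 days so far
]


def days_open(patch_available, remediated_on, analysis_date=ANALYSIS_DATE):
    """Return (days the finding stayed open, True if it was actually fixed)."""
    end = remediated_on or analysis_date
    return (end - patch_available).days, remediated_on is not None


def survival_curve(findings, analysis_date=ANALYSIS_DATE):
    """Kaplan-Meier estimate of S(t) = P(finding still unpatched after t days).

    Returns a list of (t, S(t)) steps, one per distinct remediation time.
    Censored findings stay in the at-risk set up to their censor time but are
    never counted as events, which is what keeps the estimate honest about
    findings nobody has fixed yet.
    """
    obs = sorted(days_open(p, r, analysis_date) for p, r in findings)
    curve, s, i = [], 1.0, 0
    while i < len(obs):
        t = obs[i][0]
        at_risk = len(obs) - i  # every observation with duration >= t
        events = sum(1 for d, fixed in obs if d == t and fixed)
        while i < len(obs) and obs[i][0] == t:  # skip past all obs at time t
            i += 1
        if events:
            s *= (at_risk - events) / at_risk
            curve.append((t, s))
    return curve


def fraction_remediated_by(curve, t):
    """Estimated share of findings patched within t days of patch availability."""
    s = 1.0
    for step_t, step_s in curve:
        if step_t <= t:
            s = step_s
    return 1.0 - s


def median_remediation_days(curve):
    """First time at which estimated survival drops to 50% or below, else None."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def open_for_over_a_year(findings, analysis_date=ANALYSIS_DATE):
    """Findings with no fix and more than 365 days since the patch shipped."""
    return [p for p, r in findings if r is None and (analysis_date - p).days > 365]


if __name__ == "__main__":
    curve = survival_curve(FINDINGS)
    for t, s in curve:
        print(f"day {t:>3}: {100 * (1 - s):5.1f}% remediated")
    print("within 55 days:", fraction_remediated_by(curve, 55))
    print("median days to remediate:", median_remediation_days(curve))
    print("open > 1 year:", len(open_for_over_a_year(FINDINGS)))
```

On this constructed sample the estimate reproduces the pattern described in the text: half of the findings are remediated within 55 days, yet one has been open for more than a year. The same routine works on an export from a vulnerability scanner as long as each row carries a patch-availability date and an optional remediation date.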

Ransomware, Extortion and Credential Theft

Ransomware, often paired with extortion techniques, continues to dominate across industries, accounting for 32% of breaches, with extortion alone rising to 9% of all incidents. Attackers frequently use stolen credentials or exploit web application vulnerabilities to gain initial access. In some cases, pure extortion tactics are employed, where data theft replaces encryption, leaving businesses with limited recovery options even if they have backups.

Credential-related attacks have also remained common, including credential stuffing (reusing credentials stolen in earlier breaches) and brute force attempts on weak or default passwords. Attackers have favoured APIs and web applications in 2024, which provide broad access if compromised. Stolen credentials appear in 31% of breaches over the last decade, making them a key enabler for attackers. And despite the availability of mitigations like stronger password policies, multi-factor authentication (MFA) and advanced monitoring, SMBs often lag in adopting these due to resource constraints, leaving them exposed.
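Credential stuffing and brute force leave different fingerprints in authentication logs, and an SMB without a SIEM can still catch both with a small script. The following is an added example, not code from the DBIR or from this article; the log format and the sample lines are constructed (documentation IP ranges, fictitious users). Per source IP it slides a time window over the events: many failures against one account is brute force, failures spread across many distinct accounts from one source is credential stuffing, and a success that follows a burst of failures deserves an analyst's attention in either case.

```python
"""Detecting brute force and credential stuffing in authentication logs.

Added example, not from the DBIR or this article. The log format and the
sample lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP hammering a single account, one IP spraying
# many accounts once each, and one user who simply mistyped a password.
SAMPLE_LOG = """\
2024-11-03T10:15:01Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:06Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:11Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:16Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:21Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:26Z ip=203.0.113.7 user=alice result=FAIL
2024-11-03T10:15:31Z ip=203.0.113.7 user=alice result=OK
2024-11-03T10:20:00Z ip=198.51.100.9 user=alice result=FAIL
2024-11-03T10:20:04Z ip=198.51.100.9 user=bob result=FAIL
2024-11-03T10:20:08Z ip=198.51.100.9 user=carol result=FAIL
2024-11-03T10:20:12Z ip=198.51.100.9 user=dave result=FAIL
2024-11-03T10:20:16Z ip=198.51.100.9 user=erin result=FAIL
2024-11-03T10:20:20Z ip=198.51.100.9 user=frank result=OK
2024-11-03T11:00:00Z ip=192.0.2.5 user=alice result=FAIL
2024-11-03T11:00:10Z ip=192.0.2.5 user=alice result=OK
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect(log_text, window=timedelta(minutes=5), brute_force_fails=5,
           stuffing_users=5, takeover_min_fails=3):
    """Return {source_ip: set of alert kinds} for the given log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:  # expire old events
                start += 1
            fails = [x for x in evs[start:end + 1] if not x["ok"]]
            per_user = Counter(x["user"] for x in fails)
            if per_user and max(per_user.values()) >= brute_force_fails:
                alerts[ip].add("brute_force")
            if len(per_user) >= stuffing_users:
                alerts[ip].add("credential_stuffing")
            if e["ok"] and len(fails) >= takeover_min_fails:
                alerts[ip].add("success_after_failures")
    return dict(alerts)


if __name__ == "__main__":
    for ip, kinds in detect(SAMPLE_LOG).items():
        print(ip, sorted(kinds))
```

The thresholds are deliberately parameters: a login portal used by a few dozen staff can afford a low stuffing threshold, a public customer portal cannot. The single mistyped password from 192.0.2.5 produces no alert, which is the false-positive case any such rule has to tolerate.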

Supply Chain Vulnerabilities

Supply chain interconnections were implicated in 15% of breaches, marking a 68% increase year-over-year. Many breaches involve attackers exploiting vulnerabilities in vendor software or third-party systems, as seen in high-profile incidents like MOVEit and 3CX.

Zero-day vulnerabilities in widely used platforms (e.g., file transfer systems) are increasingly targeted by attackers. SMBs relying on third-party services are particularly at risk when vendors fail to patch promptly. Vetting vendors for security practices, prioritising updates for third-party software, and monitoring for signs of exploitation in partner systems remain the best preventative techniques when it comes to supply chain security in 2024.

Outdated and Legacy Systems

Outdated systems create significant risks, particularly in industries with operational technology (OT) environments. These systems are not only vulnerable to direct attacks but also lack integration with newer security tools. Attackers increasingly exploit these weaknesses, leading to breaches that could have been mitigated with updated infrastructure and better vulnerability management.

Although, as discussed above, this problem is more severe in the cases of larger organisations, many SMBs also continue to rely on older systems, libraries and dependencies that are difficult to secure against modern cyber threats.

These legacy systems often lack vendor support for critical updates, leaving them vulnerable to exploitation. Cultural resistance to change compounds the problem, as employees and even leadership may be reluctant to invest in overhauling established technologies.

Errors and Misconfigurations

Human error is and has been a leading cause of breaches, with incidents of misconfigurations and accidental data exposure seeing substantial increases in 2023. For example, misdelivery (sending information to the wrong recipient) accounted for more than 50% of errors, while misconfiguration was a common factor in 10% of breaches.

Common errors include:

  • Misdelivery, or sending sensitive information to the wrong recipient, often via email.
  • Misconfiguration and poorly configured systems that inadvertently expose data.

These mistakes result not only in data breaches but also in significant financial and reputational damage for SMBs. The report emphasises universal controls to catch these errors, such as automated tools for configuration management and systems that prevent unintentional data sharing. Employee training remains critical to reducing the frequency of these incidents.
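One of the "universal controls" the report has in mind for misdelivery is a check that runs before a message with sensitive content leaves the organisation. The following is an added example, not code from the DBIR or from this article; the organisation's domain, the partner allow-list, the classification labels and the sample messages are all constructed. It blocks sensitive mail to unknown external domains and, separately, catches the classic typo case where a recipient domain is one or two characters away from the organisation's own domain or a trusted partner's.

```python
"""Outbound-mail misdelivery guard (added example, constructed data)."""
from collections import namedtuple

Message = namedtuple("Message", "sender recipients subject classification attachments")

OWN_DOMAIN = "example.com"                                  # assumption
TRUSTED_PARTNERS = {"partner-bank.example", "auditor.example"}  # constructed
SENSITIVE_LEVELS = {"confidential", "restricted"}           # assumed label scheme
SENSITIVE_SUFFIXES = (".xlsx", ".csv")                      # assumption: data exports


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike / mistyped domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_sensitive(msg):
    return (msg.classification.lower() in SENSITIVE_LEVELS
            or any(a.lower().endswith(SENSITIVE_SUFFIXES) for a in msg.attachments))


def review(msg, max_typo_distance=2):
    """Return [(recipient, reason), ...]; an empty list means the mail may go."""
    findings = []
    known = {OWN_DOMAIN, *TRUSTED_PARTNERS}
    for rcpt in msg.recipients:
        dom = recipient_domain(rcpt)
        if dom in known:
            continue
        # A domain that is almost one we trust is more likely a typo than a
        # legitimate new correspondent; flag it whatever the content.
        for k in sorted(known):
            if 0 < edit_distance(dom, k) <= max_typo_distance:
                findings.append((rcpt, f"look-alike of {k}"))
                break
        else:
            if is_sensitive(msg):
                findings.append((rcpt, "sensitive content to unknown external domain"))
    return findings


# Constructed sample messages.
MSG_INTERNAL = Message("hr@example.com", ["alice@example.com"],
                       "Salary review", "confidential", [])
MSG_TYPO = Message("hr@example.com", ["bob@exmaple.com"],
                   "Contract", "restricted", ["contract.pdf"])
MSG_NEWSLETTER = Message("news@example.com", ["reader@somewhere.example"],
                         "December update", "public", [])
MSG_EXPORT = Message("sales@example.com", ["ceo@other-corp.example"],
                     "Q4 figures", "internal", ["customers.csv"])

if __name__ == "__main__":
    for m in (MSG_INTERNAL, MSG_TYPO, MSG_NEWSLETTER, MSG_EXPORT):
        print(m.subject, "->", review(m) or "allow")
```

The same rule set belongs in whatever sits in the outbound path (mail gateway, DLP policy, or a pre-send add-in); the point is that the recipient check and the content classification are evaluated together, so a restricted document to a mistyped partner domain is stopped even though each signal alone might pass.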

Lessons Learned and Strategies for a Resilient 2025

Think of cybersecurity like maintaining a car. Skipping the oil change may seem fine for now, but it’s going to cost you big later. The statistics and the 2024 cybersecurity year in review remind us that breaches aren’t just about stolen data—they mean downtime, reputational damage, and hefty recovery costs.

Investing in modern security tools, patching legacy systems, and increasing security budgets aren’t optional anymore. SMBs often avoid these expenses, assuming their smaller size makes them invisible to attackers. The reality? Cybercriminals love SMBs. Prioritise cybersecurity in your budget, not as a one-time spend, but as part of your long-term survival strategy.

So, besides investing in cybersecurity, what else can you do?

There is one thing that remains unchanged throughout the years, which is that the faster you respond, the less damage you’ll suffer. Yet, 2024 reports show that many SMBs don’t even have a basic incident response plan (IRP). This isn’t just about tech - it’s about knowing who does what when things go sideways. And don’t just write it down - practice it. Simulated drills help iron out confusion and prepare your team for the real thing.

Another thing that is hard to see from the data is that there is a desperate need to close skills gaps and a remaining need for education. Your staff doesn’t need to be cybersecurity experts, but they do need to know how to spot “suspiciousness”, how to report it and who to ask for help. Regular, bite-sized training sessions work better than overwhelming lectures.

This year, supply chain attacks have been on the rise, including several high-profile cases. Supply chain vulnerabilities are the gift that keeps on giving to attackers. As the DBIR notes, many breaches originate not in the targeted company but in a vendor or partner’s systems. Understandably, SMBs often rely heavily on third-party software and services, making this a serious concern. And because attackers know that smaller businesses often lack the resources to vet or monitor these connections thoroughly, they see supply chains as a soft target.

Every vendor or partner that connects to your systems expands your attack surface. Each one represents a potential doorway for attackers, whether through poorly secured APIs, misconfigured access controls, or vulnerable software. Some practical steps you can take to strengthen your posture in relation to supply chain risks include:

  1. Invest time in vetting vendors. Some questions for them could be related to the security frameworks they follow, their software management and vulnerability patching policy, and what their incident response processes are in case of a security breach. Consider maintaining a central record of all vendors, the systems they access, and their risk levels. This helps you prioritise monitoring efforts and quickly respond if a specific vendor is compromised.
  2. Apply the principle of least privilege. Grant vendors only the access they absolutely need to perform their tasks. Include in your regular cybersecurity maintenance schedule time to review and revoke access that is no longer necessary. Consider also segmenting vendor connections to ensure that if one system is breached, it doesn’t compromise your entire network.
  3. Prepare. A general recommendation is always to assume that a third-party breach is possible and include it in your incident response plan. Doing this will help you ensure that you have a clear process for isolating affected systems or processes, as well as a standard operating procedure for notifying stakeholders promptly, including customers and regulatory bodies, if needed.
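The three steps above fit together around one artefact: the central vendor access record. The following is an added example, not code from this article or from any vendor-management product; every vendor, system and date in it is constructed. It keeps, per vendor and system, the role granted, the minimum role the task actually needs, the last time the access was used and whether the system is critical, and then answers the questions a periodic review (step 2) and an incident (step 3) both ask: which access to revoke or reduce, which vendors to monitor most closely, and which systems to isolate first if a given vendor reports a breach.

```python
"""Vendor access register with least-privilege review (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RANK = {"read": 0, "write": 1, "admin": 2}
TODAY = date(2024, 12, 20)  # assumption: date of the review


@dataclass
class Access:
    vendor: str
    system: str
    role: str                 # role actually granted
    needed_role: str          # minimum role the vendor's task requires
    last_used: Optional[date]  # None = never used
    system_critical: bool


# Constructed register.
REGISTER = [
    Access("PayrollCo", "hr-db", "write", "write", date(2024, 12, 10), True),
    Access("PayrollCo", "file-share", "read", "read", date(2024, 5, 1), False),
    Access("WebAgency", "cms", "admin", "write", date(2024, 12, 15), False),
    Access("WebAgency", "crm", "read", "read", None, True),
    Access("MSP-IT", "domain-controller", "admin", "admin", date(2024, 12, 19), True),
    Access("MSP-IT", "backup-server", "admin", "admin", date(2024, 12, 18), True),
]


def review(register, today=TODAY, stale_after_days=90):
    """Return [(access, action)] for entries to revoke (stale) or reduce."""
    findings = []
    for a in register:
        unused = a.last_used is None or (today - a.last_used).days > stale_after_days
        if unused:
            findings.append((a, "stale: revoke"))
        elif RANK[a.role] > RANK[a.needed_role]:
            findings.append((a, f"over-privileged: reduce {a.role} to {a.needed_role}"))
    return findings


def monitoring_priority(register):
    """Vendors ordered by exposure: admin rights on critical systems weigh most."""
    score = {}
    for a in register:
        weight = (RANK[a.role] + 1) * (3 if a.system_critical else 1)
        score[a.vendor] = score.get(a.vendor, 0) + weight
    return sorted(score, key=lambda v: (-score[v], v))


def blast_radius(register, vendor):
    """Systems to isolate if this vendor is compromised, critical ones first."""
    rows = [a for a in register if a.vendor == vendor]
    return [a.system for a in sorted(rows, key=lambda a: (not a.system_critical, a.system))]


if __name__ == "__main__":
    for a, action in review(REGISTER):
        print(f"{a.vendor:10} {a.system:18} {action}")
    print("monitor first:", monitoring_priority(REGISTER))
    print("if WebAgency is breached, isolate:", blast_radius(REGISTER, "WebAgency"))
```

Keeping `needed_role` next to `role` is what turns the record into a least-privilege check rather than an inventory: the review flags the gap between the two, and the stale-access rule catches the accounts that were granted for a project and never cleaned up.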