Have you heard? SMB spending on small business cloud security is set to rise from six percent (6%) to eight percent (8%) year over year by 2028.
So, what’s fueling the increase in IT spending?
Gartner says record IT spending in the world’s hottest tech markets is being fueled by AI.
And Deloitte says AI will be embedded into every company’s IT footprint by 2027.
Everywhere, SMBs are investing in IT solutions to enhance productivity, streamline operations, strengthen infrastructures, and increase profit margins.
As AI reshapes the world economy and the digital revolution heats up, is your business positioned for success? Below, we discuss the state of small business security, how your business can navigate the age of AI, and the best small business cybersecurity solutions in 2025.
The growing importance of cloud security for small business
SMBs power both innovation and job creation – but they’re also a prime target for cybercriminals who think they lack the resources to fend off attacks.
The state of small business security
SMBs (small and medium-sized businesses) power our world economy, with over 400 million existing worldwide:
- In the United States, SMBs make up 99.9% of all businesses and are responsible for 43.5% of the country’s GDP.
- Worldwide, there are 196 million micro businesses and 11 million small businesses.
- Between 1995 and 2021, SMBs were responsible for almost two-thirds of newly created jobs in the U.S.
Industry reports show that 61% of SMBs experienced a cyber-attack in 2024 and up to 50% of attacks now target SMBs. Yet, many are woefully unprepared to fight back:
- 59% of small business owners with no cybersecurity think their company is too small to be targeted.
- 47% of businesses with fewer than 50 employees have ZERO funds allocated for cybersecurity.
- 83% have NO cyber insurance – and are unaware that it exists.
These statistics highlight the disconnect between perceived and actual risk as threats rise against SMBs.
The top cyber-attacks targeting SMBs in 2025
So, what does the risk landscape look like?
- In 2024, SMBs experienced an average loss of US $1.6 million due to security incidents, up from US$1.4 million in 2023.
- Nearly 40% of small businesses lost crucial data, and 51% said their website was down for 8-24 hours because of an attack.
- 56% of SMBs fear new security risks stemming from AI, up from 48% in 2024.
- Meanwhile, 85% of SMB leaders think they’re ready for an attack - but only 20-34% have implemented multi-factor authentication (MFA), strong passwords, and role-based access controls.
- Most alarmingly, 71% haven’t deployed endpoint security and 78% have no Dark Web monitoring.
And that’s not all: The reputation damage, lost revenues, lawsuits, and regulatory fines from just ONE attack can lead an SMB to shut its doors for good.
So, what are the top attacks targeting SMBs in 2025?
First are malware attacks:
- Infostealer malware like Lumma saw a 369% surge in detections in the second half of 2024. Lumma steals usernames, passwords, financial info, browsing history, and crypto wallet data. It spreads through fake CAPTCHA pages, torrents, and phishing emails.
- The XWorm malware can take remote control of infected computers and record keystrokes, capture webcam images, listen to audio input, and scan network connections.
- 37% of SMBs that experienced a malware attack needed over a week to fully restore operations.
A close second are attacks relating to ransomware (a type of malware):
- SMBs are prime targets: 82% of ransomware victims are businesses with fewer than 1,000 employees.
- Over 76% of SMBs experienced a ransomware attack in the past year.
- Among those attacked, 31% of ransom payments were between $1 million and $5 million.
- By December 2024, Medusa ransomware operatives had attacked over 300 critical infrastructure organizations (many of them SMBs) across the world.
- Triple extortion ransomware attacks are growing. This is where attackers encrypt business data, exfiltrate it, and then threaten any third parties (suppliers, customers, and partners) connected to the victim. Triple extortion attacks raise the stakes significantly for SMBs, as they face not only data breaches but also severe financial losses and damage to important business relationships.
- Double extortion ransomware (data encryption + exfiltration) accounted for 81% of ransomware incidents in 2023. But triple extortion (adding direct victim contact) jumped to 14% of ransomware cases in H1 2023 and continues to climb. In 2025, new ransomware groups like DragonForce, Meow, and KillSec are increasing their use of multiple extortion techniques to attack SMBs.
Next are AI-driven cyber-attacks:
- AI-powered phishing scams are exploding and will be a top threat to SMBs in 2025 and beyond.
- Modern AI-driven phishing attacks now take a multi-channel approach, using email, voice, and video manipulations to ensnare unsuspecting SMB employees.
- In 2024, a 703% surge in credential-based phishing attacks was identified.
Finally, we have supply chain attacks:
- Supply chain attacks against SMBs are increasingly connected to ransomware. According to the 2024 Global Ransomware Survey, 62% of respondents said they experienced a ransomware attack originating from a software supply chain partner.
- A majority (91%) of respondents are concerned about ransomware attacks on downstream software supply chain, third-party, and connected partners.
The situation is dire - but you can fight back, and you can do it without breaking the bank. Below, we show you how you can leverage your existing resources to get cybersecurity right.
CISA small business cybersecurity solutions other SMBs don’t know about – and they’re FREE
According to CISA, SMBs are three times more likely to be targeted by cybercriminals than larger enterprises. Fortunately, it has a roadmap and FREE resources you can leverage to beat attackers at their own game:
- First, you’ll want to establish a culture of cyber readiness. Download CISA’s free Cyber Essentials starter kit for step-by-step guidance on strengthening the human firewall at your business. Essential actions you and your staff must take (and resources for taking them) are clearly outlined in the kit. This includes implementing MFA, patch management, continuous data backups, and secure configuration baselines for all devices.
- You’ll want to select a Security Program Manager to ensure your organization implements all key elements in Cyber Essentials. According to CISA, this person doesn’t need to be a security expert or IT professional.
- The Security Program Manager will create a written IRP (incident response plan), as mentioned in the Cyber Essentials kit. Not sure what a good one looks like? Follow CISA’s roadmap for an effective IRP. This document reveals what your organization must do before, during, and after an attack. CISA also provides FREE incident response training and awareness seminars.
- The Security Program Manager will host regular simulations called tabletop exercises (TTX), which should be attended by senior leaders. These discussion-based exercises explore hypothetical scenarios and solutions to help you identify gaps in existing crisis response plans. To get started, check out CISA’s roadmap for tabletop exercises. Tip: Consider enhancing TTX with an FTX (functional exercise), which requires real-time responses to realistic scenarios. An FTX is a better gauge of your organization’s ability to execute an effective response under pressure.
Need a little extra help? These FREE CISA services can get you started on hardening your organization:
- Connect with your regional CISA Cybersecurity Advisor.
- Sign up for CISA’s Cyber Hygiene Services.
- Use CISA’s CPG Assessment to prioritize investment in a limited number of essential actions with high-impact security outcomes.
- If you’re in the critical infrastructure industry, check out CISA’s Shields Ready program and roadmap for mitigating AI-driven threats against critical infrastructure.
Four (4) easy and affordable small business cybersecurity solutions to keep your business safe
Password management
Although malware remains a popular attack vector, there’s evidence it will become less central to cyber-attacks as attackers pivot to identity-based attacks that rely on stolen credentials.
Because attackers use valid credentials, identity-based attacks are harder to detect.
With a password manager like LastPass, your employees can:
- Generate strong passwords for each work account. This ensures professional credentials, personally identifiable information (PII), financial info, trade data, IP addresses, and identification cards are kept safe from attackers who would use them to escalate privileges and move laterally across your network.
- Get instant alerts if any of their personal data has been identified on Dark Web sites. This service is continuous, working hard to protect your business 24/7.
IAM (identity and access management)
IAM solutions ensure only authorized users can access sensitive systems and data. A key feature is role-based access control (RBAC), where permissions are assigned based on job roles rather than to individuals. With the right IAM solution, you can manage every employee’s identity, gain greater visibility into what they’re accessing, and enforce stronger controls over that access.
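To make the RBAC idea concrete, here is an added example (not LastPass code, and not any vendor’s IAM product) of a deny-by-default role-based authorization check in Python. The roles, users and resources are constructed sample data: "accountant" and "support" roles, and the users "alice" and "bob". It shows the two properties the passage relies on: a user only gets what their role carries (least privilege), and removing a departing employee’s roles revokes every access at once, with each decision recorded for audit.

```python
from dataclasses import dataclass, field

# A permission is a (resource, action) pair, e.g. ("invoices", "write").
Permission = tuple[str, str]


@dataclass
class Rbac:
    """Deny-by-default role-based access control with an audit trail."""
    role_permissions: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # Every decision is logged as (user, resource, action, allowed).
    audit_log: list[tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, role: str, resource: str, action: str) -> None:
        """Attach one permission to a role (permissions live on roles, never on users)."""
        self.role_permissions.setdefault(role, set()).add((resource, action))

    def assign(self, user: str, role: str) -> None:
        """Give a user a role; refuse roles that were never defined."""
        if role not in self.role_permissions:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop every role so no permission remains."""
        self.user_roles.pop(user, None)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Allow only if some role held by the user carries the exact permission.
        Unknown users, unknown roles and unlisted actions all fall through to deny."""
        needed: Permission = (resource, action)
        decision = any(
            needed in self.role_permissions.get(role, set())
            for role in self.user_roles.get(user, set())
        )
        self.audit_log.append((user, resource, action, decision))
        return decision


def build_sample_policy() -> Rbac:
    """Constructed sample policy (hypothetical roles and users for illustration)."""
    rbac = Rbac()
    rbac.grant("accountant", "invoices", "read")
    rbac.grant("accountant", "invoices", "write")
    rbac.grant("support", "tickets", "read")
    rbac.grant("support", "tickets", "write")
    rbac.grant("support", "customers", "read")   # support may look up, not edit
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "support")
    return rbac


def offboard(rbac: Rbac, user: str, resource: str, action: str) -> tuple[bool, bool]:
    """Return (allowed before offboarding, allowed after) for one permission."""
    before = rbac.is_allowed(user, resource, action)
    rbac.revoke_all(user)
    after = rbac.is_allowed(user, resource, action)
    return before, after


if __name__ == "__main__":
    policy = build_sample_policy()
    print("alice writes invoices:", policy.is_allowed("alice", "invoices", "write"))
    print("bob edits customers:", policy.is_allowed("bob", "customers", "write"))
    print("alice after offboarding:", offboard(policy, "alice", "invoices", "write"))
    for entry in policy.audit_log:
        print("audit:", entry)
```

The check is strict: a user with no roles, a role with no permissions, or an action that was never granted all return `False`, and the audit log makes the "detailed logs" an IAM solution is expected to keep available for review.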
MFA (multi-factor authentication)
MFA adds an extra layer of security by requiring users to provide multiple forms of authentication to access resources. Many MFA solutions are low-cost or free, such as Google Authenticator, LastPass Authenticator, or Duo Security.
Endpoint security
With increasingly sophisticated attacks, standard antivirus protection is no longer sufficient to protect your business. Securing endpoint and network edge devices is critical to reducing potential entry points for attackers.
Did you know Stellar Cyber’s Multi-Layer AI™ combines LastPass data with endpoint, network, and cloud telemetry to detect credential-based threats more effectively?
This powerful integration provides end-to-end visibility into user identities and their interactions with endpoint and network edge devices.
LastPass makes small business security easy and effortless
With a Secure by Design password manager like LastPass, you can stay ahead of the curve in several ways:
- Secure military-grade AES-256 encryption ensures that even if a breach occurs, employee login credentials and other sensitive data remain inaccessible to attackers.
- Easy password generation eliminates password fatigue (and reuse) among your employees. It also ensures unique, strong passwords for every work account and device.
- Centralized access management ensures you can easily control access rights, enforce password policies, and maintain detailed logs – without adding more staff.
- Simplified onboarding and offboarding ensures you can quickly grant new employees access to resources and revoke permissions for departing employees.
- Autofill functionality automatically populates login info at legitimate sites only, making security effortless for all.
- A variety of powerful MFA options, including CISA-recommended FIDO2-based MFA, ensure attackers can’t access work accounts even if they manage to steal login info.
- Secure credential and info sharing ensures employees can maintain security effortlessly in collaborative environments.
- Dark Web monitoring continuously scans underground marketplaces for compromised credentials so your employees can take swift action, such as changing their passwords and placing security freezes on their credit reports with all three credit reporting bureaus.
As the threats increase, your business can thrive amidst the chaos. At LastPass, we want you to be so confident in your investment that we’ve created a special tool to help you discover the ROI of LastPass Business.
Our password management ROI calculator is easy to use and can serve as a starting point to guide conversations with stakeholders at your company.
When you’re ready, sign up for a free LastPass Business trial and experience the peace of mind enjoyed by millions of satisfied customers across the world.