In 2025, small and medium-sized businesses (SMBs) faced a significant surge in data breaches, underscoring their vulnerability in the evolving cyber threat landscape. According to Proton’s Data Breach Observatory, 71% of major breaches targeted organizations with fewer than 250 employees, resulting in the exposure of over 306 million records. ([scworld.com](https://www.scworld.com/brief/proton-report-small-businesses-targeted-in-794-major-data-breaches-in-2025?utm_source=openai))
The Identity Theft Resource Center’s 2025 Business Impact Report further highlights this trend, revealing that 81% of small businesses experienced a security or data breach within the year. Alarmingly, nearly 40% of these businesses passed the associated costs on to consumers through price increases, contributing to broader economic implications. ([idtheftcenter.org](https://www.idtheftcenter.org/post/2025-business-impact-report-cybercrime-costs-passed-consumers/?utm_source=openai))
The financial repercussions for SMBs are substantial. A report by TechRadar indicates that cyber breaches in the U.S. now cost an average of $10.22 million, emphasizing the critical need for organizations to manage cybersecurity as a governance and leadership concern. ([techradar.com](https://www.techradar.com/pro/usd10-22-million-and-counting-us-cyber-breaches-have-become-a-boardroom-issue?utm_source=openai))
The retail and wholesale sectors were particularly affected, accounting for 25% of breaches. Notable incidents in the UK resulted in recovery costs reaching hundreds of millions. ([techradar.com](https://www.techradar.com/pro/security/smbs-most-at-risk-of-data-breaches-billions-of-records-compromised-so-far-heres-how-to-stay-safe?utm_source=openai))
The increasing sophistication of cyberattacks, including the use of artificial intelligence, has exacerbated the situation. For instance, hackers employed AI tools to steal hundreds of millions of records from Mexican government agencies and private citizens, marking one of the largest cybersecurity breaches to date. ([livescience.com](https://www.livescience.com/technology/artificial-intelligence/hackers-used-ai-to-steal-hundreds-of-millions-of-mexican-government-and-private-citizen-records-in-one-of-the-largest-cybersecurity-breaches-ever?utm_source=openai))
Despite heightened awareness, many SMBs remain underprepared. CrowdStrike’s 2025 State of SMB Cybersecurity Report found that while 93% of SMBs acknowledge cybersecurity risks and 83% have plans in place, only 36% are investing in new tools, and a mere 11% have adopted AI-powered defenses. ([crowdstrike.com](https://www.crowdstrike.com/en-us/press-releases/crowdstrike-unveils-smb-cyber-report-highlighting-protection-gaps/?utm_source=openai))
The Verizon 2025 Data Breach Investigations Report underscores the urgency for SMBs to bolster their cybersecurity measures. The report analyzed over 22,000 security incidents, revealing that 68% of breaches involved a non-malicious human element, such as errors or social engineering. This highlights the need for comprehensive employee training and robust security protocols. ([xitx.com](https://www.xitx.com/2025-verizon-dbir/?utm_source=openai))
In response to these challenges, experts recommend that SMBs implement strong credential management with multi-factor authentication, restrict access to sensitive data, and utilize end-to-end encryption for communications and storage. Adopting a “build in private” approach, which integrates privacy and security from the outset, is also advised to mitigate risks and protect consumer trust. ([techradar.com](https://www.techradar.com/vpn/vpn-privacy-security/startups-listen-up-proton-says-youre-not-too-small-to-be-hacked?utm_source=openai))