SMB cybersecurity statistics and trends in 2025: What MSPs need to know

Cybercrime is big business. Threat actors are now AI-powered and highly organized. If cybercrime were a nation, it would have the third-largest GDP in the world, trailing behind only the United States and China. The stakes have never been higher for small and midsized businesses (SMBs).

In this blog, we unpack the latest SMB cybersecurity statistics and explore what they mean for MSPs who want to lead in this critical moment.  

Key takeaways

• AI is supercharging cyberattacks: 83% of SMBs believe AI has raised the cybersecurity threat level. The concern is justified as threat actors are using AI to scale and refine attacks, such as phishing and business email compromise.
• SMBs are underprepared for AI risks: Only 51% have implemented AI security policies, leaving them vulnerable to data loss through improper or risky use of AI solutions.
• SMB cybersecurity budgets are increasing: 58% of SMBs spent more than planned on cybersecurity in 2024, and 57% now say it’s their top business priority in response to continuous and rapid changes in the threat landscape.
• MSPs must deliver AI-ready security: While SMBs increasingly rely on MSPs for protection, trust is fragile. About 73% aren’t fully confident in their MSP’s ability to defend them from a cyberattack, and nearly half would switch providers for more robust cybersecurity solutions.

The rise of AI-powered cyberthreats

Cybercriminals are leveraging AI to automate and scale their attacks, making them harder to detect. According to The State of SMB Cybersecurity Report, 83% of SMBs state that AI/genAI increases the cybersecurity threat level for their organization, yet many remain underprepared. SMBs and MSPs alike must understand how AI is intensifying familiar attack methods to better defend against them.

The top threats using supercharged by AI include:

Phishing

Phishing remains one of the most common and dangerous entry points for attackers. AI now enables cybercriminals to create highly realistic emails, messages, and websites that often impersonate trusted vendors or contacts. Whether it’s a spoofed login page or a well-written message from a “CEO,” phishing is designed to trick users into surrendering credentials,  sharing confidential data, or providing access to systems.

• According to the FBI’s 2024 Internet Crime Report, there were 193,407 phishing and spoofing complaints in 2024, resulting in over $70 million in losses.
• Over 3.4 billion phishing emails are sent every day in 2025, underscoring the scale and persistence of this threat.
• According to The State of Phishing report by SlashNext, email phishing surged following the launch of ChatGPT, marking a new era of AI-fueled cybercrime.  

Business email compromise (BEC)

BEC attacks are highly targeted attempts to impersonate a trusted individual or organization to trick employees into taking an action that results in financial loss or sharing confidential information. These AI-enhanced scams often take the form of an “urgent” request via convincing emails with accurate tone, language, and timing, making scams hard to spot.

• In 2024, the FBI received 21,442 BEC complaints, resulting in a staggering $2.77 billion losses, second only to investment fraud.
• BEC attacks increased by 48% in May 2025 compared to April 2025.
• Gift cards (25.2%) and credential phishing (23.2%) were the most common BEC cash-out methods.
• Darktrace researchers noted a 135% spike in “novel social engineering attacks” in 2023, coinciding with widespread ChatGPT adoption.

Malware

From spyware and trojans to rootkits and keyloggers, malware is designed to infiltrate systems, steal data, monitor activity, or give attackers remote control over business networks.

• The average cost to recover from a malware attack was $2.73 million in 2024, up from $1.82 million in 2023.
• According to a report from OpenAI, a threat actor used ChatGPT to iteratively build and refine multi-stage Go-based malware. They leverage it for debugging, evasion tactics, PowerShell scripting, and integrating Telegram alerts, demonstrating how AI can accelerate malware development.

Ransomware

Ransomware was once thought to primarily target large enterprises. But threat actors are increasingly focusing on SMBs because attackers perceive that SMBs have less cybersecurity protection and lack the robust backup and recovery capabilities of larger organizations.

• According to the FBI’s 2024 Internet Crime Report, 3,156 ransomware complaints were reported in 2024, with $12.5 million in losses, a figure that doesn’t account for intangible costs such as downtime, lost data, or reputational damage.
• 47% of small businesses (under $10 million in revenue) were hit by ransomware in the last year.
• The average ransom payment increased 500% to $2 million in 2024.

These statistics reveal a clear pattern: cyberattacks are rising in volume, severity, and financial impact. According to Vanson Bourne research, 61% of SMBs worry that a serious cybersecurity attack could be enough to put them out of business.

Cybersecurity awareness training and education for AI-era threats

The stakes are high. Phishing, BEC, and other social engineering attacks rely heavily on human error. Without proper training, employees can easily become the weakest link in an otherwise secure system. And as AI-generated phishing and deepfake scams grow more realistic, it’s becoming even harder for untrained users to distinguish between legitimate and malicious content.

Comprehensive cybersecurity awareness training can significantly reduce risk by helping employees:

• Recognize suspicious emails, links, and attachments
• Follow safe practices when using AI tools or sharing data
• Understand how attackers exploit human behavior, not just technology
• Know how to respond quickly and correctly when a potential threat is encountered

In addition, according to the State of SMB Cybersecurity Report, only 51% of SMBs have implemented security policies and practices for AI/genAI. This gap suggests that many organizations are not educating their employees on how AI tools can be exploited or how they may inadvertently misuse applications that could lead to confidential data leakage.

MSPs differentiate themselves by offering security awareness training that helps SMB clients create a strong “human firewall.” These programs lower the likelihood of successful attacks and reinforce a security culture that protects the business from the inside out.

Underprepared and overexposed: SMBs are investing more in cybersecurity

Based on the results of The State of SMB Cybersecurity Report, 58% of SMBs spent more on cybersecurity in 2024 than originally anticipated.

Why? Many surveyed SMBs underestimated the complexity, speed, and scale of modern cyberthreats.

From protecting remote endpoints to securing AI-driven systems, SMBs are now racing to close critical security gaps before attackers exploit them.

• 57% now say cybersecurity is their #1 priority, up from 43% in 2024
• 51% rank cybersecurity in their top three priorities for the next two years, higher than growth (40%) and customer retention (33%)  

Figure 1: SMB cybersecurity investment areas from March 2024 through March 2025

What these SMB cybersecurity statistics mean for MSPs

As SMBs scale their cybersecurity efforts, they’re turning to MSPs for help. However, expectations are also rising:

• 58% now view improved security as a key benefit of working with an MSP, up from 40% in 2024
• 73% of SMBs aren’t confident that their MSP could fully protect them in the event of an attack
• 47% would switch providers for a stronger cybersecurity solution
• 32% would hold their MSP solely responsible in the event of a breach, with 79% open to legal action

In other words, SMBs are ready to pay for protection, but they expect performance and accountability in return.

These stats reveal a clear mandate for MSPs:

• Provide proactive, AI-aware cybersecurity solutions
• Offer tailored guidance for securing endpoints, networks, applications, and AI environments
• Deliver transparent reporting and prove reliability
• Become a trusted advisor, not just a service provider

Holidays, weekends, and late nights are prime windows for cyberattacks, as they’re times when SMBs are least prepared. MSPs that offer always-on defense and proactive education will not only meet expectations, but they’ll become indispensable.

The SMB cybersecurity opportunity for MSPs: How ConnectWise can help

As the threat landscape continues to evolve, SMBs are feeling the pressure to strengthen their cybersecurity defenses. The State of SMB Cybersecurity Report reveals how SMBs are evolving their security strategies and expectations of MSPs.

With this in mind, ConnectWise is committed to equipping MSPs with the solutions, expertise, and support to meet those needs and lead in this new era. Together, we can help SMBs protect their businesses. 

Equip your team with the tools, training, and support to deliver unmatched cybersecurity outcomes for your clients and position your business as a leader in the next era of managed services. Connect with a cybersecurity expert today to explore how ConnectWise can power your cybersecurity and growth strategy.