
Study Finds Small Businesses Underestimate Cyber Risk Reality

Joe Toomey, June 25, 2025

When Coalition first embarked on our mission to protect the unprotected, we started by focusing on the most vulnerable and under-resourced organizations: small businesses. And while the cyber threat landscape has evolved dramatically, the smallest organizations remain the most vulnerable.

In early 2025, Coalition commissioned a Small Business Cybersecurity Study (the “Study”), which surveyed cybersecurity decision-makers at 1,000 small businesses across the globe to gain a deeper understanding of their cybersecurity practices and perspectives. The Study revealed a stark disconnect between awareness, perception, and real-world protection among this business cohort. 

Over the next several months, we'll be sharing insights gleaned through the Study in a series, which unpacks cyber risks for small businesses. To begin, we examine how small businesses perceive their cyber risk and their cybersecurity practices. The Study uncovered that small businesses recognize cyber risk as a serious problem. Yet, they aren’t prioritizing making informed decisions about where and how to thoughtfully invest their time and money to prevent attacks. 

Awareness isn’t the issue: Small business leaders know cyber attacks are increasing

Small businesses largely agree that cyber attacks are increasing. Most respondents (87%) expressed that they are very or somewhat concerned about exposure to cyber threats over the next 12 months. 

This may be because cyber attacks are becoming increasingly prevalent (see below), infiltrating consumers’ lives and prompting them to assess both their own cyber health and that of their businesses. Notably, cyber threats have become the top risk that business leaders report feeling concerned about globally.

Small Business Cybersecurity Study: Increased Risk

And 83% noted that they believe their risk has grown over the past year alone. However, awareness and concern that the risk is increasing do not necessarily mean that cyber is a priority or that cyber risk is being proactively considered. 

Small Business Cybersecurity Study: Risk Concern

Despite high awareness, most small businesses still believe they’re too small to be attractive targets for threat actors 

Although 79% of small businesses experienced at least one cyber attack in the last five years, 64% still don’t think they're an attractive target for threat actors. High concern and real experience are not enough for small business leaders to see themselves as high-risk. 

Small Business Cybersecurity Study: Attack Experience

Sure, large companies are likely bigger targets of choice for cyber attackers: bad actors know that an attack on a major retailer, for example, will be highly disruptive and potentially highly lucrative. But to assume “I’m not attractive, so I’m not at risk” ignores the other key factor that cyber attackers consider when evaluating ways to steal money: targets of opportunity.

The reality? Cyber attackers often seek the path of least resistance, not necessarily the flashiest prize. Attacks on targets of opportunity often begin with attackers scanning the internet and looking for the easiest ways to penetrate an organization’s systems, and those are often companies that have left their proverbial doors and windows open.

Small Business Cybersecurity Study: Too Small

While the Study found that most businesses have experienced an attack, a clear disconnect exists between their perception of their overall cyber risk and the reality of the broader cyber threat landscape. 

These findings were particularly surprising given that the idea that small businesses are not targets has proven to be widely false (with recent estimates noting small businesses are the target of 43% of attacks).

The big problem: Misunderstanding of risk leads to a lack of preparedness and proactive cybersecurity investment

Perhaps because small businesses believe they’re not targets, they’re not prioritizing cybersecurity investments. The Study found that most small businesses (59%) spend less than 10 hours per week on cybersecurity activities, and 74% allocate less than 10% of their total business budget to cybersecurity.

Small Business Cybersecurity Study: Dedicated Time

Small businesses may not prioritize cybersecurity as a key investment area because they are uncertain about the potential financial costs associated with a cybersecurity incident.

Small Business Cybersecurity Study: Budget

The Study found that 30% of respondents expected an attack to cost less than $500,000, 39% expected it to cost between $500,000 and $2 million, and 31% expected it to cost more than $2 million. This distribution of responses and lack of consensus are surprising, given that a vast majority of respondents had recently experienced a cybersecurity event (only 10% reported never having experienced a cyber attack).

Small Business Cybersecurity Study: Cost Assumptions

This dispersion also demonstrates that small businesses may not perceive the total cost of an incident. A cyber attack involves tangible financial impacts with immediate consequences, such as business interruption, forensic investigations, and fines and legal fees arising from notifying and compensating customers whose data may have been stolen. But an attack also leads to longer-term impacts that may contribute to the cost, including damage to brand reputation, mental stress on leaders, and lost trust from customers and employees.

Regardless of whether the true cumulative cost of an attack is less than $500,000 or more than $2 million, the amount is often too much for a small business to bear. By underestimating the gravity of the problem and the potential direct impacts, small businesses are often underprepared for the impact resulting from a cyber attack.

Rethinking cyber risk and reprioritizing resources

The Study revealed that 59% of small businesses believe their cybersecurity spending is the right amount. (Remember, only about 26% of the polled small businesses spend more than 10% of their budget on cybersecurity.)

Of course, as cyber risks become more sophisticated each day, small businesses must understand that even the most fundamental cybersecurity practices can mean the difference between a minor business disruption and permanent closure. Investing in proactive defenses before a cyber attack can significantly reduce the potential costs of an incident, compared with paying the price when no controls or mitigating technologies are in place.

Small Business Cybersecurity Study: Appropriate Spending

We’re not suggesting that small business decision-makers dedicate 100% of their time and money to cybersecurity, but this pulse check reveals a dissonance between real and perceived risk that requires small businesses to take a step beyond awareness to actual action. 

While attacking a single small business may not be as lucrative as targeting a major corporation, attacking multiple small businesses may reap similar financial rewards for cyber attackers and likely require a lot less heavy lifting. 

Ransomware as a Service (RaaS) is a thriving cybercrime business model that often leverages automation to identify vulnerable systems. By using botnets, for example, cyber attackers can scan the internet for vulnerable systems (those open windows and doors mentioned earlier) to subsequently attack and compromise.

The “smaller fish” are often the easiest catch, and while most small businesses do not think they’re at risk because they’re not attractive targets, Coalition has seen firsthand that this is not the case.

In the coming months, we’ll share further insights from the Small Business Cybersecurity Study, analyzing the practices and perceptions of a subset of small businesses around cybersecurity, as well as the steps they can take to reduce their risk.


Study results were generated by an online survey commissioned by Coalition and conducted by Wakefield Research, involving decision-makers responsible for cybersecurity investments at 1,000 small businesses (with annual revenues of less than $100 million) across the United States, Australia, Canada, Germany, and the United Kingdom.