
The SMB Cybersecurity Gap: High Awareness, Low Readiness


Cybersecurity is a business risk — not just an IT issue. But many are still underestimating it.

Cybercrime isn’t just targeting large enterprises anymore — it is everywhere. Today’s attacks, powered by AI and automation, are rapidly evolving and affecting organizations of every size. Small and midsize businesses (SMBs), in particular, have become equal targets. But unlike larger enterprises that often have the infrastructure, teams, and experience to defend themselves, most SMBs are still playing catch-up.

CrowdStrike’s latest research, The CrowdStrike State of SMB Cybersecurity Survey, which covers companies with fewer than 250 employees, makes this reality painfully clear: SMBs may understand the risks, but they’re struggling to act on them. The report shows a striking disconnect between cybersecurity awareness and actual execution — and the consequences are real. Here are the key findings:

1. Awareness High, Execution Low: Nearly all SMB leaders say they know cyber threats are a risk. But only 42% provide regular cybersecurity training to employees — the very frontline in defending against common threats like phishing. Even more concerning, the rate of cyber incidents is almost the same for businesses with a security plan (25%) and without one (24%).

2. The Smaller the Business, the Bigger the Risk: The divide becomes especially clear when you break it down by business size. Micro-businesses — those with fewer than 10 employees — are the least prepared. Fewer than half have a cybersecurity plan, and most spend less than 1% of their budget on security. Mid-sized SMBs are in a tough spot too: they’re growing fast and attracting more attention from attackers, but many haven’t scaled their security practices to match. The result? A maturity gap that puts critical systems at risk.

3. Cost concerns are real: Two-thirds of SMBs say cost is their top barrier to adopting better security tools. But here’s the catch: when cost becomes the primary driver, effectiveness often gets overlooked. That can lead to weak security solutions that offer little protection and create a false sense of safety. Many SMBs also lack the internal expertise to evaluate these tools properly, leaning heavily on outsourced IT or overstretched generalists to make decisions that carry real consequences.

4. Ransomware affects the smallest: 24% of larger SMBs consider ransomware the biggest threat, while only 14% of smaller SMBs say ransomware is their biggest concern, even though they are more likely to be hit by it. For micro-businesses (fewer than 25 employees), a ransomware incident can threaten their existence — three out of four say it could put them out of business altogether. Without recovery plans, insurance, or vendor support, these businesses are left exposed in ways that are hard to recover from.

5. SMBs want help: Many SMBs know cybersecurity is important, but they don’t always know what to do next. They want actionable guidance — not just dashboards and alerts. They are looking for clarity, simplicity, and real-world advice they can trust, and for vendors who will step in and support them. It is about enablement and education, not just products.

Cybersecurity today is as much about ecosystem resilience as it is about individual defense. Larger enterprises may have mature security programs, but the smaller vendors, suppliers, and partners they rely on often do not — and that creates risk across the supply chain. A breach at a single SMB can quickly become a breach of the entire network. This is why it is in every enterprise’s best interest to support SMBs in strengthening their defenses. Whether through shared threat intelligence, simplified tools, or proactive guidance, helping SMBs close their security gaps ultimately protects the entire ecosystem.

Suparna Chawla Bhasin

Suparna serves as Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E.  She plays a key role in content development, optimizing editorial workflows, aligning storytelling with audience needs, and collaborating across teams to deliver timely, high-impact content. Her background spans technology, media, and education, and she brings a unique blend of strategic thinking, creativity, and executional excellence to every project.
