Cyberattacks don't just target Fortune 500 companies. According to the Verizon DBIR 2025, 88% of SMB breaches involve ransomware — compared to 44% across all breaches. That's double the overall rate.
Yet the IPA's 2024 survey found that 62.6% of small businesses in Japan spend nothing on cybersecurity. And global data paints a similar picture: most SMBs lack dedicated security staff, budgets, or even a basic incident response plan.
This guide covers why small businesses are prime targets, how AI has transformed the threat landscape, and five concrete steps you can take today to protect your company.
Why Cybercriminals Target Small Businesses
Weak security posture
Most SMBs don't have a CISO, a security team, or even a written security policy. The IPA survey found that roughly 70% of Japanese SMBs have no formal security structure in place. For attackers, that's a door left wide open.
Supply chain entry point
The Verizon DBIR 2025 reports that third-party breaches doubled year-over-year, now accounting for 30% of all breaches. Attackers find it far more efficient to compromise a small vendor than to attack a well-defended enterprise directly.
When your company gets breached, the damage cascades. IPA data shows that about 70% of cyber incidents at SMBs affected their business partners.
The cost is fatal for small firms
| Statistic | Value | Source |
|---|---|---|
| Median ransomware payment | $115,000 | Verizon DBIR 2025 |
| Credential-based breach cost | $4.67M per incident | IBM Cost of Data Breach 2025 |
| Days to detect credential breach | 246 days | IBM Cost of Data Breach 2025 |
A $115,000 ransom might be a rounding error for a large corporation. For a small business with $1M in annual revenue, it's an existential threat.
How AI Changed the Threat Landscape
Since 2023, generative AI has fundamentally altered both the scale and sophistication of cyberattacks.
The phishing explosion
According to SlashNext, phishing emails have surged 1,265% since the emergence of generative AI. KnowBe4 reports that 82.6% of phishing emails are now AI-generated.
The phishing emails of five years ago were easy to spot — broken grammar, generic greetings, suspicious links. Today's AI can analyze a target company's industry, tone, and relationships to craft emails that are virtually indistinguishable from legitimate ones — in just 5 minutes (IBM Security). A human expert takes 16 hours to create the same campaign.
Shadow AI risk
Employees using unauthorized AI tools — "Shadow AI" — represent a growing blind spot. IBM's Cost of Data Breach 2025 found that breaches involving Shadow AI cost an additional $670,000 on average.
An employee pasting customer data into ChatGPT. Feeding proprietary code into an AI assistant. No malicious intent, but the data leaves your perimeter all the same.
Attack ROI has skyrocketed
For attackers, AI is a force multiplier that lowers cost and raises success rates. A phishing campaign that takes 5 minutes to create and yields $115,000 in ransom — the economics are irresistible. SMBs, with their thin defenses and higher likelihood of paying, are the most efficient targets.
The Real Cost of a Breach
The financial damage extends far beyond the ransom payment or recovery costs.
Regulatory penalties
In Japan, the 2022 amendment to the Act on the Protection of Personal Information (APPI) made breach reporting mandatory for all businesses, including SMBs.
| Requirement | Detail |
|---|---|
| Preliminary report | Within 3–5 days of discovery |
| Full report | Within 30 days (60 days for unauthorized access) |
| Individual notification | Mandatory notification to affected individuals |
| Maximum penalty | Up to ¥100M (~$670K) for non-compliance |
Globally, GDPR fines and US state privacy laws carry similar or heavier penalties. Regulatory exposure is not optional for SMBs anymore.
Credentials are the master key
In 2024 alone, 2.8 billion passwords were traded on criminal forums (Verizon DBIR 2025). Of those leaked credentials, only 3% met basic complexity requirements. That means 97% of passwords in the wild are trivially crackable.
Credential-based breaches take an average of 246 days to identify and contain (IBM). By the time you notice, the damage has been spreading for eight months. To check whether your credentials have already been exposed, see our password breach check guide.
5 Security Steps You Can Take Today
"I don't know where to start" — this is the number one reason SMBs delay security investments. Here are five steps, ranked by cost-effectiveness, that any small business can implement now.
Step 1: Deploy a password manager
With 22% of breaches starting from stolen credentials, managing your team's passwords is the highest-ROI security investment.
NordPass Business lets you monitor password health across your entire organization from a single admin console. It uses xChaCha20 encryption with zero-knowledge architecture — even NordPass itself cannot access your data.
| Feature | Detail |
|---|---|
| Pricing | From $3.59/user/month (2-year plan) |
| Minimum users | 5 |
| Free trial | 14 days (no credit card required) |
| Certifications | ISO 27001 / SOC 2 Type 2 |
Moving from spreadsheets and sticky notes to a proper password manager starts with a 14-day free trial. For individual use, the personal version is also excellent — see our NordPass review.
Step 2: Encrypt remote work traffic with a VPN
Remote work and coffee shop sessions are the norm now. Public Wi-Fi and home routers offer no security guarantees. A VPN encrypts all traffic between the device and the VPN server, so the local network cannot eavesdrop on it or tamper with it in transit (MITM attacks).
NordVPN supports up to 10 simultaneous device connections per account, so a small team can be covered with just a few licenses. The NordLynx protocol (WireGuard-based) keeps speeds high even with encryption enabled.
For a deep dive into securing remote workers, see our Remote Work Security Guide.
Step 3: Add anti-phishing protection
With AI phishing up 1,265%, relying on employee vigilance alone is a losing strategy. You need technical filtering.
NordVPN Threat Protection Pro blocks malicious sites and phishing URLs before your browser even loads them. It works independently of the VPN connection, providing always-on protection. It's included in NordVPN's "Plus" plan and above.
Step 4: Enable MFA on every account
Even if a password is compromised, MFA stops the attacker at the gate. Google Workspace, Microsoft 365, Slack, and every major business tool supports MFA.
It's free to set up, and the impact is massive. Just adding "password + authenticator app" as a second factor dramatically reduces account takeover risk. NordPass Business includes a built-in authenticator (NordPass Authenticator) for generating TOTP codes, so there's no need for a separate app.
Step 5: Run regular security awareness training
No tool can replace human judgment as the last line of defense. The Verizon DBIR 2025 found that 60% of breaches involve a human element — phishing clicks, social engineering, and simple mistakes.
Key training topics:
- Spotting phishing emails (check sender domain, hover over links)
- No password reuse — and how to use a password manager
- Shadow AI risks and company policy on AI tool usage
- Reporting procedures for suspicious emails and files
A 30-minute session once per quarter is enough. Consistency matters more than duration.
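The two checks in the first training topic, "check the sender domain" and "hover over links", written out as a small script so staff can see exactly what they are looking for; this is an added example, not code from the original post or from NordPass, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): display name shows a trusted-looking
# address, the real sender is another domain, and link text disagrees with href.
SAMPLE_EMAIL = """\
From: "ap@example-bank.com" <billing@example-bank-login.net>
Subject: Invoice overdue
Content-Type: text/html

<p>Pay at <a href="https://example-bank-login.net/pay">https://example-bank.com/invoices</a></p>
"""
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    """Apply the two training checks: sender domain and where links really go."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    real_domain = address.rpartition("@")[2].lower()
    shown = EMAIL_RE.search(display_name)  # address-like text in the display name?
    if shown and shown.group(1).lower() != real_domain:
        findings.append(f"sender domain mismatch: shows {shown.group(1)}, sent from {real_domain}")
    parser = _Links()
    parser.feed(msg.get_payload())
    for href, text in parser.links:  # the "hover over the link" check, automated
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            findings.append(f"link text mismatch: shows {shown_host}, points to {real_host}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` reports both mismatches; a message whose display name and link text agree with the real sender and href returns an empty list.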
Supply Chain Security Is Coming for SMBs
Japan's Ministry of Economy, Trade and Industry (METI) is targeting a late fiscal year 2026 launch for the Supply Chain Cybersecurity Assessment System (SCS). This framework will evaluate and score the security posture of companies across supply chains.
What this means for SMBs
Until now, cybersecurity has been treated as an internal matter. Under SCS, failing to meet your clients' security standards could mean being dropped from their supply chain. For SMBs embedded in large-enterprise supply chains, compliance may become a de facto requirement.
What you can do now
- Review IPA's SMB Information Security Guidelines and assess your current posture
- Implement the five steps above to build a baseline security framework
- Declare SECURITY ACTION (Two Stars) via IPA's official portal
In the US and EU, similar frameworks (NIST CSF 2.0, NIS2) are already shaping vendor requirements. Regardless of your geography, supply chain security expectations are tightening globally.
Wrapping Up
Small businesses are the primary target of modern cyberattacks — the data is clear.
- SMB ransomware involvement is ~2x the overall average (88% vs 44%)
- AI-powered phishing has surged 1,265% and now outperforms human experts
- 62.6% of Japanese SMBs invest nothing in security
- 50% of ransomware victims face recovery costs exceeding ¥10M (~$67K)
Your action checklist:
- Deploy a password manager (NordPass Business offers a 14-day free trial)
- Encrypt remote work traffic with a VPN
- Add anti-phishing protection
- Enable MFA on all accounts
- Start quarterly security awareness training
The era of "we're too small to be a target" is over. Attackers are armed with AI. It's time to arm your defenses too.