Cyber Attacks Are On The Rise: How Businesses Are Adapting

Has your business fallen victim to a cyber attack?

If so, you’re not alone.

A new Clutch survey shows just how often cyber threats are impacting business operations. Out of 400 businesses, nearly three quarters (73%) have been impacted by a cyber incident, but many still don’t have the resources to effectively protect their business or their data from looming threats.

With AI-driven cyber attacks becoming more prevalent (and more effective), it's crucial for business leaders to fully understand the threats facing their organizations so they can take action to strengthen their cybersecurity. 

Key Takeaways:

• 73% of businesses have experienced a cyber incident, and 55% of all businesses have had a cyber incident in the last year.
• Malware and ransomware (65%) were the most common types of cyber incident over the last 12 months.
• In response to a rise in cyber crime involving AI, 77% of business managers are concerned about AI-driven cyber threats.
• 83% of respondents plan to invest in cybersecurity in the next 12 months
• Only half (50%) of respondents say they plan to invest in employee training, even though their team is one of the biggest threats to cybersecurity.
• While 13% believe that small businesses are less vulnerable to cyber threats, 58% of businesses with less than 200 employees have been the victim of a cyber attack. 

Most Businesses Have Experienced a Cyber Incident Within the Last Year

Cyber attacks are on the rise, and small businesses aren’t immune. The majority (73%) of businesses have experienced a cyber incident, and 55% have experienced a cyber incident within the past year. This indicates a sharp rise in the number of cyber attacks against small businesses, likely driven by AI.

With easy access to AI tools, cybercriminals are automating their operations to launch widespread cyber attacks without much effort or technical skill.

A single cyber incident can lead to significant financial losses, disrupt operations, and damage the business’s reputation, making it hard to recover.

In early 2020, the foreign exchange company Travelex experienced a ransomware attack that eventually led to them going out of business. The attackers accessed the computer network and downloaded 5GB of customer data, forcing the company to turn off all of their computer systems.

Source

The attackers demanded $6 million to restore the company’s data, but they settled for a payment of $2.3 million. Despite having a cyber insurance policy in place, Travelex still needed to restructure and wasn’t able to cover the losses it incurred from the disruption to their operations. Their problems were then only compounded by the Covid-19 pandemic.

Unfortunately, Travelex’s story isn’t unique. Businesses of all sizes are impacted by cybercrime, highlighting the need for companies to prioritize cybersecurity.

Some Small Businesses Are Not Prepared

There is a common misconception that small businesses are less attractive targets for cybercriminals, but new data shows that this is false. In fact, 58% of businesses with less than 200 employees have been the victim of a cyber attack.

This statistic highlights a critical gap between perception and reality, leaving countless small and medium-sized businesses dangerously exposed.

The impact of these attacks can be devastating to SMBs, who often lack the resources to prevent or effectively respond to them. Unlike larger corporations with dedicated IT security teams, substantial budgets, and comprehensive incident response plans, SMBs may not have critical assets like security software, employee training, or cybersecurity personnel.

Data suggests that a single cyber attack could force nearly 1 in 5 SMBs to shut down. Other resources estimate that as many as 60% of businesses that experience a cyber incident close within 6 months of being breached.

Given these risks, SMBs need to recognize the threat posed by cybercriminals and take action to protect their businesses.

Most Common Types of Cyber Attacks from 2024-2025

Ransomware attacks like the one that Travelex fell victim to are one of the most common types of cyber attacks, with 65% of respondents saying that they have experienced a malware attack in the last 12 months.

Other common cyber incidents reported include business email compromise (61%), phishing (59%), and website compromises (49%). 

These types of cyber incidents are common because they’re very scalable and highly effective. One malware campaign, for instance, can target thousands of businesses at once. Hackers can then use malware to debilitate business operations until they’re paid.

Phishing is also very effective because it requires minimal skill to put in place and can be quite convincing. Now, attackers using AI can easily create personalized emails and email thousands of potential targets at once. 

The Rise of AI-Driven Cyber Attacks 

Cyber attacks have been a growing threat for businesses over the last few decades, but the increasing use of AI is particularly concerning for small and medium businesses. In fact, 77% of respondents said they were concerned about AI-driven cyber threats.

Between AI-generated phishing emails that can scrape public data to create personalized messages, adaptive malware that can change its behavior to avoid detection, and tools that can easily scan systems to identify weak points, cybercriminals now have the ability to launch highly targeted, sophisticated attacks at scale.

This dramatically increases the threat to businesses, especially small and mid-sized ones that may not have the resources or expertise to keep pace with evolving threats.

“[Businesses] should be alert, but not overwhelmed,” says Mike Murphy, CEO at IT Goat. “AI is accelerating the speed and reach of attacks—making phishing, spoofing, and malware more convincing and scalable.”

Oishya, a small online retailer that sells Japanese knives fell victim for an AI-powered scam that targeted its social media followers. The scammers used a generative AI tool to send fraudulent offers through Instagram, claiming that recipients of the message won a “free” knife set. “Winners” were directed to a cloned version of Oishya’s website and were told they just needed to pay a small shipping fee. 

Source

Roughly 100 people fell for the scam, causing confusion and upsetting customers who were wondering where their prizes were. Oishya’s leadership team had to intervene to help customers file refund claims. They were able to salvage the situation by launching education campaigns about detecting fake communications. This helped them retain their clients despite the incident. Other businesses aren’t always as lucky.

While this attack was against Oishya’s customers and not their own business, this is a perfect example of AI being used for realistic phishing and impersonation. According to Clutch’s survey, phishing is the top concern (49%) when it comes to AI-driven cyber attacks.

Other top concerns include the volume and speed of automated attacks (18%) and the inability to detect threats with traditional tools (16%). 

While only 10% of respondents thought that their employees’ vulnerability to deceptive content was the most concerning aspect of AI-driven attacks, that may be misguided. Employees are often considered the greatest cybersecurity vulnerability in a business, as their unpredictability makes them easy to exploit.

This is particularly true when considering AI-driven phishing scams that often rely on hyper-realistic communications, known as deepfakes, and social engineering to convince employees that they’re real. With that in mind, one of the best ways for businesses to prevent a cyber incident and protect the company is by providing cybersecurity training for their employees. 

The Biggest Threat To Your Business: Your Employees 

While most employees probably aren’t planning to intentionally leak data or sabotage your systems, even well-intentioned employees can make mistakes, such as:  

• Falling for social engineering scams
• Clicking on phishing emails or malicious links
• Using weak or reused passwords
• Sending sensitive data to the wrong recipients
• Misconfiguring systems or devices
• Resisting safety protocols 

Even basic cybersecurity training can help prevent this from happening and reduce vulnerabilities. Despite this, only 50% of respondents say they plan to invest in employee cybersecurity training in the next year. 

“Until companies make cybersecurity part of everyday operations—not just an IT checklist—the trend will continue,” says Murphy. 

Most cybersecurity training programs cover the fundamentals of cybersecurity, common threats like phishing and malware, and best practices for staying safe online. It teaches users how to recognize and respond to threats, create strong passwords, and follow secure browsing habits. At the very least, employees should be expected to comply with company policies and data protection laws.

Businesses should be providing regular cybersecurity training. “At minimum, quarterly—and more frequently if you operate in a high-risk environment,” says Murphy. “Monthly phishing simulations are especially useful because they keep awareness sharp. The threat landscape is changing fast, and training needs to evolve with it. What worked last year—like “spot the spelling mistakes”—is already outdated.”

Employee training isn’t super expensive, either. One-off training programs may cost up to $100 per employee, but annual training subscriptions are roughly $20-$50 per year. While these costs can add up over time, many cybersecurity training companies offer lower rates for larger teams.

Where Companies Are Investing in Cybersecurity

As cyber threats continue to grow in scale and sophistication, companies are increasingly investing in advanced cybersecurity technologies and strategies to protect their data, systems, and reputation.

Businesses looking to invest in cybersecurity in the next year plan to update security software and tools (56%), update their policies (53%), and conduct cybersecurity audits (50%). These strategies can help them identify vulnerabilities and strengthen their defenses to become more resilient to evolving threats. 

“Training should be about creating habits, not passing quizzes,” Murphy says. For that reason, employee training should focus on four main things:  

• Modern phishing recognition, including voice and video deepfakes.
• Verification habits—especially double-checking requests involving money or access through secondary channels.
• Remote work security, like VPN use, device hygiene, and access control.
• Incident response clarity—what to do, who to contact, and how fast to act when something seems wrong.

Outsourcing Cybersecurity vs. In-House IT Teams 

To combat rising cyber threats, 58% of businesses have an in-house IT team handling cybersecurity. Still, 21% either don’t have a technical team member or don’t have anyone managing cybersecurity, meaning they likely don’t have the support they need to protect their business’s data, networks, or operations.

While hiring an internal IT team can be costly, there are alternatives that are more affordable and just as effective. External MSP and cybersecurity companies can provide round-the-clock threat detection and incident response at rates that fit all cybersecurity budgets and specific needs.

External IT companies provide teams of trained and certified cybersecurity professionals who are up-to-date on the latest threats and best practices. They also have access to advanced tools that may be too expensive for smaller businesses to purchase on their own.

Ultimately, outsourcing to an IT provider can help businesses comply with industry regulatory requirements and prevent dangerous cyber attacks. 

Evolving Cyber Threats Require SMBs to Adjust Their Strategies

Cybercriminals are leaning on AI to scale attacks and make them more effective, and businesses of all sizes are at risk. The impact of these cyber threats can be catastrophic for small businesses, necessitating increased investment in IT and cybersecurity.  

Yet, through employee training, security audits, and new tools, many businesses are able to quickly respond to cyber incidents and even prevent them from happening. If you are looking to strengthen your business’s cybersecurity, but don’t have the budget for an internal team, external IT services can help you reduce vulnerabilities.

Methodology

This report is based on a survey conducted on August 5, 2025, using the online polling platform SurveyMonkey. We surveyed 406 small business owners in the United States between the ages 18-99 of all income levels. The respondents were 54% male and 46% female.

Participants were asked a series of multiple-choice and single-selection questions about the decisions made and results seen from either having or not having a website for their business. Quotas were applied to ensure a balanced distribution across demographic segments. All respondents were required to complete the survey in full to be included in the final analysis.

The findings provide insights into the state of cybersecurity for small businesses in 2025.

About the Author

Hannah Hicklen Content Marketing Manager at Clutch

Hannah Hicklen is a content marketing manager who focuses on creating newsworthy content around tech services, such as software and web development, AI, and cybersecurity. With a background in SEO and editorial content, she now specializes in creating multi-channel marketing strategies that drive engagement, build brand authority, and generate high-quality leads. Hannah leverages data-driven insights and industry trends to craft compelling narratives that resonate with technical and non-technical audiences alike. 

See full profile