The 2025 State of SMB Cybersecurity Report from CrowdStrike reveals a growing disparity between small and medium-sized organizations’ (SMBs’) cybersecurity preparation and knowledge. Even while 83% of SMBs say they have a plan in place and 93% believe they are informed about cybersecurity threats, just 36% are investing in new tools, and only 11% have used AI-powered safeguards.
Despite growing awareness, the majority of SMBs still lack the funding, resources, and internal knowledge necessary to thwart contemporary threats, according to research based on observations from SMB decision-makers across sectors and organization sizes. SMBs want protection that is simple to use, inexpensive to implement, and designed to grow with their company in light of more sophisticated and frequent assaults.
Highlights of CrowdStrike’s 2025 State of SMB Cybersecurity Report:
- The smallest companies are lagging the most: more than half of SMBs with fewer than 50 workers devote less than 1% of their yearly budget to cybersecurity, and only 47% of them say they have a security plan in place.
- Cost considerations influence decisions, but not necessarily in the best ways: Only 57% of SMBs say they prioritize protection against sophisticated threats, and only 6.5% think their current cybersecurity budget is actually enough, despite 67% of them prioritizing cost when choosing a cybersecurity solution.
- SMBs are under-supported in strategy and overwhelmed by choice: Almost 70% of SMBs rely on outside advice to guide their purchasing decisions, and 50% of SMBs feel overloaded by the variety of cybersecurity products available.
- Ransomware is still a major risk, particularly to smaller teams: Ransomware was reported by 29% of SMBs with less than 25 workers that had a cyber event in the previous year, compared to 19% of bigger SMBs.
- Adoption of AI-driven security offers a chance for expansion: There is a clear potential for growth-minded organizations to improve their safety with scalable, automated security that lowers operating costs and complexity, since just 11% of SMBs now use AI-powered security, and the majority are still in the early stages of the process.
According to Lisa Campbell, Vice President of SMB at CrowdStrike, “SMBs are more conscious of the cyber risks they face, but they are still susceptible to contemporary threats. Many are aware that they require more robust protection, but their lack of time, money, and experience prevents them from doing so. To put awareness into action, they want solutions that are both economical and efficient without increasing complexity.”
