The Third-Largest Economy You Didn’t Know About:
What Cybercrime Means for SMBs in 2025

December 24, 2024

From Global Impact to Local Action: Preparing Your Business for Cyber Threats

A few years ago, I read an alarming statistic in Cybercrime Magazine, framed in a way I hadn’t looked at before. For my end-of-year 2024 wrap-up, I decided to circle back and see how we’ve fared against the statistic.

In short: abysmally.

The statistic I’m referring to is this: if cybercrime were a country, it would rank as the world’s third-largest economy, behind only the U.S. and China. At the time, the estimated amount was $6T, which seemed staggering but plausible. Fast forward to today and the outlook has worsened. Cybercrime still ranks third, ahead of Japan, Germany, and India, with a staggering projected $8 trillion impact in 2024. This represents 33% growth since 2021, a trajectory driven by ransomware (RaaS), phishing, supply chain vulnerabilities, and many more.

To put this in perspective, while cybercrime grows at a staggering rate, outpacing even the fastest-growing economies like India (20.8%) and the U.S. (13.7%), its effects hit SMBs the hardest.

The largest 5,000 U.S. companies generated $38 trillion in 2023, and SMBs contributed $12 trillion. Yet, the cost of cybercrime affects businesses disproportionately. For small and mid-market businesses (SMBs), the impact is personal, disrupting operations, eroding customer trust, and putting livelihoods at risk.

Based on data from the National Cybersecurity Alliance (NCA) and the Verizon Data Breach Investigations Report (DBIR), over 1 million SMBs were significantly impacted by cyber incidents in 2023, with more than 60% of affected businesses shutting down within six months. With fewer resources and less robust defenses than larger enterprises, SMBs often become easy targets, leading to devastating consequences. Many of these incidents could have been prevented, mitigated, or recovered from more effectively with proper preparation.

But not everything in 2024 was grim. Awareness and concern have been growing among owners of businesses of all sizes. They have been taking proactive steps to strengthen their defenses and achieving operational efficiencies by aligning security with business goals. Alongside challenges came innovation and a growing recognition of the importance of cybersecurity.

Let’s take a quick look at a few of the areas that were most impactful in 2024, and look ahead to 2025 to prepare for the opportunities and challenges.

2024: A Year of Cyber Challenges and Resilience

Ransomware’s Unrelenting Growth
Ransomware attacks surged globally in 2024, disproportionately targeting SMBs. With downtime averaging 22 days per incident and costs reaching $170,000 per attack, the financial and reputational damage was severe. However, companies that invested in layered security solutions and robust incident response plans fared significantly better, recovering faster and minimizing losses. The growing frequency and cost of ransomware attacks taught us a critical lesson in 2024: preparation and proactive defense strategies are non-negotiable.

Phishing’s AI Evolution
Phishing attacks became smarter in 2024, with cybercriminals leveraging AI to craft highly convincing scams. Nearly 83% of breaches originated from phishing campaigns, making employee awareness a critical vulnerability. Businesses that implemented regular training and upgraded to app-based multi-factor authentication (MFA) saw significant reductions in successful attacks, highlighting the effectiveness of combining education with modern security tools.

Supply Chain Vulnerabilities: The SMB Factor
SMBs emerged as a weak link in supply chain security, with 62% of breaches traced back to vulnerabilities in smaller vendor systems. This not only placed SMBs at risk but also prompted increased scrutiny from enterprise partners. For SMBs, addressing these vulnerabilities became a path to building trust and strengthening competitive advantage within their supply chains.

Compliance Pressures and Their Impacts
Regulatory demands escalated in 2024, particularly in industries like healthcare, retail, and SaaS. Companies that fell short faced fines, legal battles, and lost contracts. On the flip side, businesses that prioritized compliance often gained operational efficiencies, reduced costs, and built stronger client relationships, turning regulatory challenges into competitive advantages.

Preparing for 2025: Challenges and Opportunities

Looking ahead to 2025, businesses must apply the lessons learned in 2024 to anticipate and mitigate evolving threats.

The Continuing Threat of Ransomware
Ransomware campaigns are expected to become more targeted in 2025, with attackers demanding payments not just to decrypt data but to prevent leaks of sensitive information. Smaller businesses remain prime targets due to perceived vulnerabilities.
Developing a reliable backup and recovery strategy is critical. Regularly test backups to ensure quick recovery and work with security partners to protect these backups from tampering. A robust incident response plan will also minimize downtime and costs.

Phishing and the Role of User Education
Phishing attacks will evolve further in 2025, with AI generating scams that are harder to detect. Without user training programs, businesses will remain vulnerable.
Investing in ongoing employee training and app-based MFA can drastically reduce risk. Transition away from SMS-based MFA, which is more susceptible to interception, to strengthen account security.

Supply Chain Security: SMBs as Trusted Partners
As enterprises enforce stricter third-party risk management practices, SMBs have an opportunity to stand out by adopting strong cybersecurity measures.
Aligning with frameworks like CIS, NIST, or ISO 27001 helps build trust and strengthens relationships, ensuring SMBs remain integral to supply chains. In some instances, sharing findings and working with enterprise partners solidifies those relationships further.

Expanding Compliance Requirements
Compliance mandates will broaden in 2025, impacting industries like healthcare, retail, and SaaS. Failing to meet these requirements could result in steep fines and reputational damage.
Automating compliance tracking and reporting reduces the risk of mistakes and saves time. Businesses that integrate compliance into their operations demonstrate accountability and gain trust with clients and partners.

Securing Your Business for 2025

Partner with Experts
The complexity of modern cybersecurity requires expertise. Collaborating with trusted providers ensures layered security, 24/7 monitoring, and compliance support, allowing you to focus on business growth.

Build a Resilient Strategy
Plan for disruptions while striving for operational excellence. Identify your most critical assets, create a roadmap for continuous improvement, and regularly test your defenses to ensure readiness.

Foster a Culture of Security
Technology alone isn’t enough. Empower employees with training to recognize threats, protect sensitive data, and report suspicious activity. A security-conscious team is your first line of defense.

Turn Compliance Into a Competitive Advantage
Compliance isn’t just about avoiding fines—it’s an opportunity to build trust. Clients and partners are more likely to work with businesses that demonstrate accountability and transparency.

Closing Thoughts: Thriving in 2025

The challenges of cybersecurity are undeniable, but so are the opportunities for growth, trust-building, and competitive advantage. By understanding the lessons of 2024 and preparing for what’s ahead, your business can not only weather the risks but emerge stronger and more resilient.

As a reminder, SMB size can be a significant advantage. Adoption of new security measures, the ability to narrow risk, an understanding of their environment, and fewer points of compromise allow SMBs to be more nimble and responsive.

While cost and expertise continue to be factors, in many instances the most cost-effective and basic steps reduce the impact on SMBs by over 85%.

With the right strategy, tools, and partnerships, 2025 can be a year of thriving in the digital age.