Cybercrime and Small Businesses: The 2025 ITRC Business Impact Report

We know small businesses are the backbone of the U.S. economy, but the latest 2025 Business Impact Report from the Identity Theft Resource Center (ITRC) shows that cybercrime is now a near-universal threat for them, with serious financial, operational, and strategic consequences. The report draws on an August 2025 survey of 662 small business owners and executives at companies with 500 or fewer employees, including solopreneurs and gig workers. Today we’ll walk through the findings.

Cyberattacks Are Almost Universal, and They’re Getting More Sophisticated

One of the clearest takeaways: 81 percent of small businesses reported experiencing a security breach, data breach, or both in the past year—an alarmingly high figure that shows nearly all small enterprises are now targets.

The nature of cyberattacks is also evolving. AI-powered attacks were cited as a root cause in more than 40 percent of incidents, indicating sophisticated threat actors are increasingly leveraging automation and machine learning to break through defenses.

The Financial Toll Is Severe (and Passed on to Customers)

The financial impact of these breaches is significant: A majority of breached businesses reported losses of $250,000 or more, and more than a third reported losses exceeding $500,000 in 2025. To cope with these rising costs, 38.3 percent of small business leaders said they raised prices to cover financial impacts like remediation, lost revenue, fines, or legal costs—effectively creating a “cyber tax” that gets passed on to consumers.

This trend is especially worrisome for small business owners. Why? It highlights how cybercrime not only hurts the bottom line directly, but also forces pricing decisions that can impact competitiveness and customer relations.

Confidence in Cyber Readiness Is Declining

Despite greater awareness of risks, many small business leaders feel less prepared to defend against attacks than they did a year ago. The percentage of respondents who said they felt “very prepared” for a cyberattack dropped sharply, driven by the emergence of new, sophisticated threats.

At the same time, implementation of basic security measures like multi-factor authentication (MFA) actually declined from 33.6 percent in 2024 to 27.2 percent in 2025, creating a paradox: Small businesses know cyber threats are growing, but many aren’t adopting basic protections that could reduce risk. This “dangerous disconnect” between awareness and action leaves many small companies exposed to threats they know are coming.

Small Business Leaders Are Divided on AI

Cybersecurity attitudes reflect broader confusion. While most leaders are planning for future AI–driven attacks and would embrace AI-powered security tools, they’re mixed on who should be responsible for protecting people from AI-enabled cybercrime: The business, the customer, or broader public policy?

Whether it’s using AI to automate detection or to generate phishing campaigns, small businesses must understand that AI is both a risk and a tool in cybersecurity.

Small business owners don’t have to be cybersecurity experts, but you do need to treat cyber risk like any other business risk—one that can cost serious money and disrupt operations.

At ARF Financial, we help business owners stay ahead of financial risks, and that includes those that emerge from cyber incidents. From financial planning to risk mitigation strategies, we equip your business with tools and guidance to keep your operations resilient and your growth on track. Interested in safeguarding your business and its future? Let’s talk about how ARF Financial can help you build a stronger, more secure financial foundation—tailored to the challenges you face today.