Guardz Report Shows Nearly Half of U.S. SMBs Have Faced a Cyberattack, Underscoring Rising Risk and Uneven Readiness
Key Takeaways
- Guardz finds 43% of U.S. SMBs have already experienced a cyberattack, with phishing, ransomware, and employee mistakes leading the list of threats.
- Despite rising concern, 52% of SMBs still rely on untrained internal staff or owners to manage cybersecurity.
- SMBs with a formal incident response plan were far more resilient, with 80% avoiding major damage during an attack.
Guardz’s latest SMB Cybersecurity Report lands at a moment when smaller organizations are quietly absorbing a disproportionate share of cyber pressure. The company’s new findings, published through PR Newswire and based on U.S. SMB responses, confirm what many Managed Service Providers (MSPs) have been sensing for years: smaller firms believe their risk is rising, but their ability to address it remains uneven.
The headline number is hard to ignore. Almost half of U.S. SMBs—43%—say they’ve already experienced a cyberattack. And 27% report being targeted just within the past 12 months. That’s not a blip; it’s a steady drumbeat of activity that many teams aren’t equipped to handle. Dor Eisner, CEO and Co‑Founder of Guardz, frames the shift plainly, noting that SMBs are confronting cyber threats as “daily risks” rather than hypothetical dangers. His point—that those trying to manage risk alone often lack expertise and tools—feels almost understated when placed next to the data.
One number in the report stands out as a kind of quiet proof: 80% of SMBs with a formal incident response plan avoided major damage during an attack. It’s a small detail, but it tells you a lot about how preparation levels separate companies that bounce back from those that falter.
Still, readiness gaps persist. Many of the basics—firewalls, email filters, endpoint protection—are present in only portions of the market. Guardz found that 58% use network firewalls, 52% rely on email or spam filtering, and 41% have endpoint protection. Those are foundational controls. Yet more than a quarter of SMBs say they don’t conduct regular penetration tests or security assessments, even as threats grow harder to detect. And 42% are concerned about outdated technologies, with healthcare organizations feeling that pressure most acutely. Anyone who has spent time in a mid-sized healthcare environment probably isn’t surprised; legacy systems linger because replacing them can disrupt patient workflows.
Phishing, ransomware, and employee mistakes continue to dominate the threat landscape. Nearly half of SMBs—45%—point to employee negligence as their top concern, especially in education. It raises a natural question: how do you strengthen a workforce when cyber training is often irregular or handled casually? Many SMBs don’t have the ability to create robust training programs internally, and owners frequently find themselves stretched thin, making “good enough” the default approach.
A majority of businesses—64%—report they recovered quickly from recent attacks, which is encouraging. But 3% faced severe and lasting damage, the sort of long-tail impact that can derail a small company for years. And yet, even with these experiences, 52% of SMBs still rely on an untrained internal employee or the business owner to manage cybersecurity. That’s where the conversation about MSPs becomes more than a sales pitch. For many SMBs, MSPs are effectively the only path to structured security operations. Guardz’s platform, which focuses on enabling MSPs to deliver protection to smaller clients, is positioned squarely in that gap.
Spending patterns add another layer of complexity. Half of SMBs increased their cybersecurity budgets this year, and 17% of them say the increase was significant. But even with that movement, the average per-user investment remains low. Sixteen percent of SMBs spend less than $50 per employee annually on cybersecurity. Nearly a third—31%—don’t know what their cybersecurity spend is at all. It’s an odd contrast: risk awareness is up, but investment clarity is foggy. Part of the story may be that cybersecurity costs are buried inside general IT budgets or handled piecemeal, especially in firms without dedicated security roles. A recent piece from the National Small Business Association notes that many small companies still track cybersecurity as an operating expense rather than a strategic one, which can distort how they perceive spending levels.
The rising concern reported by SMBs—80% say cybersecurity needs in their industry have increased, and 61% expect greater overall risks next year—suggests that more organizations are noticing gaps. But awareness doesn’t automatically translate into structured action. Even so, the demand trend is shifting the MSP landscape. When SMBs recognize they can’t assemble adequate internal coverage, they turn outward. A quick look at CompTIA’s MSP data shows steady growth in security-led service offerings, a trend that aligns with Guardz’s assertion that experienced partners matter more than ever.
There’s also a practical dimension that SMB leaders rarely say aloud: cybersecurity tasks often accumulate slowly until someone realizes they’re incomplete or misconfigured. Password resets, patch cycles, MFA rollouts, email filtering rules—these aren’t glamorous tasks, but lapses in any one of them can open the door to a breach. That’s where an MSP’s consistency becomes as valuable as its expertise.
Guardz’s report doesn’t try to turn these insights into sweeping predictions, and that restraint is useful. The numbers simply show a sector under strain, aware of its exposure, and trying to keep pace with increasing threats. But the report also hints at a baseline truth: SMBs that invest in structured preparation, particularly through incident response planning and partnership with trained providers, fare materially better than those handling security internally without support.
The story isn’t that SMBs are failing. It’s that many are operating with partial visibility and limited tooling, yet still expected to defend against the same classes of threats that hit large enterprises. The companies that close that gap—whether through MSPs, better processes, or clearer budgeting—seem positioned to handle the turbulence ahead.