First, the good news: Small business owners have woken up to a hard truth: Cybersecurity isn’t just a big business problem anymore. As digital tools become essential to daily operations—whether it’s managing payroll, processing payments, or communicating with customers—cyber threats have long loomed over Main Street. Phishing scams, ransomware attacks, and data breaches target smaller companies with increasing frequency, and the damage can be devastating.
Now, the not-so-good news: Awareness is growing, but action hasn’t always kept pace.
While large corporations have dedicated IT departments and cybersecurity budgets, small business owners often juggle security alongside other priorities. Many still lack formal protocols, employee training, or even basic safeguards like two-factor authentication. The result is a widening gap: small businesses recognize the risk but remain vulnerable.
CrowdStrike just released its CrowdStrike State of SMB Cybersecurity Survey, revealing a widening gap between cybersecurity awareness and real protection among SMBs. Which is progress…but not enough.
Jon Rat, the co-founder and CEO of Archy, got a sneak peek at the report and notes, “These findings really hit home. Like a lot of small businesses, we know cybersecurity is important, but it’s tough to navigate all the options when you’re also trying to run a company day-to-day. Time, budget, and expertise are always limited, making it hard to move from awareness to real action. What this survey shows is that we’re not alone and that SMBs need more support and clearer guidance.”
Is this what’s holding SMBs back when so much is at stake? To learn more, I turned to Lisa Campbell, VP of SMB at CrowdStrike.
Rieva Lesonsky: In the past, many SMBs were unaware of the cybersecurity threats that could cost them their businesses. Now, the CrowdStrike State of SMB Cybersecurity Survey shows that 94% of those surveyed claim to be “knowledgeable” about these threats. That’s astonishing to me.
Are they actually that aware? If so, why do so many SMBs “fall short on training, tools, and consistent execution of their security strategy?”
Lisa Campbell: It’s true awareness among small businesses has grown significantly. They’re reading headlines about breaches and ransomware attacks, and they know that cyber threats are real and are not exclusive to the Fortune 500.
But knowing the risks and knowing how to respond to them are two very different things. We often see that even though SMBs say they’re “knowledgeable,” they may not have the experience or the resources to put that knowledge into practice. That’s where the gap really shows—according to our survey, only 11% are using AI-powered defenses, and fewer than half are regularly training employees.
It’s not a lack of concern—it’s a lack of capacity. They’re juggling a dozen priorities, and cybersecurity can easily fall behind when it feels too complex or out of reach.
Lesonsky: Small businesses seem to lack security plans. What are some ways to break through to them about how essential it is to develop a sound security strategy? What are some reasons that are holding them back? Lack of knowledge? Budget? Time?
Campbell: For the smallest businesses, just keeping the lights on can be a full-time job. Owners and IT leads wear a lot of hats, and cybersecurity often gets pushed down the list until something goes wrong. What holds them back isn’t just budget—it’s time, competing priorities, and not knowing where to start. That’s where we have to meet them. That means [offering] solutions that are affordable and scalable, with the flexibility to fit into their businesses as they grow. But just as important is giving them the right kind of support—practical guidance and tools that work out of the box. Security shouldn’t slow a business down—it should enable it to grow safely.
Lesonsky: I was also surprised that businesses with fewer than 25 employees are hardest hit by ransomware attacks. What do cybercriminals want from those businesses? Your report shows these SBOs rank ransomware attacks as low on their perceived threats. How can they avoid ransomware attacks?
Campbell: Cybercriminals are opportunistic—they go after the easiest targets. And for many attackers, that means going down-market. Smaller businesses often lack strong defenses, and attackers know it. A ransomware payment from a 10-person company may not make headlines, but if you can hit hundreds of them in a short time period, it adds up fast. Unfortunately, many of the smallest business owners still think, “We’re too small to be a target,” and that leaves them exposed.
Education is key here. Helping even the smallest SMBs understand that they are targets and that proactive measures like multi-factor authentication, secure backups, and AI-powered endpoint protection can help stop threats before they become business-disrupting attacks.
Lesonsky: The report shows SMBs want guidance and are overwhelmed by all the security tools available to them. Where can SMBs go for guidance? Do SMBs need more available resources? What form would that take?
Campbell: Most small businesses turn to someone they trust—whether that’s an IT consultant or a peer recommendation. The problem is—the market is saturated with tools that sound similar, and it’s hard to know what really works. That’s why nearly 70% of SMBs in our report said they rely on outside recommendations to guide their decisions.
There’s definitely a need for more tailored resources: side-by-side comparisons, quick-start guides, real case studies, and interactive demos that help them make confident decisions. At CrowdStrike, we see it as our responsibility not just to provide great tools but to make it easier for SMBs to choose and use them effectively.
Lesonsky: Anything else you’d like to add?
Campbell: Cybersecurity is a core part of running a successful business—it’s not just an IT issue—it’s a business resilience issue. Small and medium-sized companies are navigating complex challenges with limited resources, and they deserve security solutions that work for them, not against them.
At CrowdStrike, we’re committed to helping SMBs protect what they’ve built with powerful, easy-to-use, and cost-effective tools. Falcon Go was designed specifically with their needs in mind, to give growing businesses the confidence and protection they need to stay ahead of threats and focus on growth.
Rieva Lesonsky is President of Small Business Currents, LLC, a content company focusing on small businesses and entrepreneurship. While you can still find her on Twitter @Rieva, you can also reach her @Rieva.bsky.social and LinkedIn. Or email her at Rieva@SmallBusinessCurrents.com.
