Another reason why costs are so high today is cybercrime.
A study by the Identity Theft Resource Center, a San Diego-based education and victim resource nonprofit, found that 38% of small businesses that were victims of cyber fraud or breaches in the past 12 months passed the losses on to customers by raising prices.
Another important finding is that cybercrime against small and medium-sized businesses is increasingly fueled by artificial intelligence.
“The era of predictable, human-scale threats is giving way to a new reality of automated, intelligent, and highly scalable attacks powered by AI,” the report says, discussing trends in threats, defenses, and attacks. It also provides detailed recommendations on network and application security, data protection, and employee and contractor practices. (This survey was conducted in August among more than 650 companies in more than a dozen industries.)
Eva Velasquez, CEO of the Identity Theft Resource Center, said the results are a stark reminder that hackers are not picky. They exploit data and funds from everyone, including large corporations, small businesses, and individuals.
“When you think about risk, it’s really about every company,” Velasquez said. From mom-and-pop shops to large corporations, “everything is attractive to hackers.” Small businesses sometimes don’t pay enough attention to cybersecurity. “Because they think they’re not vulnerable. They’re thinking, ‘Well, why would someone target me?’”
Not only are they targeted, but they are also successfully compromised multiple times a year. The most common pattern was two or three breaches in a 12-month period. An additional 34% experienced one breach, and nearly 12% experienced four or more breaches.
One encouraging change is that the percentage of companies with one or two breaches has increased since 2024, while the percentage of companies with three or more breaches has decreased. Perhaps companies have improved their cybersecurity protocols after the first or second breach.
But the report says the fact that a company was attacked only once says something about the methods of cyber attackers.
“Threat actors appear to be focused on opportunistic, high-volume attacks. This changes the risk calculus (for small and medium-sized businesses), changing the primary challenge from defending against a determined and persistent adversary to repelling a continuous wave of single-shot attacks from many sources.”
The nonprofit helps individuals free of charge, but in some cases businesses pay fees for its services, and those fees are used to fund the free services. Although the nonprofit faced a significant drop in federal funding last year, it remains financially strong thanks to private donors and unclaimed damages from a class action settlement, Velasquez said.
“Our services continue to be available at the same level they were before the changes to the federal grant process/availability,” Velasquez said.
AI attacks are on the rise
Four out of five small businesses report having suffered a security or data breach in the past 12 months. This statistic is unchanged from a year ago.
But with AI taking center stage, the nature of these attacks has changed.
According to the report, past research into small and medium-sized businesses that have experienced cyber or data breaches has found that insecure cloud environments, ransomware, hackers, malicious employees or contractors, missteps by remote workers, software flaws, and attacks on third-party vendors were factors that contributed to the incidents.
As recently as 2024, AI wasn’t even cited as a cause.
However, in 2025, 41% of small business victims say AI is the root cause of recent attacks.
According to the report, generative AI can create “highly personalized social engineering attacks that mimic the tone and context of legitimate internal communications.”
Velasquez said hackers are now launching larger automated attacks that cover a wider area.
In cybercrime, AI is the great equalizer. Generative AI can be used by unsophisticated criminals to perform sophisticated fraud.
“These tools are effectively democratizing advanced attack capabilities that were once the domain of highly skilled attackers,” the report said.
Among the causes of data and cyber breaches, remote work saw the largest percentage decrease in 2025 compared to 2024. This makes sense as employees are returning to the office. All other sources of attack have also declined, perhaps as fraudsters and data thieves have turned to AI.
AI has been added to the list, making some causes less prevalent, but they haven’t disappeared.
Pay the price
When a small business suffers a breach or fraud, the financial impact can include lost revenue, legal costs, fines, insurance, marketing and security reviews, and more.
When you add these costs together, the study found that 37% of businesses lost more than $500,000 per incident last year. A quarter lost up to $250,000, and another quarter lost between $250,000 and $500,000.
To recover costs, companies used cash reserves, sought funding from investors, cut staff, and took advantage of credit and cyber insurance. They also adopted a new strategy: 38% increased prices.
“This represents significant inflationary macroeconomic spillovers that result directly from the worsening cyber threat environment for small businesses,” the report said.
One reason for this change may be the increased difficulty in obtaining other sources of funding. The proportion of investor funding to respond to cyber and data breach incidents in 2025 decreased compared to 2024. Additionally, fewer businesses relied on cyber insurance, with nearly a quarter saying they had difficulty obtaining or renewing cyber insurance after a breach. “This suggests that as the frequency and cost of claims rise, insurers are responding by adjusting their underwriting standards.”
In 2025, 18% of companies cut staff as a way to offset losses from cybercrime, down from 27% in 2024.
Reduced reliance on insurance and investors and fewer layoffs after cyber breaches may each, or all together, have contributed to the price increases.
Loss prevention
What sensitive data did the criminals sneak away?
Employee data was most commonly accessed in breaches, followed closely by both customer data and corporate IP.
To combat this, some companies have deployed powerful tools, but the study also uncovered some disturbing trends. “The implementation of important security measures such as multi-factor authentication is decreasing.” One reason, the report says, is that company leaders are so overwhelmed that they “ignore the fundamentals of effective defense.”
Velasquez and her nonprofit urge companies to continue to study known and evolving threats and continue to adapt their cybersecurity practices.
“MFA is the most important access control that [SMEs] should implement,” the report states. MFA stands for multi-factor authentication, a security checking system that requires requests to access secure information to be vetted through multiple independent channels. MFA “makes it significantly more difficult for attackers to use stolen passwords.”
Examples of these include free authentication apps (such as Google Authenticator), SMS codes sent to a user’s phone when they try to log in using their password, and physical hardware tokens.
The report cites an “astonishing decline in the adoption of MFA in internal systems, from approximately 33% in 2024 to approximately 27% in 2025.” This “represents a critical and high-priority vulnerability that SB must address immediately.”
“Changes in society”
“Even really good companies with robust cybersecurity can still experience a breach,” Velasquez said. “That doesn’t automatically indicate negligence.”
But companies with less robust cybersecurity are at far greater risk.
This report contains six pages of tips for preventing cyber and data breaches and combating AI-powered attacks. These range from the type of training a company should provide, to how to configure firewalls, best practices for data encryption, and more.
While small businesses need to strengthen their defenses, Velasquez also made a pitch to consumers: Don’t ignore companies that are taking steps to protect your data, even if it’s a nuisance.
The overwhelming 4-second delay before a confirmation text message arrives and the extra screen taps associated with using an authenticator app are signs that companies are doing things right.
“One of the tensions we have is convenience and security. And businesses are fighting this tension between, ‘I have to be safe, but I have to make people jump through hoops to prove who they are to protect their data, their accounts, their information.’ And individuals think, ‘I want convenience.’”
“If there’s a shift in society where we understand that a little bit of friction, a little bit of inconvenience is actually good for us,” she says.
Velasquez added that companies that require this are the ones to do business with, “because you know they’re taking steps to protect you and your data.”
