
4 May 2026 · Business Risk

Why Your Small Business Is a Bigger Cyber Target Than You Think

"We're too small to be a target" is the most dangerous assumption a business owner can make. Here is the reality of cyber attacks on UK small businesses.

If you run a small business in the UK, there is a good chance you think cyber criminals are not interested in you. You might assume they go after big corporations, banks, and government departments. That assumption is not just wrong — it is exactly what makes you an attractive target.

43% of all cyber attacks target small and medium-sized businesses. Not Fortune 500 companies. Not government agencies. Businesses like yours.

Here is why attackers actively target small businesses, and why the "too small to matter" mindset is putting your livelihood at risk.

The "too small to target" myth

Ask most small business owners about cyber security and you will hear some version of: "Why would anyone target us? We are just a small [accountancy firm / shop / consultancy / trades business]." This belief is widespread, and it is exactly what attackers count on.

The myth works like this: you assume you are safe because you believe attacks are targeted — that someone, somewhere, decides to attack your specific business. In reality, the vast majority of attacks are automated and indiscriminate. Bots do not care whether you are a five-person firm or a five-thousand-person corporation. They scan every website on the internet and attack whichever ones have vulnerabilities.

Think of it this way: a burglar walking down a street at night does not care which house they break into. They try every door and window. The one that opens is the one they enter. Your website is a house on that street, and automated bots are trying the doors and windows dozens of times every day.

Automated attacks do not discriminate

Modern cyber attacks are largely automated. Attackers use tools that scan the entire internet — every publicly accessible website, server, and connected device — looking for known vulnerabilities. These tools run continuously, 24 hours a day, 365 days a year.

Services like Shodan and Censys act as search engines for internet-connected devices. Anyone can use them to find websites running outdated software, servers with open ports, databases exposed to the internet, and devices with default credentials still in place. Attackers use these services to build lists of vulnerable targets, and then automated scripts attack them all at once.

Your website has been scanned by these tools already today. The bot found your site, checked for common vulnerabilities, and moved on — or logged your site as a potential target for later. This happens invisibly, in the background, without you ever knowing.

The misconceptions that leave you vulnerable

Three beliefs come up again and again when we talk to small business owners. All three are dangerous.

"We don't have valuable data." You almost certainly do. Customer names and email addresses are valuable. Purchase histories are valuable. Even basic contact forms collect personal data that is protected under the GDPR. If you have any customers, you have data worth stealing.

"Our hosting provider handles security." Your hosting provider keeps the server running. They patch the operating system and maintain the network. But they do not manage your website's code, your plugins, your admin passwords, your database configuration, or your file permissions. The vast majority of website vulnerabilities exist in the application layer — which is your responsibility, not your host's.

"We'd notice if something was wrong." Would you? The average time to detect a data breach is 197 days. Most website breaches do not cause visible changes. Attackers do not deface your homepage or take your site offline. They slip in quietly, take what they want, and leave. Your website continues to work perfectly while customer data is being exfiltrated.

What attackers actually want from your website

Understanding what attackers are after helps you understand why your small business is a target. Here is what they want:

Your customers' data. Names, email addresses, phone numbers, and any other personal information. This data gets sold on dark web markets, used for phishing attacks, or leveraged for identity theft. A database of 500 customer records has real monetary value to an attacker.

Your email reputation. If an attacker gains access to your email system or SMTP credentials, they can send spam or phishing emails that appear to come from your domain. Because your domain has built up reputation with email providers over years, these emails are more likely to reach inboxes instead of spam folders. Your reputation is a valuable asset that attackers want to exploit.

Your server resources. Attackers install cryptocurrency mining scripts on compromised servers. Your server runs their mining software, using your electricity and computing power to generate cryptocurrency for the attacker. You pay the hosting bill; they collect the proceeds.

Your site for SEO spam. Attackers inject hidden links, pages, and content into your website to boost other sites' search engine rankings. This can get your site penalised by Google, destroying your search visibility for months or years after you discover and remove the spam.

The numbers tell the story

The UK government's Cyber Security Breaches Survey provides a consistent picture year after year:

  • Approximately half of UK businesses reported experiencing a cyber security breach or attack in the last 12 months.
  • The average cost of a breach for a small business is £4,200, rising significantly when customer data is involved.
  • Among businesses that identified a breach, the most common attack vectors were phishing attempts, impersonation, and malware — all of which can be triggered through website vulnerabilities.

And the most sobering statistic: 60% of small businesses that suffer a significant cyber attack go out of business within six months. The combined cost of incident response, lost revenue, reputational damage, and potential fines is more than many small businesses can absorb.

Why prevention is cheaper than cure

Compare the costs. A security scan to identify vulnerabilities on your website takes minutes and costs nothing for a basic check. Ongoing monitoring that alerts you to new threats costs roughly the same as a business mobile phone contract.

Now compare that to the cost of a breach: £4,200 on average. Emergency incident response. Website rebuild. Customer notification letters. Potential ICO fines. Lost customers. Damaged reputation. Time spent dealing with the aftermath instead of running your business.

Preventing a breach is not expensive. Recovering from one is. The gap between those two costs is the best investment a small business can make in its own survival.

Most UK small business websites have at least five hidden security issues. An automated scan finds them in seconds. Run a free scan and see exactly what an attacker would see when they look at your website.
