Almost half (43%) of all US-based SMEs have already experienced a cyber attack.

This is the headline finding from a new report released by Guardz, which adds that 52% of SMEs still rely on an untrained internal staff member or the business owners themselves to manage critical security functions without support from professionals such as Managed Service Providers (MSPs).

This is despite the report finding that 80% of respondents believe the need for cybersecurity in their industries has increased over the past year and 61% anticipate greater overall cyber risks in the year to come.

“In 2025, SMEs are confronting the reality that cyber threats are no longer distant possibilities, but daily risks with the potential to disrupt or even destroy a business,” says Dor Eisner, CEO and co-founder of Guardz.

“This research confirms that businesses increasingly recognize the value of experienced service partners. Those that try to manage risk on their own lack the expertise, resources, and tools needed to stay resilient.

“The data shows that organisations with strong preparation, grounded in clear processes and trusted partners, are far better positioned to avoid disruption and maintain continuity.”

Persistent vulnerabilities

SMEs report ongoing challenges in defending against common threats, with phishing, ransomware, and employee mistakes topping the list. Nearly half (45%) of respondents cite employee negligence as their biggest cybersecurity concern, one that is particularly acute in the education sector.

While 43% of SMEs report they experienced a cyberattack in the past five years, 27% said they were targeted in the past 12 months.

A majority (64%) of business owners reportedly recovered quickly, though a small but significant number (3%) faced severe, lasting damage.

Other findings include:

  • 58% of SMEs use network firewalls, 52% employ email/spam filters, and 41% have endpoint protection.
  • 26% do not conduct regular penetration tests or security assessments.
  • 42% of SMEs are worried about outdated technologies, with healthcare businesses the most concerned.

Rising awareness, inadequate preparation

In a year marked by a fast-moving threat landscape, half of SMEs reported increasing their cybersecurity budgets, with 17% significantly increasing their spend.

The average investment per employee remains minimal: 16% of SMEs allocate less than $50 per user annually, and nearly a third (31%) of SME owners don’t know exactly how much they spend on cybersecurity at all.

Only 34% of SME owners have a formal incident response or continuity plan developed with a cybersecurity professional, and 27% lack cyber insurance altogether. In one-third (33%) of cases, the business owner personally handles alerts and incident resolution, which is both time-consuming and outside their expertise, leaving room for missteps and oversights.

An additional 13% of SMEs rely on untrained employees to handle alerts, reinforcing the operational fragmentation identified in the report.

 

A turning point for MSP engagement

As threats mount, SMEs are increasingly looking to external partners for help. According to the survey, the leading motivations for working with a managed service provider (MSP) are a fear of cyberattacks (52%) and a sense of responsibility to customers and stakeholders (40%).

While other factors were reported, compliance requirements, reduced cyber insurance premiums, and a growing need for specialised expertise stood out as the primary drivers.

The report reveals that 80% of SMEs with a formal incident response plan in place were able to avoid major damage during an attack, highlighting that preparedness, and working with professionals, determines resilience.