Small businesses are now the main target of ransomware, and most are underprepared. In Verizon's 2025 Data Breach Investigations Report, ransomware appeared in 88% of breaches at small and midsize businesses and in 44% of all breaches, up 37% year over year. Recovery is costly even when the data comes back: Sophos put the average ransomware recovery cost at $1.5M, before any ransom. The control with the strongest evidence behind it, multi-factor authentication, blocks more than 99.9% of automated account-compromise attacks (Microsoft), yet stolen or abused credentials remain the most common way in. This report combines the 2025-2026 data from Verizon, Sophos, Microsoft, IBM, Coalition, ConnectWise, Huntress, and CISA to show where MSP and SMB readiness stands, and what closes the gap.
Source: Top IT MSP synthesis of 2025-2026 research from Verizon, Sophos, Microsoft, IBM, Coalition, ConnectWise, Huntress, and CISA · Reviewed by the Top IT MSP research team · Updated July 2026
88% of SMB data breaches involved ransomware (Verizon 2025 DBIR)
$1.5M average cost to recover from ransomware, before any ransom (Sophos 2025)
99.9% of automated account-compromise attacks blocked by MFA (Microsoft)
Ransomware now lands on small businesses first
Ransomware now hits small businesses harder than large ones. Verizon's 2025 Data Breach Investigations Report found ransomware in 88% of confirmed breaches at small and midsize businesses, against 44% across organizations of every size. That 44% is up 37% year over year, so the technique is spreading, not fading. The reason is economic: attackers have learned that a small firm with thin defenses is faster to breach and more likely to pay than a hardened enterprise.
Providers see the same shift. ConnectWise's 2025 threat research describes ransomware groups deliberately moving down-market to smaller organizations with less robust defenses, and reaching many of them at once by compromising the tools those businesses rely on. For the roughly 33 million small businesses in the United States, that changes the question from "are we big enough to be a target" to "are our controls good enough to not be the easy one."
Attackers log in, they do not break in
The most common way in is a valid login, not a break-in. In the 2025 DBIR, credential abuse was the single most common initial access vector at 22% of breaches, with vulnerability exploitation close behind at 20%. Sophos, looking only at ransomware victims, ranked those two the other way round: in The State of Ransomware 2025 (a survey of 3,400 IT and security professionals across 17 countries), the number-one root cause of attacks was an exploited vulnerability, and 63% of victims pointed to a lack of people or skills as a contributing factor. Either way, the entry point is a gap in basic hygiene, an unprotected login or an unpatched system, rather than novel malware.
Once inside, attackers stay quiet and use legitimate tools. Huntress reported that remote access trojans showed up in 75% of the incidents it investigated in its 2025 Cyber Threat Report, letting intruders operate as if they were the user. Stopping the login in the first place is therefore the highest-value move, and the evidence for multi-factor authentication is the strongest of any control: Microsoft found that MFA blocks more than 99.9% of automated account-compromise attacks, and that almost every compromised account lacked it. A stolen password is only useful if it is the only thing standing in the way. One caveat: that figure covers automated, password-based attacks. Against real-time phishing that relays a one-time code, or push-notification fatigue, phishing-resistant methods such as FIDO2 security keys or passkeys are the ones that hold.
The readiness gap is people and process, not just products
The biggest gap is people and process, not the tool budget. In ConnectWise's State of SMB Cybersecurity in 2025, 83% of small and midsize businesses said AI and generative AI raise their threat level, yet only 51% had put matching security policies and practices in place. That 32-point gap between concern and action is the readiness problem in one number. It shows up elsewhere too: 57% called cybersecurity their top organizational priority, and 58% spent more on it in 2024 than they had planned, which signals reactive, unplanned spending rather than a managed program.
Money alone does not close the gap. Sophos found that 63% of ransomware victims blamed a shortage of people or skills, which is precisely the shortage a managed IT provider is built to fill. The controls that stop most attacks, such as MFA everywhere, fast patching, monitored endpoint detection, and tested backups, are well understood. What small businesses lack is the staff and the process to run them every day.
The threat picture in five numbers
The table below pulls the most decision-useful figures from the 2025 research into one view. Each is drawn from the primary source named in the final column.
| Signal | 2025 data | Source |
|---|---|---|
| SMB breaches involving ransomware | 88% | Verizon DBIR |
| All breaches involving ransomware | 44% (up 37% YoY) | Verizon DBIR |
| Breaches involving a third party | 30% (doubled YoY) | Verizon DBIR |
| Average ransomware recovery cost | $1.5M (before ransom) | Sophos |
| Global average data-breach cost | $4.44M (down 9%) | IBM |
Sources: Verizon 2025 Data Breach Investigations Report; Sophos The State of Ransomware 2025; IBM Cost of a Data Breach Report 2025.
What a breach actually costs
A breach is expensive even when the ransom is small. IBM's Cost of a Data Breach Report 2025 put the global average at $4.44M, down 9% year over year but still a company-ending number for most small firms. Ransom demands are actually falling: Coalition's 2025 Cyber Claims Report recorded average demands dropping 22% year over year to $1.1M, with claim severity down 7%. The demand is the visible part of the bill, not the whole bill.
The rest is downtime, lost data, and recovery labor, which is why Sophos measured $1.5M in average recovery cost before any ransom is counted. For a 25-person business, that combination of lost billable days, emergency response, and rebuilt systems is the figure that closes companies, not the headline ransom. Cyber insurance now reflects this reality by requiring baseline controls, and MFA has become a near-universal condition of coverage.
MSPs are both the target and the answer
Managed IT providers are now a primary target because one breach reaches many clients. CISA, the FBI, and the NSA, alongside international partners, issued a joint advisory warning that attackers, including state-sponsored groups, are stepping up their targeting of MSPs to reach downstream customers. That warning is not theoretical: CISA reported ransomware actors exploiting unpatched SimpleHelp remote-management software to compromise a provider and its customers from January 2025 onward. Verizon's finding that 30% of breaches now involve a third party, double the prior year, is the same story from the data side.
The flip side is the opportunity. A capable MSP is the fastest way for a small business to close the readiness gap, because it supplies the people, the process, and the round-the-clock monitoring that most SMBs cannot staff alone. The gap is real, but it is fixable, and the provider a business chooses is now a security decision as much as an IT one. That raises the bar for MSPs too: buyers should expect their provider to run the controls in the checklist below, not just sell them.
The 2026 readiness checklist, and the data behind it
The controls that stop most attacks are consistent across every source in this report. The table maps each control to the evidence for why it matters.
| Control | Why it matters | Source |
|---|---|---|
| MFA on every account | Blocks more than 99.9% of automated account-compromise attacks; missing on nearly all compromised accounts | Microsoft |
| Fast patching and vulnerability management | Exploited vulnerabilities were the number-one root cause of ransomware | Sophos |
| Monitored endpoint detection (EDR/MDR) | Remote access trojans appeared in 75% of investigated incidents | Huntress |
| Tested backups and a recovery plan | Average recovery cost reached $1.5M even when data was restored | Sophos |
| Vendor and RMM-tool hardening | 30% of breaches involved a third party; MSP tools were actively exploited | Verizon, CISA |
| Security-awareness training | Stolen credentials were the top initial access vector at 22% | Verizon |
A control is only as good as the process that runs it. Each item above is standard practice for a mature managed IT program.
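The checklist above is easy to list and hard to prove. One way to turn it into something a provider can show rather than claim is a recurring audit over inventory exports. The script below is an added example, not part of the original report or of any vendor's tooling: it applies the six controls to a constructed sample inventory (accounts, endpoints, backup sets, RMM tools). The field names, the thresholds (30-day patch age, quarterly restore test, annual training) and the sample records are assumptions; in practice the lists would come from the identity provider, the RMM and the backup platform.

```python
"""Readiness audit: apply the six-control checklist to an asset inventory.

Added example, not from the original report. All inventory below is
constructed sample data; field names and thresholds are assumptions that a
real MSP would replace with exports from its identity, RMM and backup tools.
"""
from datetime import date, timedelta

# Policy thresholds (assumptions; tune to your own standard).
MAX_PATCH_AGE_DAYS = 30        # fast patching: no endpoint further behind than this
MAX_BACKUP_TEST_AGE_DAYS = 90  # tested backups: a restore test at least quarterly
MAX_TRAINING_AGE_DAYS = 365    # awareness training: at least annually

# Constructed sample inventory (not real data). Dates are fixed so the run is repeatable.
AS_OF = date(2026, 7, 1)
ACCOUNTS = [
    {"user": "alice", "mfa": True,  "admin": True,  "last_training": date(2026, 3, 1)},
    {"user": "bob",   "mfa": False, "admin": False, "last_training": date(2024, 11, 15)},
    {"user": "carol", "mfa": False, "admin": True,  "last_training": date(2026, 1, 10)},
]
ENDPOINTS = [
    {"host": "fs01",  "last_patched": date(2026, 6, 20), "edr": True},
    {"host": "wks17", "last_patched": date(2026, 6, 10), "edr": False},
]
BACKUPS = [
    {"set": "file-server", "offline_copy": True,  "last_restore_test": date(2026, 5, 1)},
    {"set": "m365",        "offline_copy": False, "last_restore_test": None},
]
RMM_TOOLS = [
    {"name": "rmm-console", "internet_exposed": True, "mfa": False, "patched": False},
]


def _older_than(when, max_days, as_of):
    """True when `when` is missing or more than max_days before as_of."""
    return when is None or (as_of - when) > timedelta(days=max_days)


def audit(accounts, endpoints, backups, rmm_tools, as_of):
    """Return {control: [offending item, ...]}; an empty list means the control passes."""
    return {
        "MFA on every account": [a["user"] for a in accounts if not a["mfa"]],
        "Fast patching": [e["host"] for e in endpoints
                          if _older_than(e["last_patched"], MAX_PATCH_AGE_DAYS, as_of)],
        "Monitored endpoint detection": [e["host"] for e in endpoints if not e["edr"]],
        # A backup counts as "tested" only if it has an offline/immutable copy
        # and a restore was actually exercised within the window.
        "Tested backups": [b["set"] for b in backups
                           if not b["offline_copy"]
                           or _older_than(b["last_restore_test"], MAX_BACKUP_TEST_AGE_DAYS, as_of)],
        # Unpatched RMM, or RMM reachable from the internet without MFA, is a finding.
        "RMM-tool hardening": [t["name"] for t in rmm_tools
                               if not t["patched"] or (t["internet_exposed"] and not t["mfa"])],
        "Security-awareness training": [a["user"] for a in accounts
                                        if _older_than(a["last_training"], MAX_TRAINING_AGE_DAYS, as_of)],
    }


def score(findings):
    """Number of controls with no findings, out of six."""
    return sum(1 for items in findings.values() if not items)


def admin_without_mfa(accounts):
    """Privileged accounts lacking MFA: the first thing to fix after a failed audit."""
    return [a["user"] for a in accounts if a["admin"] and not a["mfa"]]


if __name__ == "__main__":
    result = audit(ACCOUNTS, ENDPOINTS, BACKUPS, RMM_TOOLS, AS_OF)
    for control, items in result.items():
        status = "PASS" if not items else "FAIL"
        print(f"{status}  {control}: {', '.join(items) or '-'}")
    print(f"{score(result)}/6 controls passing; fix first: {admin_without_mfa(ACCOUNTS)}")
```

Run as-is, it reports one passing control (patching) and five with findings, and singles out the admin account without MFA as the first fix. The useful property is that the output is evidence: a buyer can ask the provider to run the same audit monthly and show the trend, which is the "show how they operate the controls" test the next section asks for.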
How to use this report
Treat this as a readiness baseline, not a scare. Run the six-control checklist against your own environment first, then against any MSP you are considering, and ask each provider to show how they operate the controls day to day rather than simply listing them. If you want to compare real providers in your city on verified ratings and services, browse the Top IT MSP city directory. To see how we vet and rank providers, read our evaluation process.
Methodology and sources
This report is a synthesis of published, third-party research from recognized authorities, not a Top IT MSP survey. We selected the most recent primary reports available as of July 2026, verified each headline figure against the publisher's own materials, and cite every number to its source. Figures are presented as reported by each publisher.
- Verizon, 2025 Data Breach Investigations Report (ransomware share of breaches, initial access vectors, third-party involvement).
- Sophos, The State of Ransomware 2025 (recovery cost, root causes, people and skills gap; survey of 3,400 professionals).
- Microsoft, MFA blocks 99.9% of account-compromise attacks (effectiveness of multi-factor authentication).
- IBM, Cost of a Data Breach Report 2025 (global average breach cost).
- Coalition, 2025 Cyber Claims Report (ransom demands and claim severity).
- ConnectWise, The State of SMB Cybersecurity in 2025 (SMB priorities, AI-threat and policy gap).
- Huntress, 2025 Cyber Threat Report (remote access trojans and attacker tooling).
- CISA, FBI, and NSA, joint advisory on threats to MSPs and their customers (targeting of managed service providers).
Frequently asked questions
Are small businesses really targeted by ransomware?
Yes. In Verizon's 2025 Data Breach Investigations Report, ransomware was present in 88% of breaches at small and midsize businesses, a higher share than at large enterprises. Ransomware appeared in 44% of all breaches, up 37% year over year. Attackers favor smaller organizations because their defenses are often thinner.
Does multi-factor authentication actually stop attacks?
Yes. Microsoft found that MFA blocks more than 99.9% of automated account-compromise attacks, and that almost all compromised accounts did not have it enabled. Because stolen or abused credentials were the most common initial access vector in 2025 breaches, MFA is the single control with the strongest evidence behind it.
Why are managed IT providers (MSPs) a target?
One breach of an MSP can reach many downstream customers, which makes providers a force multiplier for attackers. CISA, the FBI, and the NSA have issued a joint advisory warning of increased targeting of MSPs, and ransomware actors have exploited MSP remote-management tools such as SimpleHelp since January 2025. A well-run MSP is also the fastest way for a small business to close its readiness gap.
How much does a data breach cost a small business?
IBM put the global average cost of a data breach at $4.44M in 2025, down 9% year over year. Even with the ransom set aside, Sophos measured the average ransomware recovery cost at $1.5M. For a small business, downtime, lost data, and recovery labor usually dwarf the ransom itself.