Small businesses do not need a wall of scary numbers. They need a short list of metrics that change decisions: what attackers do most often, where money is lost, and which controls consistently break common intrusion paths.
These seven numbers come from high-authority sources and map directly to actions a small team can take.
Seven cybersecurity numbers worth tracking
1) $16 billion in reported losses
The FBI’s Internet Crime Complaint Center (IC3) reported losses exceeding $16 billion in its latest annual report. That figure covers only reported complaints, not total harm, yet it still shows the scale: cyber-enabled fraud and account compromise are a money problem, not just an IT problem.
Source: FBI IC3 2024 Annual Report (PDF).
2) 859,532 complaints in one year
IC3 also reported 859,532 complaints. Volume matters because it predicts how often your staff will see phishing, impersonation, and fake support messages that look legitimate.
Source: FBI IC3 2024 Annual Report (PDF).
3) 22% of breaches involved credential abuse
Verizon’s Data Breach Investigations Report (DBIR) highlights credential abuse as a top initial access path. For small businesses, this often means reused passwords, weak admin accounts, and password resets flowing through an insecure inbox.
Source: Verizon DBIR (latest).
4) 20% of breaches involved vulnerability exploitation
Vulnerability exploitation is not just a large-enterprise problem. Internet-facing services, remote access appliances, and unpatched web apps create a fast path to ransomware.
Source: Verizon DBIR (latest).
5) 30% of breaches involved third parties
Third-party involvement matters for small businesses because your exposure is not only your own network. It is payroll providers, IT vendors, accounting platforms, and any SaaS admin account your business relies on.
Source: Verizon DBIR (latest).
6) Ransomware was present in 44% of breaches
Ransomware is not just encryption. It is operational shutdown plus pressure, often combined with data theft. When ransomware is common, your best defense is to make restoration real: offline or immutable backups, tested restores, and identity controls that prevent repeat compromise.
Source: Verizon DBIR 2025 press release and DBIR report page.
7) $115,000 median ransom payment
Verizon reported a median ransom payment of $115,000. Even when a business does not pay, recovery costs can exceed the ransom through downtime, rebuild labor, and fraud disputes.
Source: Verizon DBIR 2025 press release.
What to do with these numbers
The numbers are not a strategy. Use them to prioritize controls that break the most common paths:
- Protect the control plane: email and admin accounts, with 2FA and strong passwords.
- Reduce vulnerability exposure: patch internet-facing systems fast and remove services you do not need.
- Assume third-party risk: limit vendor admin access and monitor critical SaaS logins.
- Make restores real: keep offline backups and test them.
- Train for phishing and impersonation and rehearse the first hour of an incident.
If you want a practical ransomware-focused control plan, start with the guides "How to protect your business from ransomware" and "Ransomware".
Small business security is not about perfect defense. It is about removing the cheapest paths for attackers and making recovery predictable. When identity and restore paths are hardened, the same threat landscape becomes survivable.
