The vast majority of US small businesses suffered a data or security breach over the past year, with many (38%) putting up their prices as a result, according to a new study from the Identity Theft Resource Center (ITRC).
The non-profit’s 2025 Business Impact Report is based on interviews with 662 owners or executives at businesses with under 500 employees.
ITRC president, James Lee, argued that the inflationary impact of breaches acts as a “hidden cyber tax” on consumers. He claimed the data should serve as a wake-up call to lawmakers and spark new public policy initiatives at a state and federal level to alleviate the financial burden of cyber-threats.
“This shadow tax creates a drag on the US economy, fuels inflation and places a disproportionate burden on the small businesses that generate jobs and sustain communities. These businesses, which generally lack the resources of their larger enterprise counterparts, are being forced to choose between investing in growth, keeping prices low and defending against an ever-present digital threat,” Lee said.
“The current landscape is not a fair fight. We are at a point where the resilience of our national economy is increasingly linked to the cybersecurity of our small business community.”
Of the 81% of small businesses that suffered a security or data breach, or both, over the past year, a sizeable share (41%) blamed AI-powered attacks. Breaches were also attributed to external threat actors (43%) and malicious insiders (42%).
The ITRC warned that AI is increasingly being used to generate hyper-realistic phishing emails, deepfake audio/video for business email compromise (BEC), adaptive malware and automated reconnaissance.
“The primary advantage of a malicious insider has always been their intimate knowledge of internal processes, communication styles and organizational hierarchies, allowing them to bypass defenses through trust and familiarity,” the report explained.
“AI tools now allow external actors to replicate this advantage at scale.”
People, Process and Technology
The report also noted a “dangerous disconnect” between how confident small business leaders are about their cyber-resilience and their adoption of security controls.
Even as the number of respondents who said they felt “very prepared” for an attack or breach plummeted from 57% last year to 38% in this report, implementation of multi-factor authentication (MFA) also fell, from 34% to 27%. Investment in new security tools was down 15% annually.
The ITRC advised small businesses to tackle the threat from AI-driven attacks by focusing on people, process and technology, as follows:
- Update security training so staff can spot AI-generated content and feel empowered to question unusual or urgent requests
- Implement and enforce a strict out-of-band verification policy for sensitive requests like financial transactions and changes to privileged account access
- Invest in modern, AI-powered cyber defenses that use behavioral analysis to identify anomalous activity on the network or endpoints, and look for AI-generated phishing content
