The National Cyber Strategy Has an SMB Problem
Key Highlights
- Cybersecurity experts warn small and midsize businesses are increasingly becoming the preferred entry point for AI-powered cyberattacks.
- Many SMBs lack the resources, staffing and expertise needed to defend against rapidly evolving phishing, malware and social engineering threats.
- What is needed is a more risk-directed federal cybersecurity strategy focused on practical protections, shared resources and AI security guidance for SMBs.
The weakest link in America’s digital economy isn’t a government agency or a major corporation. It’s the millions of small and medium-sized businesses increasingly finding themselves in cybercriminals’ crosshairs.
For the first time, the majority of SMBs rank cyberattacks as their top business threat, ahead of inflation, recession concerns, and workforce challenges (75%). They are not peripheral players. They form the foundation of the U.S. economy, making up 99.9% of all U.S. companies and employing nearly half the American workforce. Yet in the Administration's National Cyber Strategy, with its sharp focus on critical infrastructure and offensive cyber capabilities, they remain largely an afterthought.
That is a strategic blind spot America cannot afford.
If policymakers want to build a truly secure and resilient digital economy, they must place SMBs at the center of that effort.
The backbone of the U.S. economy and its weakest link
Across every sector of the U.S. economy, from professional services and financial activities to wholesale and retail trade, SMBs operate as suppliers, service providers and partners to larger enterprises, woven directly into broader systems and data flows. This connectivity drives growth, but it also expands the attack surface.
That exposure is being exploited. While large enterprises invest in mature cybersecurity programs, 84% of SMB owners still self-manage cybersecurity with limited resources, time and in-house expertise.
AI-powered attacks are escalating both the speed and sophistication of threats. Cybercriminals now automate reconnaissance, launch highly targeted phishing campaigns, and deploy adaptive malware that evolves in real time. Nearly half of SMBs report experiencing AI-generated phishing attacks in the past year, alongside AI-enabled adaptive, evasive malware (35%) and hyper-personalized social engineering (28%). Meanwhile, SMBs struggle to keep pace with manual patching, reactive monitoring, and disconnected tools. In fact, 42% say the speed of AI-driven attacks makes traditional human-driven patching and response times effectively obsolete.
The result: attackers increasingly treat SMBs as the path of least resistance into larger networks and supply chains.
A growing risk with human consequences
Cyberattacks don't just compromise data. They shut businesses down.
Half of SMBs expect to lose customers following a successful breach, while 48% anticipate reputational damage and 33% expect a decline in sales. Cyber incidents are already disrupting day-to-day operations: 73% report network outages, 58% experience website downtime, and 51% face point-of-sale failures.
For many SMBs, the margin for error is minimal. A single incident can halt operations, cut off revenue, and erode hard-earned trust. Forty percent say a breach costing $100,000 or less could force them to close permanently.
The impact extends beyond financial loss. Without dedicated security teams, owners and operators take on cybersecurity themselves, adding it to already demanding roles. This creates constant pressure: 66% report losing personal time, while 56% report increased anxiety tied to these responsibilities.
What began as a resource gap has become a human one. SMB leaders absorb the strain, leading to burnout, increased vulnerabilities, and fewer opportunities to focus on growth.
And it doesn’t stop there. When attackers compromise an SMB, the impact spreads to customers, partners, and supply chains, increasing risk across interconnected systems and the broader economy.
Aligning policy with reality: From awareness to risk-directed action
The National Cyber Strategy provides a framework to act. Now it needs to reach the businesses that need it most.
The strategy calls for stronger coordination between the government and the private sector, focusing on better defenses, improved information sharing, and greater investment in advanced technologies. But delivering on those priorities requires recognizing the central role SMBs play in today's threat landscape.
As leaders across government and industry implement this strategy, they must ensure it reaches SMBs in a meaningful and practical way. This starts with designing intuitive, cost-effective, and scalable solutions that reflect how SMBs actually operate.
Specifically, governments should prioritize a risk-directed approach to cybersecurity, one that focuses resources on identifying, assessing, and mitigating the threats most likely to disrupt critical operations. Three areas demand immediate attention:
1) Expand access to shared cybersecurity resources for SMBs
Cyber risk has outpaced the capacity of individual business owners and small internal teams. Governments can help close this gap by funding shared security resources and creating public-private partnerships that extend enterprise-grade protection to SMBs.
2) Establish clear minimum standards and validated toolsets
Not every alert carries the same level of risk, and SMBs often lack the guidance to prioritize effectively. Governments can support better outcomes by defining baseline cybersecurity standards, endorsing vetted toolsets, and promoting frameworks that help SMBs focus their limited time and budget on the risks most likely to disrupt operations.
3) Set practical AI cybersecurity guidelines for SMB adoption
Static rules and manual responses cannot keep up with modern threats. Governments can accelerate safe adoption by establishing clear AI governance frameworks, setting minimum standards for AI-driven security tools, and ensuring SMBs have access to trusted, compliant technologies that improve detection and response.
SMBs that move beyond fragmented, reactive approaches and align their cybersecurity strategies with real-world risk will be better positioned to withstand and recover from attacks. But they cannot get there alone.
A secure digital economy is only as strong as its most vulnerable participants. Right now, that vulnerability runs directly through America's small businesses.
The National Cyber Strategy has an opportunity to change that. But opportunity without action is just exposure by another name. The risks are compounding, the threats are accelerating, and the window to act is narrowing. Federal leadership on SMB cybersecurity isn't optional. It's the deciding factor.
About the Author
Kevin Pierce
President and COO, VikingCloud
Kevin Pierce is VikingCloud’s President and Chief Operating Officer and has been with VikingCloud since 2016. Prior to this role, Kevin was VikingCloud's Chief Product Officer, leading product development, service delivery, consulting, and managed security testing teams as they leveraged machine learning and artificial intelligence to deliver next-generation cybersecurity. Over 30 years in the technology space, Pierce designed and built highly scalable cloud systems for secure data exchange, supply chain optimization, and cybersecurity across multiple industries. He also co-founded two technology companies that each grew to hundred-million-dollar valuations prior to exit.


