A 2025 Mastercard survey of more than 5,000 small business owners found that one in five businesses that experienced a cyberattack went bankrupt or permanently closed. The 80 percent who survived shared something in common: they had either prepared for the attack’s aftermath before it happened, or they absorbed costs that most businesses could not. The difference between those two outcomes is measurable, predictable, and largely within your control.
What the Survival Gap Actually Looks Like
The 20 percent failure rate among attacked small businesses is not evenly distributed. Businesses that fail after a cyberattack share identifiable characteristics: they were operating without tested backups, they had no documented recovery procedures, and they discovered their cyber insurance either didn’t cover the specific incident type or had coverage limits that didn’t match actual recovery costs. The attack itself was often not the cause of closure. The absence of preparation was.
IBM’s 2025 Cost of a Data Breach Report puts the average cost of a ransomware incident at $4.4 million in total, over 38 times the average ransom demand of $115,000. That multiplier matters: a business that pays the ransom and assumes it has recovered has covered only a small fraction of its total cost. The remaining roughly $4.3 million comes from operational downtime, data restoration, legal fees, regulatory penalties, customer notification obligations, and the staff time consumed by response and recovery.
A widely repeated claim holds that 60 percent of businesses hit by a major cyberattack close within six months. That figure is far higher than the one-in-five rate in the Mastercard survey above, but the timeline it describes matters regardless of the exact rate, because most of the costs don’t arrive immediately. Customer churn happens over weeks. Regulatory investigations happen over months. Litigation from affected parties may not resolve for years. A business that appears to have survived an attack in the first 30 days may still be absorbing damage that manifests as closure by month six.
The Five Controls That Separate Survivors from Non-Survivors
Control 1: Offline, encrypted, tested backups. The most consistent differentiator between businesses that recovered and those that didn’t was backup integrity. Organizations with offline backups, stored where ransomware that has the run of the network cannot reach them, and with a restore confirmed within the past 90 days, recovered in days. Those whose backups sat on the same network, were never encrypted (so attackers who reached them could read and leak the data along with the production copy), or were never tested discovered their safety net didn’t exist when they needed it most. The word tested is doing real work here: a backup job that reports success proves only that something was written, not that it can be restored.
Control 2: Multi-factor authentication on all remote access systems. Twenty-three percent of 2025 attacks entered through compromised credentials. Every system that can be accessed remotely, including email, VPN, remote desktop, and cloud applications, should require a second factor beyond a password. This single control blocks most attacks that rely on a stolen or guessed password alone, including passwords obtained from prior third-party breaches your employees may not know occurred. It is not a complete defense: SMS codes and push approvals can be phished in real time or worn down with repeated prompts, so where the option exists, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, starting with administrator, finance, and email accounts.
Control 3: A documented incident response plan. Businesses that had a documented response plan, even a simple one, recovered faster and at lower cost than those improvising their response under pressure. The plan does not need to be sophisticated. It needs to answer four questions: who do we call first, which systems do we isolate (disconnect from the network, but do not wipe or rebuild until your insurer and any forensic responders agree, because the evidence is needed), how do we communicate with customers and employees, and what is our recovery priority order? Write those answers down before you need them.
Control 4: Cyber liability insurance with coverage limits that reflect actual costs. Coverage limits set on the perceived value of what’s being protected, such as the server or the software, rather than the full scope of incident costs routinely leave businesses underinsured. A business with $500,000 in annual revenue might carry $250,000 in cyber coverage and face $1.8 million in recovery costs. Work with your broker to calculate coverage based on your actual recovery scenario, not on asset replacement value. Many carriers now also condition coverage, or the price of it, on controls such as MFA and offline backups, so the controls above affect whether a claim is paid, not only whether an attack succeeds.
Control 5: Regular patching of all business-critical software. Thirty-two percent of 2025 attacks exploited unpatched vulnerabilities. Monthly patching of operating systems, business applications, and network devices removes the bulk of the known vulnerabilities attackers actually exploit. Two refinements matter: anything reachable from the internet (VPN appliances, firewalls, remote desktop gateways, public-facing web servers) is often exploited within days of a vulnerability becoming public and needs patching on that timescale rather than monthly, and a patch only counts once the device has been rebooted or the service restarted. This control requires consistent execution over time, not sophisticated tools.
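What “tested” means in practice is a restore to a scratch location followed by a file-by-file comparison against the original, not a green checkmark in the backup software. The script below is an added example written for this article (it is not from the Mastercard survey, the IBM report, or any backup vendor): it backs a directory up to a compressed archive, restores it somewhere that is never the live system, proves the restore by comparing SHA-256 hashes of every file, applies the article’s 90-day rule to the date of the last successful test, and shows that a corrupt (here, truncated) archive is caught by the test rather than discovered mid-incident. The sample files, the dates, the archive format, and the 90-day window are all assumptions made for the demonstration.

```python
"""Backup restore test: added example, not code from the article or any vendor.

Back a directory up to a tar.gz, restore it into a scratch directory, and
prove the restore by hashing every file. Sample data, dates and the 90-day
window are assumptions for the demonstration.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from datetime import date, timedelta
from pathlib import Path

STALE_AFTER = timedelta(days=90)  # assumed policy: an older successful test does not count


def sha256_tree(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root; the manifest a restore is checked against."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write source to a gzipped tar and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return sha256_tree(source)


def restore_and_verify(archive: Path, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Restore into a fresh temp dir (never onto production) and compare hashes.

    Returns (ok, problems). An archive that cannot be read, or that restores to
    different bytes, is a failure; only a hash-for-hash match counts as tested.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12+ (and patched 3.8-3.11) reject path-traversal members via the data filter
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"restore failed: {type(exc).__name__}: {exc}"]
        restored = sha256_tree(Path(scratch))
    for name, digest in manifest.items():
        if restored.get(name) != digest:
            problems.append(f"mismatch or missing: {name}")
    problems.extend(f"unexpected file: {name}" for name in restored if name not in manifest)
    return not problems, problems


def restore_test_is_stale(last_success: date | None, today: date) -> bool:
    """True when no restore test has succeeded within STALE_AFTER."""
    return last_success is None or today - last_success > STALE_AFTER


def run_demo() -> dict:
    """Constructed sample data: a good archive and a deliberately corrupted copy of it."""
    with tempfile.TemporaryDirectory() as work:
        base = Path(work)
        src = base / "data"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2025-01.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "customers.txt").write_text("Acme Ltd\nGlobex\n")

        archive = base / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good_ok, good_problems = restore_and_verify(archive, manifest)

        # The backup nobody ever restored: truncate the archive to simulate media or transfer corruption.
        corrupt = base / "backup-corrupt.tar.gz"
        data = archive.read_bytes()
        corrupt.write_bytes(data[: len(data) // 2])
        bad_ok, bad_problems = restore_and_verify(corrupt, manifest)

    return {
        "files_backed_up": len(manifest),
        "good_restore_ok": good_ok,
        "good_restore_problems": good_problems,
        "corrupt_restore_ok": bad_ok,
        "corrupt_restore_problems": bad_problems,
        # fixed, assumed dates to exercise the 90-day rule
        "never_tested_is_stale": restore_test_is_stale(None, date(2025, 6, 1)),
        "tested_31_days_ago_is_stale": restore_test_is_stale(date(2025, 5, 1), date(2025, 6, 1)),
        "tested_151_days_ago_is_stale": restore_test_is_stale(date(2025, 1, 1), date(2025, 6, 1)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the manifest is captured when the backup is taken and the comparison is made after a restore to a separate location; a backup tool’s own “completed successfully” status is deliberately not trusted. Record the date of each passing run somewhere outside the system being backed up, and treat a blank or old date exactly as the script does: as no backup at all.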
What Businesses That Survive Have in Common
The businesses that absorb a cyberattack and continue operating are not necessarily the ones with the best technology. They are frequently the ones with the best operational discipline. They patched consistently, so fewer exploitable vulnerabilities existed. They maintained offline backups, so ransomware encryption wasn’t terminal. They had insurance that reflected their actual risk, so the financial event was survivable. They had a response plan, so the first 72 hours were methodical rather than chaotic.
This is an operational discipline problem, not a technology problem. The tools required are available to every small business. The difference between the businesses in the 80 percent who survived and the 20 percent who didn’t is almost never the sophistication of their defenses. It is whether they had executed the fundamentals consistently before the attack arrived.
What Business Leaders Should Do Next
- Schedule a backup restoration test for this month. Call your IT provider or whoever manages your backups and ask them to demonstrate a successful restore from backup: files restored to a separate location, opened, and checked against the originals. If they cannot do it on short notice, you have your answer: the backups are untested, and fixing that comes before anything else.
- Enable MFA on every email account in your organization. Email is the most frequently compromised business system, the entry point for a significant percentage of phishing-based attacks, and the place where password resets for every other service land. If your team is not using MFA on email, make that change this week.
- Write a one-page incident response cheat sheet. List the first three calls you make if you discover ransomware on your network: your IT provider, your cyber insurance carrier, and your legal counsel. Confirm the order with your broker, because many policies require you to notify the carrier before engaging outside responders or negotiating with the attacker, and costs incurred before that call may not be covered. Include the after-hours contact numbers. Put copies in three places, including a printed one, because when ransomware hits, the computers where this document lives may be inaccessible.
- Review your cyber insurance policy with your broker this quarter. Ask specifically: does my current coverage limit match a realistic full recovery cost scenario? Does the policy cover business interruption, customer notification costs, and regulatory defense in addition to data recovery? And what controls does the policy require me to have in place for a claim to be paid?
- Confirm your software patching schedule is actually happening. Ask your IT provider for the date of the last patching cycle for your critical systems and whether the systems were rebooted afterward. If you don’t have an IT provider, set a monthly calendar reminder to run Windows Update and update your business software. Microsoft releases its monthly security updates on the second Tuesday of each month (Patch Tuesday), so schedule the reminder for the day after, and reboot so the updates actually take effect.
