It’s Not Just Big Companies Anymore. Small Businesses in the Firing Line

Posted: Thursday, May 07

KBI.Media
$
It’s Not Just Big Companies Anymore. Small Businesses in the Firing Line

Karissa Breen, more commonly known as KB, is crowned a LinkedIn ‘Top Voice in Technology’, and widely recognised across the global cybersecurity industry. A serial entrepreneur, she is the co-founder of the TMFE Group, a portfolio of cybersecurity-focused businesses spanning an industry-leading media platform, a specialist marketing agency, a content production studio, and the executive headhunting firm, MercSec. Now based in the United States, KB oversees US editorial operations and leads the expansion of the group’s media footprint across North America, while maintaining a strong presence in Australia, and the broader global market. She is the former Producer and Host of the streaming show 2Fa.tv, and currently sits at the helm of journalism for the group’s flagship arm, KBI.Media, the independent cybersecurity media company. As a cybersecurity investigative journalist, KB hosts her globally-renowned podcast, KBKast, where she interviews leading cybersecurity practitioners, CISOs, government officials including heads-of-state, and industry pioneers from around the world. The podcast has been downloaded in over 65 countries with more than 400,000 global downloads, influencing billions of dollars in cybersecurity budgets. KB is known for asking the hard questions and extracting real, commercially relevant insights. Her approach provides an uncoloured, strategic lens on the evolving cybersecurity landscape, demystifying complex security issues and translating them into practical intelligence for executives navigating risk, regulation, and rapid technological change.

i 3 Table of Contents

It’s Not Just Big Companies Anymore. Small Businesses in the Firing Line

From Karissa Breen

A new wave of cyber loss data is painting a clear picture for businesses in 2026, and picture indicates that it’s small and medium enterprises (SMEs) that are bearing the brunt.

Industry experts warn that while ransomware headlines command the news cycle, the real financial devastation is coming from something less visible, prolonged business disruption and downtime.

“What is driving the costs up for the SME is business interruption… it draws out the tail of a claim and the resolution time,” said Heather Osborne, Director of Global Events and Programming at NetDiligence.

Despite an increase in ransomware incidents, experts say payouts are actually declining. This is a sign that organisations are resisting demands or improving defences. But that doesn’t mean the damage is less severe.

Instead, companies are being crippled by downtime, unable to operate, generate revenue, or meet customer expectations.

“Companies cannot afford to be down.” Osborne said.

For sectors like retail and manufacturing, even a week offline can mean permanent loss of sales with customers quickly moving on to competitors. Loyalty to companies isn’t there. Consumers are seeking faster, better and cheaper options.

Beyond dollars and cents, experts say cyberattacks leave lasting psychological and reputational scars. These scars are hard to quantity and qualify.

“The impact of those harassment techniques… lasts a lifetime… I’m not sure you ever recover from that,” said Stefanie Luhrs, Partner of First Response at Atmos.

Luhrs pointed to belligerent threat actors who go beyond data theft, engaging in harassment, intimidation and even stooping to tactics like ‘swatting’.

Employees in general then lose trust in systems, leadership faces burnout and organisations struggle to rebuild credibility. Experts say modern consumers have little patience for outages and even less brand loyalty.

If a service isn’t available instantly, customers simply go elsewhere.

“We do expect to be able to have what we want when we want it,” Osborne noted, highlighting a shift toward instant gratification in global markets.

Because of the fallout of cybersecurity incidents, this by default is forcing companies to rethink not just cybersecurity, but customer retention strategies when faced by disruption.

While consumers can switch brands easily, businesses often can’t do.

Organisations hit by third party breaches are frequently locked into fierce contracts, forced to endure outages while scrambling for workarounds and to keep their head about the water.

“They’re stuck in that relationship… it leads to complaints, disputes, litigation,” Luhrs explained.

Many companies ultimately choose to cut ties, but only once contracts allow it, this subsequently creates long term strain on partnerships.

In the United States, cyber incidents are rolling up in the court room.

Experts say a booming plaintiff attorney ecosystem , often working on contingency which is fuelling a rise in class actions and legal disputes.

“If you have insurance, you’re a good target,” Osborne said, describing how litigation incentives are shaping the landscape.

Meanwhile, regulatory scrutiny is also ramping up globally, with watchdogs obtaining new enforcement powers and clearing backlogs of breach related complaints.

From lost revenue and legal battles to reputational damage that can’t be quantified, the cost of inaction is getting out of hand.

“If they want to even have a business… they need to get their house in order,” Osborne warned.

For companies still treating cybersecurity as a secondary priority, experts say the window to act is closing and the consequences are only getting more intense.