---
id: "concept-smb-cyber-risk-asymmetry"
type: "concept"
source_timestamps: ["¶5", "¶6"]
tags: ["smb", "resource-allocation", "budgeting"]
related: ["claim-smb-breach-cost", "claim-smb-budget-insufficiency", "concept-relative-cybersecurity"]
definition: "The structural disadvantage faced by Small and Medium-sized Businesses in defending against cyber threats due to enterprise-level attack costs combined with highly constrained defensive budgets."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# SMB Cyber Risk Asymmetry

There is a massive resource gap between enterprise giants and SMBs when it comes to cybersecurity defense, and it is widening as AI escalates the threat (see [[concept-ai-fueled-threat-escalation]]).

The numbers the source cites:
- **[[entity-microsoft-d7|Microsoft]]** spends **over $1 billion annually** on security, data protection, and risk management.
- The average cyberattack costs an SMB **more than $250,000**, with extreme cases reaching **as high as $7 million** ([[claim-smb-breach-cost]], citing Microsoft research).
- Only **7%** of SMBs report their cybersecurity budget is "definitely sufficient"; **67%** prioritize cost above all else when selecting security tools; and (per [[entity-crowdstrike|CrowdStrike]]) roughly **70%** rely heavily on internal IT staff ([[claim-smb-budget-insufficiency]]).

Because SMBs face enterprise-scale *attack* economics with startup-scale *defense* budgets, they cannot win by brute-force financial investment. They must instead rely on affordable, high-leverage defensive strategies — the practical playbook of [[framework-dobrygowski-smb-cyber-defense]] — and adopt the pragmatic posture of [[concept-relative-cybersecurity]] rather than chasing unattainable total safety.

> [!note] Enrichment nuance
> The *order of magnitude* (hundreds of thousands, sometimes millions) is consistent with industry reporting, but the precise "$250,000 average / up to $7M" and "7% / 67%" figures read as rounded, synthesized, survey-specific statistics rather than universally accepted benchmarks tied to a single canonical study. Treat them as directionally accurate but numerically approximate.
