The operational environment for Small and Medium-sized Businesses (SMBs) has undergone a volatile transformation during the 2024-2025 period.
The traditional line between physical security and cybersecurity is disappearing, replaced by a complex, hybrid threat landscape where vulnerabilities in one domain can trigger failures in the other.
While large enterprises continue to harden their security measures through centralized governance and significant investment, the middle market remains the most vulnerable segment of the economy. It is characterized by a dangerous combination of high exposure to threats, fragmented risk management responsibilities, and inefficient spending.
In a series of Insights, Holtium will examine three critical dimensions of this evolving trend:
- Rising Risk Exposure: Physical security threats are returning alongside persistent cyber risks, creating two problems at once for SMBs.
- The Spending Trap: Businesses are spending more on security but are not becoming any safer.
- Why Integrated Security Matters: It is now necessary to combine physical and digital security in a way that wors for SMBs.
Rising Risk Exposure
Data from 2024-2025 shows a worrying trend in the US: while cyber threats remain a major challenge, physical security risks have risen sharply.
Security is no longer just about firewalls and phishing filters; it is increasingly about reinforced glass, inventory cages, access controls, incident management, and employee safety protocols.
For SMBs, the digital security divide continues to separate resilient enterprises from vulnerable businesses, while the physical environment has deteriorated significantly.
We are seeing more large-scale crime where criminals are as organized as real companies. This is not just petty theft; it is major criminal activity targeting key industries like shipping, retail, and construction.
The Cargo Theft Crisis and Supply Chain Pressure
For SMBs involved in logistics, manufacturing, or e-commerce, the supply chain has become a main target. Bad actors have shifted from opportunistic to strategic cargo theft, which involves fake IDs, fictitious pickups, and cyber-enabled fraud to deceive shippers.
The volume of attacks on the supply chain is growing fast.
- CargoNet reported a record-breaking year in 2024 with 3,625 incidents, representing a 27% increase from 2023.
- The National Insurance Crime Bureau (NICB) forecasts a further 22% increase in cargo theft losses in 2025, with thieves targeting high-turnover goods such as electronics, food, and building materials.
Most alarming is the sophistication of these attacks. Travelers Insurance data highlights that strategic cargo theft, where criminals use deceptive means to trick shippers into handing over freight, grew nearly 1,500% from 2022 to 2024. This statistic is a key example of the blurring line between physical and digital crime; the theft is physical, but criminals use digital attack channels, such as identity theft.
The volume of attacks on the supply chain is growing fast.
The Organized Retail Crime Epidemic
Retail theft has evolved from opportunistic shoplifting into large-scale operations where organized retail crime groups steal items to resell them:
- The frequency of theft has reached historic highs. The Council on Criminal Justice reports that shoplifting rates in major US cities increased by 14% in 2024 compared to 2023.
- This surge represents a massive financial drain. Capital One Shopping research estimates that US retailers lose approximately $45 billion in inventory to organized retail crime annually.
- The risk of violence has also increased The National Retail Federation notes that threats or acts of violence during theft events increased by 17% year-over-year in 2024.
For SMB retailers, this means that the threat is no longer just inventory loss: employee safety is now at risk.
Construction Sector Vulnerability
The construction sector, dominated by SMB contractors, faces a severe threat from the theft of heavy equipment and tools. These sites are often difficult to secure and house high-value assets. A range of industry sources estimate annual losses for construction and heavy equipment theft in the US to be between $300 million and $1 billion.
Beyond the cost, theft causes delays: for an SMB operating on thin margins, such delays can be existential.
Vandalism and Property Damage
SMBs are also struggling with vandalism and property damage that erodes margins and creates a perception of lawlessness. A single incident of broken windows can cost thousands in repairs and lost revenue.
The US Chamber of Commerce notes that, in some large cities, repeat offenders and vandalism are forcing businesses to close due to the financial and emotional toll. The severity of the issue has triggered government intervention; for instance, the City of Albuquerque launched grant funds in late 2024 to reimburse small businesses for up to 80% of window replacement costs due to vandalism.
Workplace Violence
The physical threat surge has become personal. The US Bureau of Labor Statistics reports that there were 1.6 homicides per day in the workplace in 2022, an 8.9% increase from 2021, and a series high going back to 2011.
The physical threat surge has become personal.
For SMBs, where workforce density is high, margins are thin, and frontline employees often work without layered security infrastructure, the psychological and operational consequences are significant. Violence now shapes how staff perceive safety, how managers structure shifts, and how customers interpret the security of physical spaces.
The Insider Threat: Employee Theft and Fraud
Not all threats come from outside. Employee theft plays a major role in SMB losses in some sectors:
- According to the California Restaurant Association, 75% of employees have stolen at least once from their employer. The National Retail Federation reports that employee theft accounts for approximately 29% of retail inventory loss.
- Another common vector in retail and hospitality are “sweetheart” deals, where employees give unauthorized discounts or free merchandise to friends and family. This form of theft is difficult to detect without advanced Point of Sale monitoring.
Cyber Threats and the Digital Security Divide
While physical threats have surged, cyber threats have become more automated and financially costly. This has led to a "Digital Security Divide", where resilient, often large companies are separated from vulnerable SMBs.
Cyber threats have become more automated and financially costly.
The Target on the Non-Enterprise Business Back
Contrary to the belief that hackers only target "big fish," SMBs are primary targets because they are viewed as low-hanging fruit with weaker controls.
- Data from Hiscox, a specialty insurance carrier, reveals that 41% of US small business experienced a cyber-attack in 2023.
The consequences of a breach are often fatal for smaller entities. Managed Security Services Providers report that 60% of small businesses that suffer a significant cyberattack go out of business within six months. This high rate underscores that cybersecurity is not just an IT issue but a solvency issue.
Ransomware and Extortion
Ransomware remains the most financially damaging cyber-attack used against SMBs.
- IBM’s 2024 Cost of a Data Breach Report indicates that the global average cost of a data breach reached $4.88 million.
- Healthcare SMBs are particularly vulnerable. The American Hospital Association noted that healthcare faced more cyberthreats in 2024 than any other critical infrastructure sector, with groups actively targeting the industry.
Business Email Compromise (BEC)
BEC represents a massive transfer of wealth from SMBs to criminals through social engineering rather than hacking.
The FBI's Internet Crime Complaint Center (IC3) reported that BEC resulted in losses of over $2.9 billion in 2023. These attacks often leverage the lack of formal verification processes in smaller organizations, spoofing executive emails to request urgent wire transfers.
The End of Siloed Security
For SMBs, the message is clear. Cybersecurity and physical security are no longer separate areas. A secure server room means little if a loading dock is compromised.
Likewise, reinforced storefront glass offers no protection if a phishing email drains payroll accounts.
Sometimes, criminals use SMBs as conduits. Wired magazine reported on how a cyberattack on a small HVAC distributor disrupted surgeries at a hospital in California, proving that SMB cyber failures now have direct physical consequences.
The era of managing cyber and physical risks separately is over. What replaces it will determine which SMBs thrive.
Cybersecurity and physical security are no longer separate areas.
Looking Ahead: The Spending Trap
As the threat landscape gets worse, SMB leaders usually try to spend more money. However, simply buying more tools does not always mean better protection.
In the next piece, Holtium will examine SMB spending on security to understand why many are overspending on technology and physical security controls while remaining dangerously under-protected.