The operational environment for Small and Medium-sized Businesses (SMBs) has undergone a volatile transformation during the 2024-2025 period.
The traditional line between physical security and cybersecurity is disappearing, replaced by a complex, hybrid threat landscape where vulnerabilities in one domain can trigger failures in the other.
While large enterprises continue to harden their security measures through centralized governance and significant investment, the middle market remains the most vulnerable segment of the economy. It is characterized by a dangerous combination of high exposure to threats, fragmented risk management responsibilities, and inefficient spending.
In a series of Insights, Holtium will examine three critical dimensions of this evolving trend:
Data from 2024-2025 shows a worrying trend in the US: while cyber threats remain a major challenge, physical security risks have risen sharply.
Security is no longer just about firewalls and phishing filters; it is increasingly about reinforced glass, inventory cages, access controls, incident management, and employee safety protocols.
For SMBs, the digital security divide continues to separate resilient enterprises from vulnerable businesses, while the physical environment has deteriorated significantly.
We are seeing more large-scale crime where criminals are as organized as real companies. This is not just petty theft; it is major criminal activity targeting key industries like shipping, retail, and construction.
For SMBs involved in logistics, manufacturing, or e-commerce, the supply chain has become a main target. Bad actors have shifted from opportunistic to strategic cargo theft, which involves fake IDs, fictitious pickups, and cyber-enabled fraud to deceive shippers.
The volume of attacks on the supply chain is growing fast.
Most alarming is the sophistication of these attacks. Travelers Insurance data highlights that strategic cargo theft, where criminals use deceptive means to trick shippers into handing over freight, grew nearly 1,500% from 2022 to 2024. This statistic is a key example of the blurring line between physical and digital crime; the theft is physical, but criminals use digital attack channels, such as identity theft.
Retail theft has evolved from opportunistic shoplifting into large-scale operations where organized retail crime groups steal items to resell them:
For SMB retailers, this means that the threat is no longer just inventory loss: employee safety is now at risk.
The construction sector, dominated by SMB contractors, faces a severe threat from the theft of heavy equipment and tools. These sites are often difficult to secure and house high-value assets. A range of industry sources estimate annual losses for construction and heavy equipment theft in the US to be between $300 million and $1 billion.
Beyond the cost, theft causes delays: for an SMB operating on thin margins, such delays can be existential.
SMBs are also struggling with vandalism and property damage that erodes margins and creates a perception of lawlessness. A single incident of broken windows can cost thousands in repairs and lost revenue.
The US Chamber of Commerce notes that, in some large cities, repeat offenders and vandalism are forcing businesses to close due to the financial and emotional toll. The severity of the issue has triggered government intervention; for instance, the City of Albuquerque launched grant funds in late 2024 to reimburse small businesses for up to 80% of window replacement costs due to vandalism.
The physical threat surge has become personal. The US Bureau of Labor Statistics reports that there were 1.6 homicides per day in the workplace in 2022, an 8.9% increase from 2021, and a series high going back to 2011.
For SMBs, where workforce density is high, margins are thin, and frontline employees often work without layered security infrastructure, the psychological and operational consequences are significant. Violence now shapes how staff perceive safety, how managers structure shifts, and how customers interpret the security of physical spaces.
Not all threats come from outside. Employee theft plays a major role in SMB losses in some sectors:
While physical threats have surged, cyber threats have become more automated and financially costly. This has led to a "Digital Security Divide", where resilient, often large companies are separated from vulnerable SMBs.
Contrary to the belief that hackers only target "big fish," SMBs are primary targets because they are viewed as low-hanging fruit with weaker controls.
The consequences of a breach are often fatal for smaller entities. Managed Security Services Providers report that 60% of small businesses that suffer a significant cyberattack go out of business within six months. This high rate underscores that cybersecurity is not just an IT issue but a solvency issue.
Ransomware remains the most financially damaging cyber-attack used against SMBs.
BEC represents a massive transfer of wealth from SMBs to criminals through social engineering rather than hacking.
The FBI's Internet Crime Complaint Center (IC3) reported that BEC resulted in losses of over $2.9 billion in 2023. These attacks often leverage the lack of formal verification processes in smaller organizations, spoofing executive emails to request urgent wire transfers.
For SMBs, the message is clear. Cybersecurity and physical security are no longer separate areas. A secure server room means little if a loading dock is compromised.
Likewise, reinforced storefront glass offers no protection if a phishing email drains payroll accounts.
Sometimes, criminals use SMBs as conduits. Wired magazine reported on how a cyberattack on a small HVAC distributor disrupted surgeries at a hospital in California, proving that SMB cyber failures now have direct physical consequences.
The era of managing cyber and physical risks separately is over. What replaces it will determine which SMBs thrive.
As the threat landscape gets worse, SMB leaders usually try to spend more money. However, simply buying more tools does not always mean better protection.
In the next piece, Holtium will examine SMB spending on security to understand why many are overspending on technology and physical security controls while remaining dangerously under-protected.