35 Alarming Small Business Cybersecurity Statistics for 2024

Cyberattacks against small businesses have been on the rise in recent years. Despite the attitude among many small business owners that hackers only go after behemoths, smaller companies make increasingly attractive prey. In fact, certain types of attacks–social engineering attacks, like phishing, for example–are much more commonly aimed at small businesses. 

Cybercriminals assume that weaker security measures will make small businesses easier to crack than larger enterprises. Small businesses are generally not financially prepared for an attack, and most lack cyber insurance. For many smaller companies, a successful cyberattack may even put them out of business. 

Slowly, small businesses are waking up to the reality that they are targets, just like larger companies. They are increasingly strengthening their security posture with tools and practices that minimize their risk of being breached.

We’ve gathered the most recent cybersecurity statistics relevant to small businesses. Read on to find out exactly what they are up against and what steps they can take to defend themselves.

Easy Small Business Cybersecurity Statistics Finder 

Small business cyberattack overview statistics

1. 46% of all cyber breaches impact businesses with fewer than 1,000 employees.

2. 61% of SMBs were the target of a cyberattack in 2021.

3. At 18%, malware is the most common type of cyberattack aimed at small businesses.

4. 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.

5. 37% of companies hit by ransomware had fewer than 100 employees.

6. Small businesses receive the highest rate of targeted malicious emails at one in 323.

7. Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

8. 87% of small businesses have customer data that could be compromised in an attack.

9. 27% of small businesses with no cybersecurity protections at all collect customers’ credit card info.

Cost of cyberattacks statistics

10. 55% of people in the U.S. would be less likely to continue doing business with companies that are breached.

11. 95% of cybersecurity incidents at SMBs cost between $826 and $653,587.

12. 50% of SMBs report that it took 24 hours or longer to recover from an attack.

13. 51% of small businesses said their website was down for 8 - 24 hours.

14. In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.

15. Nearly 40% of small businesses reported they lost crucial data as a result of an attack.

16. 51% of small businesses that fall victim to ransomware pay the money.

17. 75% of SMBs could not continue operating if they were hit with ransomware.

18. Just 17% of small businesses have cyber insurance.

19. 48% of companies with insurance did not purchase it until after an attack.

20. 64% of all small businesses are not familiar with cyber insurance.

Small business preparedness statistics

21. 47% of businesses with fewer than 50 employees have no cybersecurity budget.

22. 51% of small businesses have no cybersecurity measures in place at all.

23. 36% of small businesses are “not at all concerned” about cyberattacks.

24. 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked.

25. Only 17% of small businesses encrypt data.

26. 20% of small businesses have implemented multi-factor authentication.

27. 80% of all hacking incidents involve compromised credentials or passwords.

28. One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions.

29. 76% of small businesses that increased cybersecurity spending cited rising fear of new threats.

Response & defense statistics

30. 42% of small businesses have revised their cybersecurity plan since the COVID-19 pandemic.

31. Nearly half of small businesses spend less than $1,500 monthly on cybersecurity.

32. 22% of small businesses increased cybersecurity spending in 2021.

33. SMBs spend 5% to 20% of their total IT budget on security.

34. 29% of businesses that suffered a breach responded by hiring a cybersecurity firm or dedicated IT staff.

35. Antivirus software (58%), firewalls (49%), VPNs (44%), and password management (39%) are the top four cybersecurity tools SMBs are adopting.

Small Business Cybersecurity Overview 

Few small businesses prioritize cybersecurity or devise comprehensive strategies to prevent or respond to attacks, and hackers know it. The following statistics sketch out a threat landscape that small businesses can’t afford to ignore.

46% of all cyber breaches impact businesses with fewer than 1,000 employees. 

This is according to Verizon's 2021 Data Breach Investigations Report. [1] The percentage of smaller businesses being hit has climbed steadily in the last few years. An earlier study from Symantec found that 43 percent of 2015 attacks hit businesses with 250 or fewer employees; in 2014, the figure was 34 percent. [18] Factors that continue to make smaller businesses attractive targets to cybercriminals include easier access and fewer security protections in place compared to large enterprises, and the opportunity to receive smaller amounts of money from numerous small or midsize businesses. In addition, these attacks are unlikely to attract the media and law enforcement attention that attacks on larger companies might.

61% of SMBs were the target of a cyberattack in 2021.

Not all of these attacks achieved their aim. However, the high percentage of targeted businesses shows how commonly attackers single out SMBs. [2]

At 18%, malware is the most common type of cyberattack aimed at small businesses.

Malware is followed in popularity by phishing (17%), data breaches (16%), website hacking (15%), DDoS attacks (12%) and ransomware (10%), according to a survey from March 2022. [3]

82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.

Furthermore, 37% of companies hit by ransomware had fewer than 100 employees. This is believed to result from a shift in tactics of cybercriminals that leverage ransomware. Attackers are turning away from mega-sized targets to focus on small or mid-sized companies, since the risks of exposure and arrest are generally not as great. RDP compromise–via access to a system administrator or user password–is the most common break-in method in these types of attacks. Password managers are a popular tool to protect credentials and prevent RDP compromise. [4]

Small businesses receive the highest rate of targeted malicious emails at one in 323.

Such threats, including phishing, spam and email malware, are most commonly aimed at businesses with fewer than 250 employees. One in 323 emails to businesses of this size is malicious [5] –a lot considering the average office worker receives 121 emails per day. 

Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

Social engineering attacks–including phishing, baiting, quid pro quo, pretexting, and tailgating–rely on human interaction and psychology to get targets to break normal security rules and practices. Small businesses are particularly vulnerable. Those with fewer than 100 employees receive 350% more threats than larger companies. CEOs and CFOs are popular targets, as are executive assistants with access to the accounts of high-level company members. [6]

87% of small businesses have customer data that could be compromised in an attack. 

According to a study from March of this year, this includes sensitive data like credit card info, social security numbers, bank account info, phone numbers, and addresses. This means that beyond the damage a business sustains when it is breached, its customers may also be impacted through identity theft, privacy violations, etc. In fact, the same study found that 27% of small businesses with no cybersecurity protections at all collect customers’ credit card info. [7]


The Cost of Cyberattacks for Small Businesses 

Why would a cybercriminal attack a small business? Because the funds they receive from a number of such attacks can easily add up to what they’d receive from a larger enterprise. And, since SMBs tend to be easier to breach due to weaker security measures, it may take less time and effort to accomplish an attack. Media attention and law enforcement also may be less aggressive post attack, making the chance of an arrest and outing less likely. For their part, small businesses are not well positioned to easily recover from such an attack. Since only 17% of small businesses have cyber insurance, the financial impact of one successful attack can be quite damaging.

In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages. 

Smaller businesses, vulnerable to a breach due to weak defense measures, are also often unable to afford one. All associated costs, including those beyond the incident itself–lost business, fines, and implementation of new cyberdefense technology to comply with regulations–can add up to an amount they can’t cover. [8]

95% of cybersecurity incidents at SMBs cost between $826 and $653,587. 

Costs can spiral due to downtime, lost business, emergency solutions, legal and regulatory fines, etc. Small companies are frequently without emergency funds or insurance to cover the expenses. [1]

50% of SMBs report that it took 24 hours or longer to recover from an attack. [9]

The damaging effects of a cyberattack are numerous and impact a company’s finances, customer relations, and reputation. For example, website downtime can mean a loss of business and customer loyalty. In one survey, 51% of small businesses said their website was down for 8 - 24 hours following an attack. [10] It’s also worth noting that 55% of people in the U.S. would be less likely to continue doing business with companies that are breached. [11]

Nearly 40% of small businesses reported they lost crucial data as a result of an attack. 

Loss of critical data can have far-reaching negative effects for breached companies. Loss of sensitive customer data like credit card info, social security numbers, phone numbers, or home addresses can also lead to customer lawsuits, and the payment of damages becomes a possibility. [9]

51% of small businesses that fall victim to ransomware pay the money. 

According to a survey from CNBC and Momentive, 24% of those hit pay out of pocket, while for 27%, cyber insurance covers it. Without insurance, the cost to small businesses can be quite burdensome, and few have any dedicated budget for handling such expenses. [12]

75% of SMBs could not continue operating if they were hit with ransomware. 

This is according to a recent survey of 1,200 SMBs by Momentive on behalf of CyberCatch, a San Diego-based cybersecurity platform provider. If having to pay the funds demanded was not bad enough for these businesses, the total disruption to operations would make such attacks even harder to withstand. [12]

Just 17% of small businesses have cyber insurance. 

A survey of U.S. small businesses from late 2021 found that only 17% had insurance to cover costs in the event of a cyber breach. Further, it found that 48% of those companies did not purchase insurance until after an attack, and 64 percent of all respondents were not familiar with cyber insurance. [13] 


Small Business Cybersecurity Preparedness 

We are seeing a moderate increase in cybersecurity preparedness among small businesses. COVID-19 forced many businesses to rethink their IT, including cybersecurity. However, it appears that a lot of small businesses still think they are too small to be hit and hence don’t prioritize defense. Weak security measures–or none at all–leave their business, their data, and also their customers’ data and privacy at risk. 

47% of businesses with fewer than 50 employees have no cybersecurity budget.

A survey of small businesses from late 2021 found that businesses spend more on cybersecurity as they scale. While almost half of companies with fewer than 50 employees lacked a cybersecurity budget, 35% of those with 50 - 249 employees lacked one, and the figure fell to 18% for companies with over 250 employees. [14]  

51% of small businesses have no cybersecurity measures in place at all. 

In March 2022, Digital.com surveyed 1,250 businesses with 500 or fewer employees. 42% reported that their companies had cyberdefense measures in place; 21% said they were currently working on cybersecurity plans; and 7% said they were unsure of their company’s defense posture. [7]

36% of small businesses are “not at all concerned” about cyberattacks. 

Concern about attacks tends to be lowest among companies with predominately in-person operations. Online-only and hybrid businesses are considerably more concerned about cyberattacks. [7]

59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked. 

This attitude persists despite the steadily climbing percentage of cyberattacks that hit small businesses. In fact, certain types of attacks are most commonly aimed at small businesses. For example, companies with fewer than 100 employees receive 350% more social engineering attacks–including phishing, baiting, and pretexting–than larger companies. [7]

Only 17% of small businesses encrypt data. 

Data encryption is a crucial cybersecurity measure; without it, a business’s data and its customers’ data are vulnerable. It ensures that data cannot be read by an attacker even in the event that they get past the firewall and can dramatically mitigate the cost of a cyberattack. Companies may find encryption technology complicated, which helps explain why it is not more widely used. [13]

20% of small businesses have implemented multi-factor authentication. [13]

A 2020 study of cyberattacks by Verizon found that 80% of all hacking incidents involved compromised credentials or passwords. [19] This is why cybersecurity professionals tend to agree that MFA is a critical first line of defense against cyberattacks.

One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions. 

The same 2020 study of 3,083 small business owners in the US and UK also found one in five companies of this size use no endpoint security at all. Small businesses may fall back on these solutions, feeling that enterprise-grade technology is too complex or expensive to use. Unfortunately, cybercriminals are aware of these vulnerabilities among small businesses, and it’s one reason they are increasingly targeting them. [9]

76% of small businesses that increased cybersecurity spending cited rising fear of new threats.  

The same study from late 2021 found that 70% of small businesses that expanded their cybersecurity budget cited the need for more sophisticated, high-tech solutions; 51% did so to meet external requirements or industry standards. [14]


Response & Defense Moving Forward

Spending on cybersecurity among small businesses is rising. We also see that a significant percentage of companies that have suffered an attack respond by implementing new, stronger cybersecurity measures or even hiring dedicated cybersecurity staff. As attacks against SMBs continue to rise, we can expect more companies to take note and adopt a better defense posture to avoid being next on an attacker’s hit list. 

42% of small businesses have revised their cybersecurity plan since the COVID-19 pandemic. 

When the pandemic forced employees out of the office, cybersecurity suddenly became a bigger concern for many companies. Indeed, as remote work led to the use of personal devices and unsecured or partially secured networks, cybersecurity incidents increased. In response, some small businesses implemented new cybersecurity policies, such as better practices around login credentials. [16]

Nearly half of small businesses spend less than $1,500 monthly on cybersecurity. 

A recent survey of 600 U.S. small businesses shows that they are spending somewhat more on cybersecurity in 2022 than they did before COVID-19. For example, the number spending over $500 monthly went from 24% to 26%, while those spending $1,500 - $1,999 monthly rose from 19% to 24%. [16]

22% of small businesses increased cybersecurity spending in 2021.

The same 2021 study from CNBC and Momentive found that 67% of companies were spending the same amount as they had in 2020. [12] It’s estimated that, on average, SMBs spend 5% to 20% of their total IT budget on security. [17]

29% of businesses that suffered a breach responded by hiring a cybersecurity firm or dedicated IT staff. 

44% of those attacked installed antivirus/antimalware software, while 43% started using a VPN; 8% made no changes, a study from earlier this year found. [7]

Antivirus software (58%), firewalls (49%), VPNs (44%), and password management (39%) are the top four cybersecurity tools SMBs are adopting. 

This is according to a March 2022 survey of 1,250 businesses with 500 employees or less. According to the survey, they have either adopted or plan to adopt these solutions, along with secure payment processing tools (38%). [7]


Conclusion

A lot of small businesses remain in ostrich mode when it comes to cyber threats. They do not realize that hackers have their sights set on them and are aware of their faulty defenses. However, a growing number of small businesses are paying attention and doing what they must to fortify their data and prevent huge losses. More and more of them realize they cannot afford a successful attack and need to have adequate defense and response strategies in place. There is no reason not to take action since strong, cost-effective protection is possible even for businesses with modest IT budgets. 

If you want to learn more about how to effectively protect your business, we recommend reading the following guides: Identity and Access Management (IAM), Privileged Access Management (PAM), Role-Based Access Control (RBAC), Zero Trust Architecture, and Secure Access Service Edge (SASE).

If you want to see how we can help you secure your business, sign up for a free product demo.


References

1. 2021 SMB Data Breach Statistics | Verizon
2. 2022 Data Breach Investigations Report | Verizon
3. Small Business Insights: Inflation now the No.1 concern for small businesses - QuickBooks
4. Law enforcement pressure forces ransomware groups to refine tactics in Q4 2021
5. Symantec Security Center
6. Spear-phishing report: Social engineering and growing complexity of attacks - Journey Notes
7. 51% of small business admit to leaving customer data unsecure - Digital.com
8. Protect Your Small Business from Cybersecurity Attacks
9. New Study Reveals One In Three SMBs Use Free Consumer Cybersecurity And One In Five Use No Endpoint Security At Al
10. 2022 Study: 50% of SMBs Have a Cybersecurity Plan in Place | UpCity
11. America's small businesses aren't ready for a cyberattack
12. Main Street overconfidence: Small businesses don't worry about hacking
13. Cyber Insurance Stats: 64% of businesses unfamiliar with coverage | AdvisorSmith
14. Survey Findings: SMB Cyber Readiness - Cyber Risk Insight Index - Q1 2022
15. Data Breach Investigations Report
16. 2022 Study: 50% of SMBs Have a Cybersecurity Plan in Place | UpCity
17. How Much do SMBs Really Spend on Cyber Security?
18. 43 Percent of Cyber Attacks Target Small Business
19. 67 Percent of Breaches Caused by Credential Theft, User Error, and Social Attacks


About the Author

, SEO Manager, has been managing SEO initiatives for companies and clients from different industries for more than five years. Evangelizing SEO within organizations and educating other team members on the best practices is his passion. Komron occasionally shares his expertise on various blogs and publications. To contact Komron, visit him on LinkedIn.
