SBN

15 Small Business Cyber Security Statistics That You Need to Know

Small business cyber attacks aren’t cheap — IBM reports that the costs associated with insider threat-related incidents alone cost an average of $7.68 million. Here’s our list of the top SMB cybersecurity statistics you need to know in 2020

Note: This small business cyber security statistics article is one that we periodically update with new data. Be sure to check back periodically for updates and fresh SMB cybersecurity statistics!

You may have heard the oft-quoted small business cyber
security statistic that’s something akin to “60% of small companies that suffer
a cyber attack are out of business within six months.” Heck, like many major
media outlets, we’ve even quoted this stat ourselves in the past. However, it
turns out that the organization that’s often attributed for this small business
cyber security statistic, the National Cyber Security Alliance (NCSA), actually
recommends not citing this statistic for the following
reason
:

“This statistic was not generated from NCSA research, and we cannot verify its original source. NCSA has not actively referenced this statistic for several years, but we discovered that it was included in an outdated infographic on our website. We have removed all of these references and do not recommend its ongoing usage. Members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.”

Well, that’s a bummer, right?

While we here at Hashed Out may not be the internet’s top resource for cyber security related information – though we strive to be and have more than two million readers – we still want to do the best job we can at providing you with the best and most useful information possible. This includes topics such as small business cyber security statistics.  

With this in mind, we’ve put together an updated list of some of the small business cyber security statistics you SHOULD know in one convenient resource. We’ll also discuss why SMBs make such attractive targets and what you can do to protect your business.

Let’s hash it out.

The Top Small Business Cyber Security Statistics to Know in 2020

The ongoing COVID-19 global pandemic is changing things for small businesses and organizations around the world. An August 2020 report from INTERPOL indicates that small businesses may not (currently) be the top target of cybercriminals:

To maximise damage and financial gain, cybercriminals are shifting their targets from individuals and small businesses to major corporations, governments and critical infrastructure, which play a crucial role in responding to the outbreak. Concurrently, due to the sudden, and necessary, global shift to teleworking, organizations have had to rapidly deploy remote systems, networks and applications. As a result, criminals are taking advantage of the increased security vulnerabilities arising from remote working to steal data, generate profits and cause disruption.”

But just because larger organizations are their primary targets doesn’t mean that SMBs should let their guards down, either. Many types of cyber attacks and other dangerous still pose a risk to small and mid-size businesses, too.

What Qualifies as an SMB?

Well, that answer depends. One of the things that makes reporting small business cyber security statistics a bit challenging is that different reports identify small businesses differently. For example, according to some of the reports we cite in this article:

  • Verizon categorizes small businesses as those that have fewer than 1,000 employees.
  • The cyber security company VIPRE categorizes small businesses as those that have 1-500 employees.
  • Alliance Cybersecurity’s data includes companies that have 500 or fewer employees as well.

With this in mind, let’s kick off our list of small business cyber security statistics.

1. $7.68 Million: The Average Cost of an Insider-Related Cyber Incident for SMBs

Well, that number certainly starts things off with a bang. The costs associated with the impacts of insider threats varies greatly depending on the size of the organization and scope of the attack. Research from IBM and the Ponemon Institute’s The Cost of Insider Threats Global Report 2020 shows that small organizations (those with fewer than 500 employees) spend an average of $7.68 million per incident.

2. 43% of SMBs Lack Any Type of Cybersecurity Defense Plans

What if we were to tell you that more than two in five companies that have 50 or fewer employees in the U.S. and United Kingdom don’t have any type of cybersecurity defense plan in place? Yes, that’s right. A January 2020 research study by BullGuard showcases a disturbing number of businesses are choosing to be reckless. They’re essentially rolling the dice in terms of securing their data (and that of their customers) from small business cyber attacks.

3. One in Five SMBs Don’t Use Any Endpoint Security Protections

BullGuard’s survey of 3,083 SMBs shows that 23% of small businesses in both the U.K. and U.S. neglect to use endpoint security mechanisms. Additionally, 32% of those surveyed who do use endpoint security protections says that they rely solely on free, consumer-grade cybersecurity solutions. Yeah, take a moment to wrap your head around that one!

4. 60% of SMB Choose to Keep Their Heads in the Sand About Attack & Breach Risks

Additional data from BullGuard’s survey further chips away at our hope for the futures of some SMBs. Despite nearly one-in-five (18.5%) small businesses experiencing cyber attacks or data breaches, 60% of those surveyed SMB owners think their businesses aren’t a likely target of cybercriminals.

However, if you’ve read virtually any recent cyber security reports or literature, you’d know that no company is “too small” or “too large” that a cybercriminal won’t take an interest. Like a modern version of Goldilocks — you know, if she was a cybercriminal rather than a trespasser breaking into bears’ houses — she’d have no problem trying out the cyber defenses of every company to find a target that’s “just right.”

Paul Lipman, CEO of BullGuard, states the issue nicely:

Small businesses are not immune to cyber attacks and data breaches, and are often targeted specifically because they often fail to prioritize security. Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”

It seems that many SMBs are overly confident about the safety of their data and organizations as a whole. Although we’ve not quite reached “full ostrich” level here (yes, we know that the ostrich thing a myth, but you get the point), we’re sure getting close.

5. 28% of the Breaches in 2019 Involved Small Business Victims

Nearly one-in-three breaches included in Verizon’s 2020 Data Breach Investigations Report (DBIR) calculations involved small businesses. This means that businesses need to do more to protect not only their digital assets and web presence but also to protect the security and privacy of their customers as well.

Wondering whether 28% is a good number or not? Well, it’s not great — It’s 28% too high, if you ask us! — but it’s still better than what it was previously. This number is down from the 43% data breach stat for SMBs that Verizon reported in their 2019 DBIR.

6. Phishing Is Top Threat Action for More Than 30% of Small Organizations

Phishing has been an SMB’s arch nemesis for several years — and this year’s no different. Verizon’s 2020 DBIR report shows phishing as the leading threat action, followed by the use of stolen credentials and password dumpers.

A screenshot of small business cyber security statistics data relating to data breach action varieties
The graph above is a screenshot from Verizon’s 2020 Data Breach Investigations Report.
Email Security Best Practices - 2019 Edition

Don’t Get Phished.

Email is the most commonly exploited attack vector, costing organizations millions annually. And for SMBs, the damage can be fatal in terms of suffering data breaches & going out of business. Don’t be another statistic.

7. 85% of MSPs Report Ransomware as the Biggest Malware Threat to SMBs in 2019

In their Global State of the Channel Ransomware Report, Datto reported that four-in-five managed service providers (MSPs) identified ransomware attacks as the leading malware threat to SMBs. But there appears to be a significant difference in opinion regarding the threat of ransomware attacks: “89% of MSPs are ‘very concerned’ about the ransomware threat and 28% report their SMB clients feel the same.” This is despite the fact that one-in-five SMBs reported falling victim to a small business ransomware attack.

8. 63% of SMBs Report Experiencing a Data Breach in the Previous 12 Months

Data from a 2019 study by Keeper Security and the Ponemon Institute shows that the number of small and medium-sized businesses that experienced data breaches increased to 63% in FY 2019. In the two prior fiscal years, participants report 58% in FY 2018 and 54% in FY 2017, respectively.

9. 46% of SMBs with < 1k Employees Had 5-16 Hours of Breach-Related Downtime in 2019

Cisco’s 2020 CISO Benchmark Study data indicates that downtime from data breaches is an issue for all organizations with up to 10,000 employees. According to their data (as it was cited in Cisco’s “Securing What’s Now and What’s Next” report), small and mid-size organizations with 250-449 employees reported the following:

  • 43% experienced 0-4 hours of downtime
  • 45% experienced experiencing 5-16 hours of downtime, and
  • 12% experienced 17-48 hours of downtime.

For businesses with more employees — 500-999 or 1,000-9,999 employees — their numbers showed greater variance:

10. 47% of SMBs Report Keeping Data Secure as Biggest Challenge

VIPRE’s SMB Security Trends survey results indicate that nearly half of the CISOs and IT pros surveyed find data security to be their biggest IT security challenges. The next biggest hurdles they identified include preventing data loss (42%) and increasing employee security awareness (41%).

11. 70% of SMBs’ Employees Passwords Were Stolen or Lost

Seven in 10 employees had their passwords stolen, according to 2019 data from Keeper Security and the Ponemon Institute. We sure hope, for their sake, that those businesses at least had access control policies in place to help limit the potential impact of such credential compromises — but we doubt it. Here’s why…

12. Credentials (52%) Represents the Most Compromised Type of Data in 2019

Credential compromise continues to be an issue for SMBs and other businesses as well. Verizon’s 2020 DBIR reports that more than half of small businesses reported issues of credential compromised in 2019.

But just who does Verizon say is responsible for these attacks on small businesses?

13. 74% of SMB Data Breaches Involve External Threat Actors

By far, the overwhelming majority of the data breaches that targeted small businesses in 2019 were perpetrated by external threat actors, according to Verizon’s 2020 DBIR.

14. 83% of Data Breaches Against SMBs are Financially Motivated

Verizon’s 2020 DBIR data indicates that most cybercriminals nowadays worship primarily at the altars of the cryptocurrency and wire fraud gods. To state it more simply, eight in 10 data breaches are financially motivated. The other motivations they note for why cybercriminals launch small business cyber attacks or carry out data breaches are:

  • Espionage (8%),
  • Fun (3%), and
  • Grudges (3%).

15. 22% of SMBs Switched to Remote Work Without a Cybersecurity Threat Prevention Plan

We’re living in a time when the COVID-19 global pandemic has forced the hands of businesses worldwide to allow their employees to work from home at unprecedented rates. But what does this mean for small business cybersecurity preparations? Research from Alliant Cybersecurity shows that one-in-five small businesses jumped head-first into remote working without having a clear cybersecurity mitigation or prevention policy in place.

Now, consider that more than half (52%) of these SMBs indicate that they didn’t regularly allow their employees to work remotely prior to the pandemic. With this in mind, it’s easy to imagine what kind of Pandora’s box this opens in terms of cybersecurity vulnerabilities and risks.  

Unfortunately, what makes matters worse is findings from the Keeper Security/Ponemon Institute survey we mentioned earlier. Their data shows that 39% of their SMB survey respondents report that their organizations lack any incident response plans. So this means that when (not if) crap hits the proverbial cooling system, they won’t have a plan in place that helps them to respond to cyber-related events. 

Why SMBs Are Thought to Be More Vulnerable to Cyber Attacks & Data Breaches

Small businesses are the drivers of the U.S. economy. The most recent data from the U.S. Small Business Administration (SBA) reports that there are 31.7 million small businesses in the U.S. Furthermore, a significant part of the country’s workforce includes 60.6 million small business employees.

Historically, there’s been this common notion that small businesses are at greater risk to cyber crimes because they lack the resources — funds, personnel, time, etc. — to properly monitor and mitigate cyber threats. However, Verizon’s 2020 DBIR findings indicate that the gap between SMBs and larger organizations may be closing somewhat in terms of their respective security incident detection and response capabilities. This is in part because of SMBs’ increasing use of the cloud, software as a service (SaaS), and other modern resources that are available.

Unfortunately for consumers, however, some business owners and executives still convince themselves that their businesses are too small to be of interest to hackers. As you read earlier, this head-in-the-sand approach is even the case with some businesses that experienced cyber attacks and data breaches in the past! This means that they may not put the time, money, training and other resources in place to protect their businesses (and their customers as a result).

How You Can Protect Your Small Business from SMB Cyber Security Attacks

At the SSL Store, we’re a small company with about 90 employees. We specialize in secure sockets layer/transport layer security (SSL/TLS) to create encrypted connections. As such, we’re happy to help you configure your servers for maximum protection and to get that lauded “HTTPS” in your web address. However, that’s only one piece of the puzzle — SSL only secures certain attack vectors. As such, you’ll need to invest in additional security measures to increase the digital security of your small or medium-sized business.

Some such methods that should be used to create
multi-layered protection include:

  • Firewalls, antivirus, and endpoint security solutions
  • Network penetration testing
  • Cyber security audits
  • Computer use, device, and password policies
  • Access management and control policies and procedures
  • Email security solutions (such as anti-phishing solutions, spam filters, email signing certificates [S/MIME certificates])
  • Employee cyber security awareness training and phishing simulations
  • Incident response and disaster recovery plans
  • Current data backups

But what are some of the most common methods of defense that SMBs implement? According to recent survey data from The Manifest:

The most popular small business cybersecurity measures include limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best practices (34%).”

TL;DR? A Quick Summary of These SMB Cybersecurity Statistics Findings

We know you’ve already got a lot on your plate and probably
don’t have time to read a long article. Here’s what we covered in today’s
discussion on small business cyber security statistics:

We know you’ve already got a lot on your plate and probably don’t have time to read a long article. Here’s what we covered in today’s discussion on small business cyber security statistics:

  • $7.68 million is the average cost of insider-related cyber incidents for small businesses, according to IBM and the Ponemon Institute.
  • Small and medium-sized businesses need to get their butts in gear and put cybersecurity threat mitigation and incident response plans in place.
  • Consumer-grade cybersecurity products simply aren’t going to cut it for securing small businesses.
  • Phishing still leads the way in terms of being the leading threat action that attackers use against SMBs.
  • The largest percentages of surveyed SMBs experienced between 5 and 16 hours of downtime during a breach.
  • You need security beyond just SSL – this should include the use of firewalls, email security protections, secure CDNs, two-factor authentication (2FA), and endpoint security.
  • Ensure all software, hardware, servers, and other devices are up to date.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/