You may have heard the oft-quoted small business cyber
security statistic that’s something akin to “60% of small companies that suffer
a cyber attack are out of business within six months.” Heck, like many major
media outlets, we’ve even quoted this stat ourselves in the past. However, it
turns out that the organization that’s often credited with this small business
cyber security statistic, the National Cyber Security Alliance (NCSA), actually
recommends not citing this statistic for the following
“This statistic was not generated from NCSA research, and we cannot verify its original source. NCSA has not actively referenced this statistic for several years, but we discovered that it was included in an outdated infographic on our website. We have removed all of these references and do not recommend its ongoing usage. Members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.”
Well, that’s a bummer, right?
While we here at Hashed Out may not be the internet’s top
resource for cyber security related information – though we strive to be and
have more than two million readers – we still want to do the best job we can at
providing you with the best and most useful information possible. This includes
topics such as small business cyber
With this in mind, we’ve put together a list of some of the small business cyber security statistics you SHOULD know in one convenient resource. We’ll also discuss why SMBs make such attractive targets and what you can do to protect your business. Note: This article is one that we plan to continually update with new, fresh SMB cyber security statistics, so be sure to check back periodically for updates and new information!
Anyhow, as we like to say around here…
Let’s hash it out.
When we originally wrote this article, we shared a 2017 study from
VIPRE Security that showed two-thirds (66%) of small and medium-sized
businesses would suffer catastrophic consequences and would have to close their
doors after a breach. Their survey of 250 SMBs’ IT managers conveyed that the
businesses would shut down for a minimum of one day or would be put out of
business entirely if such an event were to occur.
While we hoped that our research on small business cyber
security related stats would show that this number decreased over the past two
years, unfortunately, that’s not really the case. We’ve compiled a list and
will discuss some of the cyber security statistics you’ll want to know about
small businesses and mid-size companies:
1. 43% of All Data Breaches Target SMBs
Verizon’s most recent Data Breach
Investigation Report (DBIR) shows that almost half of all breaches occurred
at small businesses. This statistic speaks for itself and doesn’t require more
of an explanation.
2. There Was a 424% Increase in Authentic and New
Breaches of Small Businesses in 2018
The cyber security firm 4iQ states in its 2019 Identity Breach Report
that cybercriminals targeted small businesses with cyber attacks at an
inordinate rate in 2018 — up nearly 425% over the previous year.
3. 83% of SMBs Lack the Funds to Deal with the
Repercussions of a Cyber Attack
Cyber Survey of more than 1,300 SMB owners shows that more than 80% of
businesses lack the money they would need to recover from a cyber attack or
data breach. Of those that report setting money aside for such an incident
(17%), few have considered the reputational or legal costs they will likely
face if an attack should occur. That’ll take the buzz out of any victory they
may have momentarily felt.
4. The Average Cyber Attack Carries a Price Tag of
Nearly $3 Million
When it comes to calculating the costs of a cyber attack,
there are many considerations you must take into account: The cost of any
ransom you may be expected to pay, the cost of any data that may be lost,
sustained system outages, downtime, non-compliance fines, legal fees – not to
mention potential lawsuits. Keeper Security and the Ponemon Institute’s 2018
State of Cybersecurity in Small & Medium Size Businesses report states
that downtime accounts for about $1.56 million of those costs.
For an example of the “extra” costs businesses face, look
no further than the recent AMCA
data breach. The company, which also operates as Retrieval-Masters
Creditors Bureau, Inc., has paid millions in such “additional” costs — $4.2
million to report the breach, $3.8 million for notifications, etc. That’s
before getting into the penalties and lawsuits…
5. SMBs Experience 8+ Hours of Downtime During a
Security Capabilities Benchmark Study shows that 40% of midmarket companies
with 250-499 employees “experienced eight hours or more of system downtime due
to a severe security breach in the past year.”
6. 1 in 323 Emails to Small Businesses are Malicious
Symantec’s 2019 Internet
Security Threat Report shows that employees of smaller organizations were
more likely to be hit by email threats such as spam, phishing, and email malware
than those who work at large organizations.
7. 60% of SMBs Cite Employee Negligence as Cause of
The Keeper Security/Ponemon Institute’s small and medium
size businesses report shows the number of SMBs reporting negligent employees
and contractors as the cause of data breaches increased to 60% in 2018 — whereas
external threats (hackers) were reported as 37% of the causes.
8. 54% of SMBs Believe Their Companies are “Too Small”
to Be Ransomware Targets
The Keeper Security/Ponemon Institute SMB report shows
that some SMBs think that their organizations are too small to be attractive
targets for cybercriminals. However, if you’ve read virtually any recent cyber
security reports or literature, you’d know that no company is “too small” or “too
large” that a cybercriminal won’t take an interest. Like a modern version of
Goldilocks — you know, if she was a cybercriminal rather than a trespasser
breaking into bears’ houses — she’ll have no problem trying the cyber
defenses of every company to find a target that is “just right.”
9. 77% of SMBs Anticipate Outsourcing Cyber Security
reports in its State of SMB Cyber Security in 2019 report that nearly 80%
of small businesses believe their cyber security tasks will be outsourced
within five years’ time.
10. 62% of SMBs Lack the In-House Skills to Handle
As disconcerting as it may be, it isn’t surprising that
many small businesses lack the in-house personnel. However, this is a practice
that needs to stop considering that attacks on small businesses are the most
common. Continuum’s 2019 small business cyber security report shares that
nearly two-thirds of SMBs say they don’t have the employees to handle cyber
security functions, and 56% report that they don’t have any cyber security
experts within their ranks.
11. 62% of Phishing Simulations Hook at Least One Set
of User Credentials
research shows that more than half of phishing campaigns resulted in at
least one set of user credentials becoming exposed. Furthermore, the same study
showed that 64% of phishing campaigns involved at least one out-of-date device.
12. Small Businesses Invest Less Than $500 Per Year in Cyber Security
This devastatingly low number is the average amount that Juniper
Research’s 2018 study says that small businesses spend on consumer-grade
cyber security products each year. Considering that SMBs represent only 13% of
the cyber security market, it’s no surprise that small businesses make such an
attractive target to cybercriminals.
13. 55% of Small Businesses Cite Resources and
Knowledge as Challenges to Cyber Security Planning
by the Better Business Bureau (BBB) indicates that the greatest challenges for
developing a cyber security plan to increase small business cyber security are a
lack of resources or knowledge.
14. Cyber Attacks Due to Weak or Stolen Employee
Passwords Average $383,365
Did you know that the average cost of cyber attacks that
result from compromised employee passwords is $383,365? This is one of the
findings of the Keeper Security/Ponemon Institute SMB report.
15. 68% of Small Businesses Don’t Have Disaster Recovery
that more than two-thirds of small business owners don’t have a disaster
recovery (DR) plan in place. Additionally, the report shows that 71% of small
business owners choose not to buy business interruption insurance.
Unfortunately for consumers, many business owners still
convince themselves that their businesses are “too small” to be of interest to
Magazine reports that this is even the case with some businesses that experienced
data breaches in the past!
In reality, it should come as no surprise that small and
midsize businesses make tempting targets
for cybercriminals. Due to their small sizes and limited funds, SMBs often have
access to fewer personnel and information and technology resources than their
larger corporate counterparts. This is particularly important considering that
small businesses are the drivers of the economy in the U.S. The most recent data
from the U.S. Small Business Administration (SBA) reports
that there were 30.2 million businesses in the U.S. as of 2015. Of these, 5.9
million had paid employees.
As a small company with more than 85 employees, we’re certainly
not going to sit here and bash the people who work at small businesses by
saying that employees are the root of all evil. However, there is truth in the
statement that employees do pose a serious risk for every business — small or
otherwise — because of the decisions that are made by upper-level management. Employees
who lack the knowledge or training to avoid cyber threats are in positions to
unwittingly put your company at risk by something as simple as clicking on the link
in one phishing email. However, if IT security personnel and other employees
alike are never given the training, funding, or resources they need, how can we
hold them at fault?
At the SSL Store, we’re a small company that specializes in
secure sockets layer/transport layer security (SSL/TLS) to create encrypted
connections. As such, we’re happy to help you configure your servers for
maximum protection and to get that lauded “HTTPS” in your web address. However,
that’s only one piece of the puzzle — SSL only secures certain attack vectors.
As such, you’ll need to invest in additional security measures to increase the
digital security of your small or medium-sized business.
Some such methods that should be used to create
multi-layered protection include:
We know you’ve already got a lot on your plate and probably
don’t have time to read a long article. Here’s what we covered in today’s
discussion on small business cyber security statistics:
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/