Small business cyber attack statistics including surprises for 2023

A cyber attack or data breach is a threat to every business. Still, it can be more devastating for small businesses as they face numerous challenges, including cash inflow, competition, employee retention, limited funding, supply chain and other business problems simultaneously, making it difficult for them to survive.

Being a new and small business, a minor cyber incident or data breach can not only downgrade its reputation but, in severe cases, can make them shut down its businesses. As technology advances, small businesses are increasingly exposed to multiple cyber threats, including advanced persistent threats like ransomware or severe cyber attacks. Such incidents continuously make it difficult for these businesses to remain competitive and secure in the digital world.

With the right approach, small business owners can build robust cybersecurity systems according to their business demands and need. In addition, they can ensure their business remains safe in the ever-changing digital and online world. To keep your organisation safe from cyber attacks, you can go through our managed cyber security services, where our expertise and offerings are focused on small businesses. 

Today, we will highlight the trend of cyber security attacks and cyber threats identified by small businesses over the years. The latest cyber attack statistics will help understand where SMBs (small-midsize businesses) lack cybersecurity spending and how they can protect themselves from prevalent threats, cyber risks and future attacks on critical data.

What are the most common cyber attacks on small businesses?

Due to limited resources, fewer security protections and endpoint security systems compared to large enterprises, small businesses are attractive targets for cybercriminals. As a result, they are vulnerable to multiple types of cyber threats.

Research conducted by Kaspersky in 2022 observed various types of successful cyber attacks on SMBs (small-medium sized businesses) with the following percentages:

• 56% experienced malware on organisation-owned devices.
• 45% faced social engineering and phishing attacks.
• 38% suffered from fileless attacks on organisation-owned devices due to commonly leveraged security vulnerabilities
• 40% faced ransomware attacks.
• 36% faced crypto-mining attacks.

Another research performed by a cloud-based technology solution provider found that many small business leaders in the UK, Germany, Netherlands, Australia, New Zealand, Singapore, US, and Canada felt they were attacked for the following reasons:

• 37% believed they were attacked due to phishing emails, and
• 27% blamed it on malicious websites and web ads.
• 24% thought they experienced a data breach due to weak passwords and access management, among the most significant cyber threat issues.
• 24% blamed poor user practices.
• 23% and 19% blamed the incidents on a lack of end-user and administrator security training, respectively.
• 19% blamed the incidents on vishing.
• 19% observed that they lacked anti-virus defence solutions.
• 18% had insufficient security support for using personal devices.
• 18% had outdated security patches.
• 17% had insufficient funding for IT security solutions.
• 17% noticed attack patterns due to lost or stolen employee credentials.
• 16% lacked the adoption of security solutions.
• 15% left the remote desktop protocol (RDP) open.
• 13% experienced security breaches due to shadow IT.

Whereas a study conducted among over 2000 small businesses in the US showed that cyber threats are one of the top 10 challenges they face, making up 23% of the overall findings.

The same study found that the top three cyber threats are malware, phishing, and data breaches, with the following percentage breakdown:

• Malicious software (Malware attack): 18%.
• Phishing attacks: 17%.
• Data breach: 16%.
• Website hack: 15%.
• Denial of Service (DoS): 12%.
• Ransomware attack: 10%.

A recent study on cyber attacks on small businesses in the US found the following vectors:

• Credential theft/social engineering attacks: 11%.
• Phishing emails: 17%.
• Compromised/stolen devices: 17%.
• Malware attacks: 17%.
• Ransomware attack: 19%.
• Insider attack: 11%.
• Others: 7%.

What percentage of small businesses fail after a cyber attack?

A survey in the US indicated that 60% of small businesses impacted by data breaches had to completely shut down their businesses within six months of the breach.

The impact of a data breach on any business varies, depending on multiple factors such as business size, nature, the intensity of the attack, financial stability, preparedness of business, ability and availability of resources to recover from the attack, severity of loss due to attack, and much more.

On the other hand, 70% of data breaches in 2021 were motivated by money, with only a tiny fraction done for espionage purposes. This high percentage of attack consequences emphasises how important it is for businesses to invest in security and incorporate it with business strategy to protect against such cybersecurity threats in future.

What percentage of cyber attacks are on small businesses?

• The 2022 official cyber security breaches survey showed that 36% of micro and 48% of small organisations in the United Kingdom reported experiencing data breaches and attacks.
• Research in the UK shows the following statistics on small businesses:
  • 20% of companies with 1-49 employees experienced a security breach.
  • 22% of small organisations with 50-249 employees were impacted.
  • 22.5% of companies were vulnerable to external attacks.
  • 20.2% of small businesses experienced a massive cyber attack.
  • In contrast, 32% of small businesses suffered from active cyber attacks.
• Small businesses affected by cyber attacks in the UK were mainly in the retail sector.
• According to the data breach investigation report of 2022, small businesses with 1 to 10 employees were the target of almost 80% ransomware attacks. The same report revealed that using stolen credentials was the second most common attack vector in over 70% of data breaches against small businesses with 1 to 10 employees.
• An independent research platform surveyed around 1250 small business owners with 500 or fewer employees globally and concluded that the companies that fall victim to cyber-attacks were.
  • Primarily online small businesses (20%).
  • Businesses have both online and physical presence (12%).
  • Primarily in-person businesses (7%).
• In addition, 90% of those impacted sustained financial loss:
  • 68% suffered a loss of up to $250,000.
  • 19% lost up to $500,000.
• A study in the US on small businesses found 28% of businesses are among the targets of cyber attacks since the pandemic.
• In 2021, the cost of data breaches for small businesses with less than 500 employees increased by $2.98 million from $2.35 million.
• According to 2021, 82% of ransomware attacks targeted companies with less than 1000 employee counts.
• Another survey observed one or more severe cyber attacks experienced by 61% of small and medium-sized businesses (SMBs) in 2021.
• In 2021, the FBI’s Internet Crime Complaint Center received a high volume of complaints, totalling 847,376, regarding cyberattacks and malicious cyber activity, causing losses close to $7 billion and primarily impacting small businesses.

Business downtime due to cyber attack

According a survey performed on small businesses in the UK, Germany, Netherlands, and other geo-location shows the following statistics on the average business downtime:

• The average downtime costs $126k, which includes the lost revenue.
• 45% of small enterprises sustained two or more days of rest.
• 84% of SMBs report downtime costs them $1000 to less than $250,000.
• 3% say that the web downtime costs them $750,000 to less than $1,000,000.
• 1% of the SMBs say they lost $1,000,000 or more due to downtime.
• 12% of the small businesses say they did not encounter any downtime.

Cyber Attack Statistics Infographic 

How many businesses took steps to prevent future data breaches?

With the growing number of cyber attacks aimed at small to medium-sized businesses, many companies and industries have started investing in security products and measures to mitigate prevalent threats. The driving factor behind this investment is the increasing frequency and intensity of cyber threats and the financial and reputation damage they can cause.

Nonetheless, how businesses take steps to prevent such incidents depends on the business size, industry, financials and geographical location.

• According to the research findings, even though 90% of companies that fell victim to cyber-attacks experienced a significant drop in revenue, only 8% of these businesses did not take any measures to change or enhance their security strategy. In contrast:
  • 44% installed anti-virus and anti-malware software.
  • 43% implemented VPN.
  • 29% recruited IT and security personnel.
  • 25% introduced cyber security awareness training.
• Another study conducted in 2022 by a research platform surveyed 1,250 small business owners with 500 employees or fewer. The results revealed fewer than half of these businesses had implemented measures to protect themselves from cyber-attacks.
• The results of the survey performed on over 2,000 business decision-makers in countries like the UK, Germany, the Netherlands, Singapore, and others, showed the following frequency of vulnerability assessment:
  • 13% perform vulnerability assessments more than four times a year.
  • 24% complete it 3-4 times a year.
  • 25% complete it twice a year.
  • 21% complete it once a year.
  • 12% complete it once every 2-4 years.
  • 3% perform it once every five years or longer.
  • 1% never achieve it.
  • 2% still determining.
• In comparison, a study of 1,122 businesses in the US found that 72% of small business owners have put cybersecurity measures in place. The breakdown of the steps they have taken is as follows:
  • Implementing a strong password policy (21%).
  • Implemented multi-factor authentication (20%).
  • Data encryption (17%).
  • Purchasing cyber security software (16%).
  • Regular employee training on cyber security (16%).
  • Hiring a cyber security consultant (9%).
• Another research in the same region mentioned above observed:
  • 15% of small businesses hired more in-house experts.
  • 15% consulted the third-party service provider.
  • 17% purchased and increased cyber security liability insurance.
  • 23% upgraded the security solution and tools.
  • 24% invested in educating against severe cyber attacks and preventive measures.
• In 2021, just 22% of small businesses increased their cybersecurity spending, despite 46% of all cyber breaches impacting businesses with fewer than 1,000 employees.

What is the current security posture of small businesses?

• The recent survey on the cybersecurity measures of small businesses reveals that only 42% of the over 1.2k small businesses have implemented cybersecurity practices to prevent threats in their organisations.
  • 21% of them are in the process of developing and implementing a cybersecurity plan.
  • 30% have no cybersecurity measures in place.
  • 7% are still determining the security posture of their organisations.
• The survey also found that 59% of these businesses believe they are too small to be targeted by cyber-attacks.
  • 25% feel that their limited online presence does not require security.
  • 19% do not have enough funds to implement security measures.
• In addition to the statistics mentioned above, the breakdown of businesses with insufficient security measures against cyberattacks includes:
  • 45% of businesses operate solely in person.
  • 27% of businesses operate exclusively online.
  • 21% of businesses operate both in-person and online.
• According to official statistics of UK cyber security breaches in 2022:
  • 2% of micro-organisations have security policies in place to address cyber risks.
  • 32% of micro businesses have a business continuity plan that addresses cyber security.
  • 43% of small businesses have a business continuity plan with cyber security considerations.
• The survey also revealed that:
  • 16% of micro companies are using outdated versions of Windows. Patch management must be risk-based, not the never-ending ‘patch everything’ saying. 
  • 20% of small companies have the same issue.

How many have small business owners dedicated cybersecurity budgets?

It is widely known that businesses have allocated budgets for each department. With the massive increase in cyber incidents, it has been seen that companies realise the need to dedicate funds for cyber security countermeasures to protect assets, sensitive data, customers’ PII, and overall business reputation and penalties better avoided from law enforcement attention.

• A study delicately performed on a variety of small businesses shows:
  • Only 8% of businesses having fewer than 50 employees have an assigned security budget.
  • 14% of small businesses with 50 to 249 employees have the allotted cybersecurity budget.
  • The highest percentage of businesses with a dedicated cybersecurity budget is 18% among employees of 250 or more.
• The small business cybersecurity statistics gathered by another survey show:
  • Nearly three-quarters, i.e., 69% of the small business leaders, have cyber insurance.
  • The other third, who doesn’t have cyber insurance, is looking forward to it.
• The other survey observed that 48% of companies buy insurance after the attack had hit them.
  • 20% decided to buy cyber insurance due to the high risks in their industry.
  • 19% of companies acquired cyber insurance after someone they were familiar with experienced a severe cyber attack or loss.
  • 8% purchased cyber liability insurance due to a recommendation.
• On the other hand, 64% of small businesses are not aware of the cyber insurance concept.
• A study from the US in 2021 showed that only 17% of small companies had prior insurance, which helped them cover the cost of the security breach.
• On average, SMBs spend 5-20% on security from their total IT budget.
• Due to the constant fear of evolving cyber threats, 76% of small organisations increased their security expenses. Some of the biggest cyber threats relate to misconfiguration issues.
• In 2021, 22% of small businesses increased their security budget.

How can small businesses protect themselves within a limited budget?

Small businesses being one of the top targets for cybercriminals is a matter of concern. This is often because these businesses are new and still establishing themselves, leading to security being neglected or considered a low priority. However, small businesses still handle important information such as customer data such as PII (Personal Identifiable Information), critical assets, and more that, if leaked, could harm their reputation and result in penalties.

Nevertheless, unprepared small business owners can still improve security with a limited budget by taking several steps in the right direction; some of the ways of mitigating prevalent threats are:

Developing a cyber security plan

A detailed plan that outlines business objectives and accordingly prioritises the strategies to secure critical assets and data.

Employee Training

High-end security software will never protect the business if its employees are unaware of the threat that targets them. Organisations must train their employees to identify and combat the threats coming to them.

Software Update

Regardless of business size, outdated and vulnerable software imposes high threats, and regular updates can help businesses stay protected from the latest threats.

Firewalls, Anti-virus Software and Open-source Security Software

Usage of firewalls, anti-virus software and other open-source security solutions can enhance the security posture of small businesses without a huge investment.

Cyber Insurance

Small businesses can benefit from cyber insurance to mitigate the financial impact of security breaches or other incidents.

Data Protection

Through robust data encryption mechanisms, small businesses can make it difficult for cybercriminals to gain access to sensitive data and penetrate their systems.

Regular backup

By regularly backing up important data and storing it in a secure location off-site, a business can quickly recover in the event of a data breach or other unfortunate incident, minimising downtime.

Conclusion

From the above facts and figures, it is evident that no organisation or business; be it small, mid-level or large enterprises are safe from cyber-attacks and cyber criminals.

The most minor an organisation can do to protect itself from such attacks and malicious actors is to invest in basic cybersecurity, i.e. security awareness training of its employees and implement security solutions at the very least.

References

• https://twc-it-solutions.com/cybersecurity-report-uk/
• https://advisorsmith.com/data/small-business-cyber-insurance-statistics/
• https://digital.com/51-of-small-business-admit-to-leaving-customer-data-unsecure/
• https://go.kaspersky.com/rs/802-IJN-240/images/IT%20Security%20Economics%202022_report.pdf
• https://insights.corvusinsurance.com/cyber-risk-insight-index-q1-2022/survey-findings-smb-cyber-readiness
• https://www.coveware.com/blog/2022/2/2/law-enforcement-pressure-forces-ransomware-groups-to-refine-tactics-in-q4-2021
• https://www.verizon.com/business/resources/reports/dbir/2021/smb-data-breaches-deep-dive/
• https://twc-it-solutions.com/cybersecurity-report-uk/
• https://blog.barracuda.com/2022/03/16/spear-phishing-report-social-engineering-and-growing-complexity-of-attacks/
• https://www.cyberpilot.io/cyberpilot-blog/new-ibm-report-the-real-cost-of-a-data-breach
• https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022
• https://www.cnbc.com/2022/12/16/fbi-7-billion-lost-in-criminal-hacks-most-victims-small-businesses.html
• https://www.strongdm.com/blog/small-business-cyber-security-statistics
• https://www.fundera.com/resources/small-business-cyber-security-statistics
• https://www.kaspersky.com/about/press-releases/2022_small-businesses-are-still-in-danger-facing-an-increasing-number-of-attacks-in-2022