Casey Crane is a regular contributor to Hashed Out with 10+ years of experience in journalism and writing, including crime analysis and IT security. She also serves as a Content Marketer at The SSL Store.

Small businesses are a favorite target of cyber criminals — cyber attacks were up 424% in 2018

You may have heard the oft-quoted small business cyber security statistic that’s something akin to “60% of small companies that suffer a cyber attack are out of business within six months.” Heck, like many major media outlets, we’ve even quoted this stat ourselves in the past. However, it turns out that the organization that’s often attributed for this small business cyber security statistic, the National Cyber Security Alliance (NCSA), actually recommends not citing this statistic for the following reason:

“This statistic was not generated from NCSA research, and we cannot verify its original source. NCSA has not actively referenced this statistic for several years, but we discovered that it was included in an outdated infographic on our website. We have removed all of these references and do not recommend its ongoing usage. Members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.”

Well, that’s a bummer, right?

While we here at Hashed Out may not be the internet’s top resource for cyber security related information – though we strive to be and have more than two million readers – we still want to do the best job we can at providing you with the best and most useful information possible. This includes topics such as small business cyber security statistics.

With this in mind, we’ve put together a list of some of the small business cyber security statistics you SHOULD know in one convenient resource. We’ll also discuss why SMBs make such attractive targets and what you can do to protect your business. Note: This article is one that we plan to continually update with new, fresh SMB cyber security statistics, so be sure to check back periodically for updates and new information!

Anyhow, as we like to say around here…

Let’s hash it out.

The Top Small Business Cyber Security Statistics

When we originally wrote this article, we shared about a 2017 study from VIPRE Security that showed two-thirds (66%) of small and medium-sized businesses would suffer catastrophic consequences and would have to close their doors after a breach. Their survey of 250 SMBs’ IT managers conveyed that the businesses would shut down for a minimum of one day or would be put out of business entirely if such an event were to occur.

While we hoped that our research on small business cyber security related stats would show that this number decreased over the past two years, unfortunately, that’s not really the case. We’ve compiled a list and will discuss some of the cyber security statistics you’ll want to know about small businesses and mid-size companies:

1. 43% of All Data Breaches Target SMBs Verizon’s most recent Data Breach Investigation Report (DBIR) shows that almost half of all breaches occurred at small businesses. This statistic speaks for itself and doesn’t require more of an explanation.
2. There Was a 424% Increase in Authentic and New Breaches of Small Businesses in 2018 The cyber security firm 4iQ states in its 2019 Identity Breach Report that cybercriminals targeted small businesses with cyber attacks at an inordinate rate in 2018 — up nearly 425% over the previous year.
3. 83% of SMBs Lack the Funds to Deal with the Repercussions of a Cyber Attack InsuranceBee’s Cyber Survey of more than 1,300 SMB owners shows that more than 80% of businesses lack the money they would need to recover from a cyber attack or data breach. Of those that report setting money aside for such an incident (17%), few have considered the reputational or legal costs they will likely face if an attack should occur. That’ll take the buzz out of any victory they may have momentarily felt.
4. The Average Cyber Attack Carries a Price Tag of Nearly $3 Million When it comes to calculating the costs of a cyber attack, there are many considerations you must take into account: The cost of any ransom you may be expected to pay, the cost of any data that may be lost, sustained system outages, downtime, non-compliance fines, legal fees – not to mention potential lawsuits. The Keeper Security and the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report states that downtime accounts for about $1.56 million of those costs. For an example of the “extra” costs businesses face, look no further than the recent AMCA data breach. The company, which also operates as Retrieval-Masters Creditors Bureau, Inc., has paid millions in such “additional” costs — $4.2 million to report the breach, $3.8 million for notifications, etc. That’s before getting into the penalties and lawsuits…
5. SMBs Experience 8+ Hours of Downtime During a Breach Cisco’s 2018 Security Capabilities Benchmark Study shows that 40% of midmarket companies with 250-499 employees “experienced eight hours or more of system downtime due to a severe security breach in the past year.”
6. 1 in 323 Emails to Small Businesses are Malicious Symantec’s 2019 Internet Security Threat Report shows that employees of smaller organizations were more likely to be hit by email threats such as spam, phishing, and email malware than those who work at large organizations.
7. 60% of SMBs Cite Employee Negligence as Cause of Data Breaches The Keeper Security/Ponemon Institute’s small and medium size businesses report shows the number of SMBs reporting negligent employees and contractors as the cause of data breaches increased to 60% in 2018 — whereas external threats (hackers) were reported as 37% of the causes.
8. 54% of SMBs Believe Their Companies are “Too Small” to Be Ransomware Targets The Keeper Security/Ponemon Institute SMB report shows that some SMBs think that their organizations are too small to be attractive targets for cybercriminals. However, if you’ve read virtually any recent cyber security reports or literature, you’d know that no company is “too small” or “too large” that a cybercriminal won’t take an interest. Like a modern version of Goldilocks — you know, if she was a cybercriminal rather than a trespasser breaking into bears’ houses — she’ll have no problems about trying the cyber defenses of every company to find a target that is “just right.”
9. 77% of SMBs Anticipate Outsourcing Cyber Security Continuum reports in its State of SMB Cyber Security in 2019 report that nearly 80% of small businesses believe their cyber security tasks will be outsourced within five years’ time.
10. 62% of SMBs Lack the In-House Skills to Handle Cyber Security As disconcerting as it may be, it isn’t surprising that many small businesses lack the in-house personnel. However, this is a practice that needs to stop considering that attacks on small businesses are the most common. Continuum’s 2019 small business cyber security report shares that nearly two-thirds of SMBs say they don’t have the employees to handle cyber security functions, and 56% report that they don’t have any cyber security experts within their ranks.
11. 62% of Phishing Simulations Hook at Least One Set of User Credentials Duo’s research shows that more than half of phishing campaigns resulted in at least one set of user credentials becoming exposed. Furthermore, the same study showed that 64% of phishing campaigns involved at least one out-of-date device.
12. Small Businesses Invest Less Than $500 Per Year in Cyber Security Products This devastatingly low number is the average amount that Juniper Research’s 2018 study says that small businesses spend on consumer-grade cyber security products each year. Considering that SMBs represent only 13% of the cyber security market, it’s no surprise that small businesses make such an attractive target to cybercriminals.
13. 55% of Small Businesses Cite Resources and Knowledge as Challenges to Cyber Security Planning A survey by the Better Business Bureau (BBB) indicates that the greatest challenges for developing a cyber security plan to increase small business cyber security is a lack of resources or knowledge.
14. Cyber Attacks Due to Weak or Stolen Employee Passwords Average $383,365 Did you know that the average cost of cyber attacks that result from compromised employee passwords is $383,365? This is one of the findings of the Keeper Security/Ponemon Institute SMB report.
15. 68% of Small Businesses Don’t Have Disaster Recovery in Mind Nationwide reports that more than two-thirds of small business owners don’t have a disaster recovery (DR) plan in place. Additionally, the report shows that 71% of small business owners choose not to buy business interruption insurance.

Why SMBs are More Vulnerable to Cyber Attacks and Data Breaches

Unfortunately for consumers, many business owners still convince themselves that their businesses are “too small” to be of interest to hackers. CPO Magazine reports that this is even the case with some businesses that experienced data breaches in the past!

In reality, it should come as no surprise that small and midsize businesses make tempting targets for cybercriminals. Due to their small sizes and limited funds, SMBs often have access to fewer personnel and information and technology resources than their larger corporate counterparts. This is particularly important considering that small businesses are the drivers of economy in the U.S. The most recent data from the U.S. Small Business Administration (SBA) reports that there were 30.2 million businesses in the U.S. as of 2015. Of these, 5.9 million had paid employees.

As a small company with more than 85 employees, we’re certainly not going to sit here and bash the people who work at small businesses by saying that employees are the root of all evil. However, there is truth in the statement that employees do pose a serious risk for every business — small or otherwise — because of the decisions that are made by upper level management. Employees who lack the knowledge or training to avoid cyber threats are in positions to unwittingly put your company at risk by something as simple as clicking on the link in one phishing email. However, if IT security personnel and other employees alike are never given the training, funding, or resources they need, how can we hold them at fault?

How You Can Protect Your Small Business from SMB Cyber Security Attacks

At the SSL Store, we’re a small company that specializes in secure sockets layer/transport layer security (SSL/TLS) to create encrypted connections. As such, we’re happy to help you configure your servers for maximum protection and to get that lauded “HTTPS” in your web address. However, that’s only one piece of the puzzle — SSL only secures certain attack vectors. As such, you’ll need to invest in additional security measures to increase the digital security of your small or medium-sized business.

Some such methods that should be used to create multi-layered protection include:

• Firewalls, antivirus, and endpoint security solutions
• Network penetration testing
• Establish computer use, device, and password policies
• Implement access management
• Email security solutions (such as anti-phishing solutions, spam filters, email signing certificates)
• Employee cyber security awareness training and phishing simulations
• Create an incident response and disaster recovery plan
• Create and maintain data backups regularly