As we explored in our 239 Cybersecurity Statistics roundup, cybersecurity is one of the fastest-growing industries in the world, and, due to the ever-moving influx of remote clients, customers, team members, and key stakeholders, small businesses have more at stake than they may realize.
In today’s blog, we cover 300 SMB cybersecurity statistics you need to know divided by year, industry, and overall significance.
Let’s get started:
61% of small-to-medium-sized businesses have been the target of a cyberattack
Small business employees experience a 350% higher likelihood of being targeted by social engineering attacks vs. employees working at medium-sized or large enterprises
87% of SMBs report that they store customer data that could be compromised by an attack
Malware is the most common type of cyberattack directed at small businesses
27% of SMBs that collect customer credit card information state that they have little to no cybersecurity protection
Nearly 95% of cybersecurity incidents involving SMBs cost between $826 USD and $653,587 USD in 2023
50% of small organizations said that it took over 24 hours to start to recover from a cyberattack
Almost 40% of small businesses reported that they lost critical, unretrievable data as the result of a cyberattack
51% of small businesses said their website was down for 8 - 24 hours in the wake of an attack
Only 17% of small businesses globally have cyber insurance, with 48% not purchasing it until after their first cyberattack
95% of cybersecurity breaches are attributed to human error
64% of small business owners are not familiar with the regulatory standards pertaining to cyber insurance
The next five years are due to see a 15% increase in cybercrime costs, reaching 10.5 trillion by 2025
Small organizations (those with fewer than 500 employees) spend an average of nearly $3 million USD per cyber incident
How does this stack up against 2022's small business cyber landscape?
Key highlights from this year included, but weren't limited to:
51% of small businesses had no cybersecurity measures in place
Only 17% of small businesses stated that they encrypted their data
36% of small business owners reported being "not concerned" about cyberattacks, with 59% of interviewees claiming that it was because they were "too small" to be targeted
Under 30% of SMBs that suffered a breach in 2022 responded by hiring IT staff or a cybersecurity firm
In order, antivirus software (at 58%), firewall implementation (at 49%), VPN usage (at 44%), and password management (at 39%) were the top four cybersecurity tools SMBs were planning to adopt
Only 13% were hit by ransomware during 2022, down from 34% in the year before
45% of small business owners said that their processes were ineffective at mitigating cyberattacks
66% of small business owners reported having experienced a cyberattack in the past 12 months
69% of small business owners stated that cyber attacks were becoming more targeted
In 2022, the most common types of cyberattacks were, in order: phishing (at 57%), compromised or stolen devices (at 33%), and credential theft (at 30%)
82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees
Personal data was stolen in 45% of all breaches
The average cost of a data breach was an unprecedented $4.24 million
54% of businesses stated that their IT departments lacked the experience to manage sophisticated cyberattacks
The average time it took to identify a data breach was 212 days
43% of all data breaches were caused by insiders, with this statistic only climbing year over year
The average organization took 286 days to identify and contain a breach
42% of companies experienced cyber fatigue
83% of small and medium-sized businesses claimed not to be financially prepared to recover from a cyberattack
1 in 5 small organizations did not use endpoint security, and 52% of SMBs did not have IT security experts in-house
43% of SMBs did not have an incident response plan in place
The average privacy budget for smaller organizations (250-499 employees) doubled from $0.8 million to $1.6 million
78% of SMBs looked at security as their top cloud-related challenge
This was followed by better managing cloud spend (at 76%) and lacking the necessary resources and expertise to manage cloud-based software (at 72%)
93% of small business data breaches were financially motivated
Only 3% of cyberattacks in 2020 were reported to be motivated by espionage
VIPRE’s SMB Security Trends survey reported that nearly half of the CISOs and IT pros found data security to be their biggest IT security challenge, followed by preventing data loss (at 42%) and increasing employee security awareness (at 41%)
57% of data breaches that targeted small businesses were perpetrated by external threat actors, an increase from the 26% reported the previous year
52% of SMBs reported that they did not regularly allow their employees to work remotely before the start of the pandemic, with 22% switching to entirely remote work with no cybersecurity threat prevention plan in place
Gartner forecasts that by 2025, 60% of organizations will embrace zero trust as the first step to security
Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs in order to minimize operational friction and maximize control adoption
By 2024, modern privacy regulation will blanket the majority of consumer data (however, it's estimated that less than 10% of organizations will have successfully weaponized privacy as a competitive advantage)
By 2026, 10% of large enterprises will have a measurable zero-trust program in place (up from less than 1% in 2023)
By 2027, 75% of employees will create technology outside IT’s visibility
By 2025, 50% of cybersecurity leaders will have unsuccessfully attempted to leverage cyber risk quantification to drive organizational decision-making
By 2025, nearly half of SMB cybersecurity leaders will change jobs due to high reported levels of stress
By 2026, 70% of SMB boards will include one member with cybersecurity expertise
Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today
Being in the loop about the top SMB cybersecurity stats for your industry is essential in determining where to place your organization's proactive cybersecurity efforts.
We break them down for you below:
Half of internet-connected devices in hospitals are vulnerable to hacks
70% of recently surveyed organizations reported that healthcare ransomware attacks have resulted in longer lengths of stays in hospital and delays in procedures and tests that have resulted in poor outcomes including an increase in patient mortality
The average cost of a data breach is over $10 million in the healthcare industry
95% of general identity theft is made up of stolen hospital records
Healthcare data breaches have had the highest security breach costs for over twelve consecutive years
88% of polled healthcare employees have opened phishing emails
An HIMSS survey reported that 36% of non-acute care employees have said that their companies do not undergo phishing tests
Almost 24% of healthcare employees across the United States have not received Cybersecurity Awareness Training
Healthcare security breaches cost, on average, $408 per record
The education sector experienced a 44% increase in cyberattacks compared to 2021, with an average of 2297 attacks against organizations every week
In 2019, there were a reported 348 incidents of cyberattacks on educational organizations, which was almost three times as many as in 2018
96% of decision-makers in the educational sector believe their organizations are susceptible to external cyberattacks; 71% say they are not prepared to defend against them
Education ranks second as the most vulnerable to ransomware attacks, with healthcare still placing first
42% of school staff do not adhere to cyber hygiene protocols
41% of the attacks on higher education involved social engineering
30% of users working within education have fallen victim to phishing attacks since 2019
Education-related records can be sold for as much as $265 USD per record on average on the dark web
87% of educational establishments have suffered at least one successful cyberattack
85% of universities agree that investing in cybersecurity should be a budgetary priority
The education sector accounted for over 13% of all data breaches in 2017
Out of all industries, education ranks as the least secure when it comes to cybersecurity
For universities, ransomware attacks doubled between 2019 and 2020
Over 128 school districts across North America have dealt with repeat cyberattacks beginning in 2016
55% of financial institutions were hit by ransomware within the last year, a 62% increase on the previous year
80% of data breaches in fintech are the result of lacking or reused passwords
One-third of fintech SMBs with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions
Fintech SMBs spend 5% to 20% of their IT budget on security
22% of fintech SMBs increased cybersecurity spending in 2021
42% of fintech SMBs have revised their cybersecurity plan since the COVID-19 pandemic
76% of SMBs in the fintech space that increased cybersecurity spending cited a rising fear of new threats
37% of ransomware attacks are launched against organizations with less than 100 employees
55% of residents in the U.S. report being less likely to continue doing business with firms that are breached
Only 20% of small law firms have implemented satisfactory multi-factor authentication
80% of all hacking incidents involve compromised credentials or passwords
85% of MSPs consider ransomware one of the biggest threats to their law SMB clients
Nearly half of all SMBs spend less than $1,500 monthly on cybersecurity
51% of law SMBs that fall victim to ransomware pay the money
In 2022, the UK government announced new cybersecurity measures to protect their nuclear weapons systems
58% of cyberattacks from nation-states originated in Russia
The United States remains the most highly targeted country with 46% of global cyberattacks being directed towards Americans
Fraud cases have increased 70% since 2020
Government bodies caution people to expect greater governance of cryptocurrencies in the coming years
Vanuatu’s official government sites and online services were compromised by a sophisticated cyberattack in 2022
The United States government is ranked as the #1 most-targeted government for cyberattacks, with a likelihood of 38%
75% of SMBs could not stay in operation if hit with ransomware, including government-adjacent ones
Worldwide, spending within the cybersecurity industry reached $40.8 billion in 2019
2021 saw $787,671 in direct financial losses every hour due to security breaches
Between May 2020 and May 2021, cybercrime in the Asia-Pacific rose by 168%
Japan experienced a 40% increase in cyberattacks in 2021 compared to 2020
In Q3 2022, there was a 70% uptick in breached accounts compared to Q2 of the same year
4 out of 5 SMBs state that their antivirus software has not stopped malware
Only 16% of SMBs report feeling secure in their security posture
Nearly 70% of SMBs do not enforce password for multi-factor authentication policies
68% of SMBs store confidential data like email addresses, whereas over half store phone numbers and billing addresses
Web-based attacks make up most of cyberattacks against SMBs at 49%
Over half of small-to-midsize businesses go out of business within six months of being hit by a successful cyberattack
58% of malware victims are SMBs
70% of SMB owners report not feeling ready for a cyberattack if one hits
43% of the world’s total cyberattacks are targeted at small-to-midsize businesses
Supply chain attacks are becoming a global trend in 2023
54% of companies claim that their IT departments will not be able to handle cyberattacks
“Cybersecurity fatigue” impacts 42% of organizations
43% of security breaches are insider threats
Nearly 40% of all security breaches in 2021 involved phishing
Out of all the email attachment types, the most malicious ones are .doc and .dot, at 37%
Lastly, what are the types of attacks SMBs are most at risk from in 2023?
Here's what the reports have to say:
Phishing attacks increased by 48% in the first half of 2022, with reports of 11,395 incidents costing businesses around the globe a total of $12.3 million
Up to 40% of cyber threats for SMBs are now occurring directly through the supply chain
Ransomware attacks grew by 41% in 2022 and identification and remediation for a breach took 49 days longer than the average breach; this is trending upwards in 2023 and beyond
As the internet of things (IoT) continues to grow in scope, it is becoming an increasingly tempting target for cybercriminals
Here at Packetlabs, our penetration testing services are 95% manual: this is a testament to our commitment to both quality and security. We strive to ensure that the best test results are delivered to our clients. Our in-depth testing ensures that no stone is left unturned, and even the most minute of weaknesses can be found and eliminated.
Our team comprises highly experienced professionals with some of the industry’s most sought-after certifications, such as CREST, OSCP, CEH, and CISSP.
Contact us today or join our newsletter for cybersecurity education and implementation that goes beyond the checkbox.