Roughly three-quarters of small-to-medium-sized businesses (SMBs) have experienced a cyber-attack, a breach, or both in the last year. According to the third annual ITRC Business Impact Report from the non-profit Identity Theft Resource Center (ITRC), 73 percent of owners or leaders of SMBs reported being attacked or breached in the past 12 months, following a slight dip in the previous year.
“Once upon a time, it was true that small businesses and solopreneurs were not a favorite target for cybercriminals. Attackers tended to go for larger, data-rich organizations with lots of cash and thousands of employees, where the law of averages meant it was easier to find someone to fall for a phishing attack,” comments Eva Velasquez, ITRC CEO.
“That hasn’t been true since at least 2020, and the past year has seen a big jump in the number of attacks targeting small businesses. In our third annual ITRC Business Impact Report, 73 percent of owners or leaders of SMBs shared they had experienced a data breach, a cyberattack, or both in the previous 12 months,” adds Velasquez.
Despite the uptick in cyber-attacks and data breaches, small business owners remain confident about their ability to respond to the threats they face and about their options for recovery when an attack succeeds. While 70 percent of 2022 respondents said they were prepared to protect against a cyberattack or recover from a data breach, 85 percent of respondents in 2023 said they were prepared and ready to respond to a cyber event. The number of organizations reporting first-time attacks remains the same as in 2022, at 43 percent.
As larger organizations with more financial and staff resources tighten their cybersecurity and invest in threat intelligence to identify incoming cyber-attacks, cybercriminal gangs are tempted to go for lower-hanging fruit such as SMBs. Although the corporate data held by SMBs may be of less commercial value than the vast data banks managed by larger organizations, SMBs hold much information that is still extremely valuable to online criminals and fraudsters. According to ITRC, employee and consumer data continue to be the categories of information most impacted by a breach of an SMB.
Danger of over-confidence for SMBs
But while SMB executives may be confident of their cybersecurity, there is a growing danger of over-confidence on their part, given the increasing sophistication of cybercriminal groups, many of them backed by potentially hostile nation states such as China, Iran, Russia, and North Korea. These highly organized groups are not only after the personal data held by SMBs; SMBs can often provide them with a weak link in a supply chain. At a time when larger organizations are finally taking cybersecurity seriously and beginning to make significant investments in securing their data, cybercriminals are constantly trying to infiltrate those organizations' data and communication systems via third parties, such as small suppliers, whose cybersecurity might not be so robust.
Many SMBs struggle to recover from cyber breaches. According to ITRC, 33 percent of respondents regard cyber-insurance as the primary source of recovery funding, while the number of SMBs forced to fire staff to address the cost of a breach rose slightly to 13 percent. But, according to Lloyd’s Insurers of London, existing cyber-insurance is woefully inadequate to meet the coming challenges, meaning that SMBs urgently need to reassess their post-breach recovery procedures in addition to tightening their cybersecurity.