123 SMB Cybersecurity Statistics

As we explored in our 239 Cybersecurity Statistics roundup, cybersecurity is one of the fastest-growing industries in the world–and, due to the ever-moving influx of remote clients, customers, team members, and key stakeholders, small businesses have more at stake than they may realize.

In today’s blog, we cover 300 SMB cybersecurity statistics you need to know divided by year, industry, and overall significance. 

Let’s get started:

The Top SMB Cybersecurity Statistics of 2023 (So Far)

• 61% of small-to-medium-sized businesses have been the target of a cyberattack

• Small business employees experience a 350% higher likelihood of being targeted by social engineering attacks vs. employees working at medium-sized or large enterprises

• 87% of SMBs report that they store customer data that could be compromised by an attack

• Malware is the most common type of cyberattack directed at small businesses

• 27% of SMBs that collect customer credit card information state that they have little to no cybersecurity protection

• Nearly 95% of cybersecurity incidents involving SMBs cost between $826 USD and $653,587 USD in 2023

• 50% of small organizations said that it took over 24 hours to start to recover from a cyberattack

• Almost 40% of small businesses reported that they lost critical, unretrievable data as the result of a cyberattack

• 51% of small businesses said their website was down for 8 - 24 hours in the wake of an attack

• Only 17% of small businesses globally have cyber insurance, with 48% not purchasing it until after their first cyberattack

• 95% of cybersecurity breaches are attributed to human error

• 64% of small business owners are not familiar with the regulatory standards pertaining to cyber insurance

• The next five years are due to see a 15% increase in cybercrime costs, reaching 10.5 trillion by 2025

• Small organizations (those with fewer than 500 employees) spend an average of nearly $3 million USD per cyber incident

2022 Small Business Cybersecurity Stats in Review

How does this stack up against 2022's small business cyber landscape?

Key highlights from this year included, but weren't limited to:

• 51% of small businesses had no cybersecurity measures in place

• Only 17% of small businesses stated that they encrypted their data

• 36% of small business owners reported being "not concerned" about cyberattacks, with 59% of interviewees claiming that it was because they were "too small" to be targeted

• Under 30% of SMBs that suffered a breach in 2022 responded by hiring IT staff or a cybersecurity firm

• In order, antivirus software (at 58%), firewall implementation (at 49%), VPN usage (at 44%), and password management (at 39%) were the top four cybersecurity tools SMBs were planning to adopt

• Only 13% were hit by ransomware during 2022, down from 34% in the year before

• 45% of small business owners said that their processes were ineffective at mitigating cyberattacks

• 66% of small business owners reported having experienced a cyberattack in the past 12 months

• 69% of small business owners stated that cyber attacks were becoming more targeted

• In 2022, the most common types of cyberattacks were, in order: phishing (at 57%), compromised or stolen devices (at 33%), and credential theft (at 30%)

2021 Small Business Cybersecurity Stats in Review

• 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees

• Personal data was stolen in 45% of all breaches

• The average cost of a data breach was an unprecedented $4.24 million

• 54% of businesses stated that their IT departments lacked the experience to manage sophisticated cyberattacks

• The average time it took to identify a data breach was 212 days

• 43% of all data breaches were caused by insiders, with this statistic only climbing year over year

• The average organization took 286 days to identify and contain a breach

• 42% of companies experienced cyber fatigue

• 83% of small and medium-sized businesses claimed not to be financially prepared to recover from a cyberattack

• 1 in 5 small organizations did not use endpoint security, and 52% of SMBs did not have IT security experts in-house

• 43% of SMBs did not have an incident response plan in place

2020 Small Business Cybersecurity Stats in Review

• The average privacy budget for smaller organizations (250-499 employees) doubled from $0.8 million to $1.6 million

• 78% of SMBS looked at security as their top cloud-related challenge

• This was followed by better managing cloud spend (at 76%) and lacking the necessary resources and expertise to manage cloud-based software (at 72%)

• 93% of small business data breaches were financially motivated

• Only 3% of cyberattacks in 2020 were reported to be motivated by espionage

• VIPRE’s SMB Security Trends survey reported that nearly half of the CISOs and IT pros found data security to be their biggest IT security challenge, followed by preventing data loss (at 42%) and increasing employee security awareness (at 41%)

• 57% of data breaches that targeted small businesses were perpetrated by external threat actors, an increase from the 26% reported the previous year

• 52% of SMBs reported that they did not regularly allow their employees to work remotely before the start of the pandemic, with 22% switching to entirely remote work with no cybersecurity threat prevention plan in place

(8)

Notable Small Business Cybersecurity Predictions for 2023 and Beyond

• Gartner forecasts that by 2025, 60% of organizations will embrace zero trust as the first step to security

• Through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs in order to minimize operational friction and maximize control adoption

• By 2024, modern privacy regulation will blanket the majority of consumer data (however, it's estimated that less than 10% of organizations will have successfully weaponized privacy as a competitive advantage)

• By 2026, 10% of large enterprises will have a measurable zero-trust program in place, (up from less than 1% in 2023)

• By 2027, 75% of employees will create technology outside IT’s visibility

• By 2025, 50% of cybersecurity leaders will have unsuccessfully attempted to leverage cyber risk quantification to drive organizational decision-making

• By 2025, nearly half of SMB cybersecurity leaders will change jobs due to high reported levels of stress

• By 2026, 70% of SMB boards will include one member with cybersecurity expertise

• Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today

2023 SMB Cybersecurity Statistics by Industry

Being in the loop about the top SMB cybersecurity stats for your industry is essential in determining where to place your organization's proactive cybersecurity efforts.

We break them down for you below:

Healthcare SMB Cybersecurity Stats to Know:

• Half of internet-connected devices in hospitals are vulnerable to hacks

• 70% of recently surveyed organizations reported that healthcare ransomware attacks have resulted in longer lengths of stays in hospital and delays in procedures and tests that have resulted in poor outcomes including an increase in patient mortality

• The average cost of a data breach is over $10 million dollars in the healthcare industry

• 95% of general identity theft is made up of stolen hospital records

• Healthcare data breaches have had the highest security breach costs for over twelve consecutive years

• 88% of polled healthcare employees have opened phishing emails

• An HIMSS survey reported that 36% of non-acute care employees have said that their companies do not undergo phishing tests

• Almost 24% of healthcare employees across the United States have not received Cybersecurity Awareness Training

• Healthcare security breaches cost, on average, $408 per record

Education SMB Cybersecurity Stats to Know:

• The education sector experiences a 44% increase in cyber-attacks when compared to 2021, with an average of 2297 attacks against organizations every week

• In 2019, there were a reported 348 incidents of cyberattacks on educational organizations, which was almost three times as many as in 2018

• 96% of decision-makers in the educational sector believe their organizations are susceptible to external cyberattacks; 71% say they are not prepared to defend against them

• Education ranks second as the most vulnerable to ransomware attacks, with healthcare still placing first

• 42% of school staff do not adhere to cyber hygiene protocols

• 41% of the attacks on higher education involved social engineering

• 30% of users working within education have fallen victim to phishing attacks since 2019

• Education-related records can be sold as much as $265 USD per record on average on the dark web

• 87% of educational establishments have suffered at least one successful cyberattack

• 85% of universities agree that investing in cybersecurity should be a budgetary priority

• The education sector accounted for over 13% of all data breaches in 2017

• Out of all industries, education ranks as the least secure when it comes to cybersecurity

• For universities, ransomware attacks doubled between 2019 and 2020

• Over 128 school districts across North America have dealt with repeat cyberattacks beginning in 2016

Fintech SMB Cybersecurity Stats to Know:

• 55% of financial institutions were hit by ransomware within the last year, a 62% increase on the previous year

• 80% of data breaches in fintech are the result of lacking or reused passwords

• One-third of fintech SMBs with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions

• Fintech SMBs spend 5% to 20% of their IT budget on security

• 22% of fintech SMBs increased cybersecurity spending in 2021

• 42% of fintech SMBs have revised their cybersecurity plan since the COVID-19 pandemic

• 76% of SMBS in the fintech space that increased cybersecurity spending cited a rising fear of new threats

Law SMB Cybersecurity Stats to Know:

• 37% of ransomware attacks are launched against organizations with less than 100 employees

• 55% of residents in the U.S. report being less likely to continue doing business with firms that are breached

• Only 20% of small law firms have implemented satisfactory multi-factor authentication

•  80% of all hacking incidents involve compromised credentials or passwords

•  85% of MSPs consider ransomware one of the biggest threats to their law SMB clients

• Nearly half of all SMBs spend less than $1,500 monthly on cybersecurity

• 51% of law SMBs that fall victim to ransomware pay the money

Government SMB Cybersecurity Stats to Know:

• In 2022, the UK government announced new cybersecurity measures to protect their nuclear weapons systems

• Nearly 80% of nation-state attackers targeted government agencies, think tanks, and other non-government organizations

• 58% of cyberattacks from nation-statess originated in Russia.

• The United States remains the most highly targeted country with 46% of global cyberattacks being directed towards Americans

• Fraud cases have increased 70% since 2020

• Government bodies caution for people to expect greater governance of cryptocurrencies in the coming years

• Vanatu’s official government sites and online services were compromised by a sophisticated cyberattack in 2022

• The United States government is ranked as the #1 most-targeted government for cyberattacks, with a likelihood of 38%

• 75% of SMBs could not stay in operation if hit with ransomware, including government-adjacent ones

Global Cybersecurity Stats

• Worldwide, spending within the cybersecurity industry reached $40.8 billion in 2019

• 2021 saw $787,671 in direct financial losses every hour due to security breaches

• Between May 2020 and May 2021, cybercrime in the Asia-Pacific rose by 168%

• Japan experienced a 40% increase in cyberattacks in 2021 compared to 2020

• In Q3 2022, there was a 70% uptick in breached accounts compared to Q2 of the same year

• 4 out of 5 SMBs state that their antivirus software has not stopped malware

• Only 16% of SMBs report feeling secure in their security posture

• Nearly 70% of SMBs do not enforce password for multi-factor authentication policies

• 68% of SMBs store confidential data like email addresses, whereas over half store phone numbers and store billing addresses

• Web-based attacks make up most of cyberattacks against SMBs at 49%

• Over half of small-to-midsize businesses go out of business within six months of being hit by a successful cyberattack

• 58% of malware victims are SMBs

• 70% of SMB owners report not feeling ready for a cyberattack if one hits

• 43% of the world’s total cyberattacks are targeted at small-to-midsize businesses 

• Supply chain attacks are becoming a global trend in 2023

• 54% of companies claim that their IT departments will not be able to handle cyberattacks

• “Cybersecurity fatigue” impacts 42% of organizations

• 43% of security breaches are insider threats

• Nearly 40% of all security breaches in 2021 involved phishing

• Out of all the email attachment types, the most malicious ones are .doc and .dot, at 37%

Types of Attacks SMBs Are Most At Risk From

Lastly, what are the types of attacks SMBs are most at risk from in 2023?

Here's what the reports have to say:

• Phishing attacks increased by 48% in the first half of 2022, with reports of 11,395 incidents costing businesses around the globe a total of $12.3 million

• Up to 40% of cyber threats for SMBs are now occurring directly through the supply chain

• Ransomware attacks grew by 41% in 2022 and identification and remediation for a breach took 49 days longer than the average breach; this is trending upwards in 2023 and beyond

• As the internet of things (IoT) continues to grow in scope, it is becoming an increasingly tempting target for cybercriminals

Don't Become Part of the Percentage. Partner With Packetlabs

Here at Packetlabs, our penetration testing services are 95% manual: this is a testament to our commitment to both quality and security. We strive to ensure that the best test results are delivered to our clients. Our in-depth testing ensures that no stone is left unturned, and even the most minute of weaknesses can be found and eliminated.

Our team comprises highly experienced professionals with some of the industry’s most sought-after certifications, such as CREST, OSCP, CEH, and CISSP.

Contact us today or join our newsletter for cybersecurity education and implementation that goes beyond the checkbox.