Cyberattacks targeting small businesses hit 3-year high, ITRC reports

During the past 12 months, 42% of small businesses that suffered a cyberattack lost revenue because of the incident, the ITRC reports.


During the past 12 months, 73% of small business owners said they had a cybersecurity incident, according to the Identity Theft Resource Center (ITRC) Business Impact Report. This was the highest percentage of businesses reporting a cyber event in the three years that ITRC has been producing the report.

Among those that did see an attack, 42% lost revenue because of the event. ITRC noted this was a 3% decline compared with the year prior, but that small businesses faced other repercussions. These included an increase in customers losing trust in the business, higher employee turnover and having a harder time understanding how the event occurred.

For organizations that had a cyber incident, 33% used cyber insurance as their primary source of recovery funding, while 29% dipped into cash reserves and around a quarter extended or opened a new line of credit, ITRC reported.

“We saw a spike in attacks in 2021 before a reduction last year due to the Russian invasion of Ukraine and disruption in the cryptocurrency markets. Identity crime markets have rebounded this year, leading to record levels of breaches, suicide rates and business attacks,” Eva Velasquez, ITRC president and CEO, said in a release. “The good news is that small business leaders are focused on data security and privacy protection. However, we still have a lot of work to do. We must accelerate the transition to newer protections and continue to develop new resources to assist victims based on solid research and unmistakable evidence.”

While nearly three-quarters of small businesses were victims of a cyberattack, 85% of respondents to ITRC’s survey said they were ready for such an event.

Feeling prepared and being prepared are, of course, two very different things, and small business owners might be a bit overconfident. A coincidentally timed, but unrelated, report from The Hanover found that many small and mid-sized businesses lack basic cybersecurity provisions. For example, 62% of these organizations don’t train employees and half do not use multifactor authentication.

Further, 61% of small and mid-sized businesses have no incident response plan and 81% have no post-breach response team, according to The Hanover, which surveyed decision-makers at small- and mid-sized businesses for its cyber report.

The Hanover survey also found that few (7%) of these decision-makers think it is “very likely” they’ll have a cyber incident in the coming 12 months. This might be leading to a lax attitude around security, as 64% of survey respondents said they access business email on personal devices, while 33% connect their devices to public and unsecure Wi-Fi networks.

“With a small percentage of business decision-makers thinking a cyber incident is ‘very likely,’ the difference between perception and reality is glaring,” Eric Cernak, president of cyber at The Hanover, said in a release. “This creates an opportunity for independent agents to talk with their customers about the importance of proactively managing cyber risk and leveraging cybersecurity services.”
