Cyber Incidents Targeting SMBs Dropped Slightly

Cybersecurity incidents aimed at small businesses increased by 61 percent between the pandemic years 2020 and 2021, but have since dropped slightly.

Source: ITC | Published on November 2, 2022

Web outages at American Family

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization founded to assist victims of identity theft, has released the 2022 Business Impact Report, its second annual report on the effects of identity theft and cyberattacks on small businesses and solopreneurs.

The ITRC surveyed 447 small business owners, leaders, and employees for the report to investigate the effects of cybercrime on small businesses. According to the responses, cybersecurity incidents aimed at small businesses increased by 61 percent between the pandemic years 2020 and 2021, but have since dropped slightly. Less than half (45 percent) of small businesses reported a security breach, data breach, or both, compared to 58 percent in the 2021 report.

Other key findings from the 2022 Business Impact Report include:

  • More than 45 percent of small businesses lost revenue as a result of cybercrime. Small businesses, on average, lost less money as a result of a cyber incident in the previous year, with one notable exception: victims of social media account takeover. (Companies paying less than $250K increased by 11 percentage points; businesses paying $250K-$500K decreased by six (6) points.)
  • However, half of the small businesses polled reported losing control of a social media account to a cybercriminal, with 87% of the victims losing revenue generated by the account. More than one-third of victims (34%) lost between $1,000 and $10,000.
  • Fewer small businesses (23 percent) reported a data breach in the previous 12 months, a two (2) percentage point decrease from 2021. However, the number of small businesses reporting a first-time breach increased by 17 percentage points since 2021.
  • Almost 30% of small businesses lost customer trust and struggled to respond to customer concerns.
  • More than 40% of small businesses had difficulty understanding what happened and why it happened.
  • 70% of small businesses said they were ready to protect against a cyberattack or recover from a data breach after investing in more security tools and training.

“There are people behind all of these statistics,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “These are people trying to support their families and the families of their employees.” When people read this report, I want them to remember that the resources stolen by cybercriminals are the same resources that are required to sustain or grow a business, which keeps those families safe, healthy, and financially secure.”

“While we are pleased to see fewer reported cyber events, we are also intrigued that so many small business leaders are confident in their ability to defend against a cyber event.” We’ll find out in 2023 whether these statistics and confidence levels are one-time occurrences or true trends.”

Another significant finding in the 2022 Business Impact Report is that small businesses relied more on cyber insurance and existing credit lines to cover the costs of a data or security breach (40 percent – a 12 percentage point increase in using insurance proceeds and a seven (7) point increase in existing credit use). In addition, 35 percent of small businesses reported returning to pre-breach performance levels within a year, a 13 percent increase. The majority of businesses (41 percent) still needed one to two years to fully recover.

The ITRC provides a variety of low- and no-cost tools to assist small businesses. By calling 888.400.5530 or visiting to live-chat, consumers can receive free live victim support or guidance from a knowledgeable advisor.

About the ITRC 2022 Business Impact Report

The ITRC conducted two online surveys in August and September 2022, with the help of SurveyMonkey, to investigate the effects of cybercrime on small businesses as defined by the US Small Business Administration. 447 people who met the criteria of being in a leadership position or an IT professional at a company with 500 or fewer employees, including solopreneurs, completed questionnaires. In our general survey, 55 percent (55%) of respondents were from companies with ten or fewer employees, including 17 percent (17%) who identified as solopreneurs; 19 percent (19%) of respondents were from companies with 11 – 50 employees; 12 percent (12%) of respondents were from organizations with 51-200 employees; and 14 percent (14%) from businesses with 201-500 employees. Nineteen percent (19%) of responses in a social media account takeover survey came from businesses with ten or fewer employees, including eight percent (8%) from solopreneurs; 36 percent (36%) of responses came from companies with 11 – 50 employees; 22 percent (22%) of responses came from SMBs with 51-100 employees; and 22 percent (22%) of responses came from organizations with teams of 101 – 500 people.

By far the majority of general survey responses – 58 percent (58%) – came from people who identified as a business owner or partner, while 28 percent (28%) came from C-Suite and Sr. Executives. The majority of respondents to the social media attack survey were “Owners or Partners” (62%) and Senior Leaders (25%).

Unless otherwise specified in a question, the term “breach” referred to both a data breach and a security breach.