32 Small Business Cybersecurity Statistics – 2023

Although big corporations usually make the headlines, small businesses are targeted far more frequently, with 43% of all data breaches targeting small businesses.

In this article, we’ll detail 32 key small business cybersecurity statistics.

1. 61% of SMBs Were Hit by a Successful Cyberattack in the Past Year

Small businesses remain a prime target for cyber criminals. A study released in June 2023 found that 61% of SMBs (small and medium businesses) in the US and UK were successfully hit by a cyberattack in the past year.

[Source: BlackFog]

2. 43% of All Data Breaches Are Against SMBs

One recent study identified SMBs as the #1 target of data breaches, comprising 43% of all incidents.

[Source: CNBC]

3. 37% of Small Business Owners Are Concerned About Being Attacked in the Year Ahead

In a recent survey, 37% of small business owners 37% said that they were concerned they could be the victim of a cyberattack in the next 12 months. 64% said they were confident in their ability to quickly resolve a cyber attack, should one occur.

[Source: CNBC | SurveyMonkey]

4. 4% of Small Business Owners Believe Cybersecurity Is Their #1 Risk

Among small business owners, only 4% think that cybersecurity is the greatest risk facing their business.

[Source: CNBC | SurveyMonkey]

5. 87% of IT Professionals Reported 2+ Successful Attacks in the Past Year

Lightning often strikes twice: in one recent survey, 87% of IT decision-makers at SMBs reported experiencing two or more successful attacks in the past year.


Types of Cyberattacks

6. 50% of SMBs Are Most Concerned About Malware Attacks

Among SMBs, malware attacks were the greatest concern, with 50% stating those types of attacks were their highest concern. However, 71% of cyberattacks are malware-free, showing a potential disconnect between the point of focus for SMBs and reality.

[Source: TechRepublic & Crowdstrike]

7. Ransomware Attacks Are the Most Common Cyberthreats to Small Businesses

When it comes to cybersecurity threats, ransomware is a threat to small businesses. Overall, 82% of ransomware attacks target SMBs. Other top threats to SMBs include stolen credentials, phishing, and malicious texts.

[Source: Axios & University of Maryland]

8. 13% of Small Businesses Were Hit by Ransomware in 2022

Ransomware attack rates have declined since 2021, especially those against small businesses. Among companies with fewer than 100 employees, only 13% were hit by ransomware during 2022, down from 34% in the year before.

[Source: TechRepublic]

9. Small Business Employees Experience 350% More Social Engineering Attacks Than Enterprises

Social engineering attacks – such as phishing and vishing – are a significant risk to small businesses. Overall, employees at small businesses are subject to 350% more social engineering attacks compared to their enterprise-level counterparts.

[Source: River City Bank]

10. Cloud Exploitation Grew by 95% Last Year

In 2022, cloud exploitation – where attackers exploit cloud vulnerabilities to access cloud systems – grew by 95%. Since small businesses often turn to cloud services to expand their capabilities and enhance security, this shows attackers are getting savvy to the shifting tech landscape and are becoming increasingly cloud-conscious.

[Source: Crowdstrike]

11. Cyberattack Breakout Times Fell to 84 minutes in 2022

The average cyberattack breakout time is the speed at which an attacker can breach a system once access is gained. In 2022, this breakout time fell to 84 minutes, a significant drop from the 98-minute average breakout time recorded for 2021.

[Source: Crowdstrike]

Cyberattack Cost Statistics

12. Data Breaches Cost SMBs an Average of $3M+ Per Incident

Among companies with fewer than 500 employees, the average cost of a data breach is approximately $3.31 million per incident. That averages out to $164 per breached record.

[Source: IBM]

13. Data Exfiltration Occurred in 89% of Cyberattacks on SMBs

Data exfiltration – a type of breach that involves the copying, transferring, or retrieving of data from a targeted system without proper authorization – occurs in 89% of successful cyberattacks on SMBs. Often, specific kinds of data are explicitly sought by the attacker, such as financial data, customer information, personnel data, or proprietary knowledge.

[Source: TechRepublic]

14. 39% of SMBs Lost Customer Data Due to a Cyberattack

Compromised customer data is a prime concern for companies of all sizes, as it can put their customers at risk while also harming operations. Among SMBs, 39% have lost customer data due to a cyberattack.

[Source: TechRepublic]

15. 40% of Attacked Small Businesses Lost Critical Data

Among small businesses that fell victim to a cyberattack, 40% lost critical data during the event.

[Source: BullGuard]

16. One Third of Small Businesses That Experienced an Attack Lost Business

Among small businesses that fell victim to cybercriminals, one third lost customers because of the attack. This can be due to downtime leading to a missed opportunity, customers becoming wary about using a company they view as less secure, or any other reason.

[Source: TechRepublic]

17. 58% of SMBs Experienced Downtime as the Result of a Cyberattack

Cyberattacks can significantly impact operations, often rendering systems or data inaccessible or unusable for a period. Among SMBs, 58% reported experiencing downtime due to a cyberattack.

[Source: TechRepublic]

18. 40% of Small Businesses That Fell Victim Experienced 8+ Hours of Downtime

The impacts of a cyberattack are often multifold. 40% of small businesses that were targeted by an attack experienced at least eight hours of down time as a result of the incident.

[Source: CISCO]

19. 50% of Small Business That Were Successfully Attacked Took 24+ Hours to Recover

Recovering from an incident and being able to resume business as normal isn’t usually a fast process following an attack. Overall, half of all small business owners said it took at least 24 hours to resume operations.

[Source: BullGuard]

SMB Preparedness Statistics

20. 42% of Small Business Owners Have No Cyberattack Response Plan

Among small business owners, 42% don’t have any plan in place to respond to a cyberattack. Another 11% aren’t sure whether there’s a plan in place, indicating they could experience issues should an attack occur.

[Source: CNBC]

21. Just 17% of Small Businesses Encrypt Their Data

Often, encryption is considered a basic protection against an attack, ensuring that even if a system is breached, the data isn’t easily readable. However, just 17% of small businesses actually encrypt their data.

[Source: Advisor Smith]

22. One Third of Small Businesses Rely on Free, Consumer-Grade Cybersecurity Solutions

While businesses benefit from more robust security mechanisms, not all small businesses go with paid-for, business-grade services. Instead, one-third rely on free, consumer-grade antivirus, antimalware, and similar products.

[Source: BullGuard]

23. 41% of SMBs State that a Lack of Knowledge Is the Biggest Challenge to Staying Prepared

Effective protection against cyber threats requires specific knowledge. Understanding the nature of threats and the technologies needed to mitigate them is critical for creating a comprehensive solution. Among SMBs, 41% state that their biggest challenge when designing effective protection was knowledge or a lack thereof.

[Source: BlackFog]

24. Only 6% of Small Business Owners Increased Their Cybersecurity Spending This Year

In many cases, SMBs struggle to dedicate resources toward cybersecurity, and it can be particularly challenging when costs for services or expertise rise. Year over year, only 6% of small business owners increased their cybersecurity budgets to protect themselves against threats during the last year.

[Source: Digital Ocean]

25. 25% of SMBs Cite a Lack of Time as a Major Security Issue

When it comes to significant challenges, 25% of SMBs struggle with a lack of time to properly manage security. Often, this is due to smaller staff sizes and limited resources.

[Source: Digital Ocean]

26. One in Five Small Businesses Uses No Endpoint Security

Endpoint security is critical for ensuring desktops, laptops, smartphones, and similar devices are protected on a basic level. However, a startling one in five small businesses don’t use endpoint security of any kind.

[Source: BullGuard]

27. 38% of SMBs Have Zero Dedicated Cybersecurity IT Employees

38% of SMBs have no dedicated cybersecurity team members. An additional 42% only have a single employee working on cybersecurity. And although 74% of SMBs reported they believe data privacy is a major concern, 57% don’t have a single employee dedicated to data privacy.

[Source: Digital Ocean]

28. Just 26% of Small Business Owners Have Cyberattack Insurance

Cyberattack insurance is a classic form of protection against an attack, decreasing the financial hardship hackers can cause. However, just 26% of small business owners invest in this protection.

[Source: CNBC]

29. Only 8% of Small Businesses Have a Dedicated Cybersecurity Budget

A startling 47% of businesses with 50 or fewer employees have no cybersecurity budget whatsoever. Of those that do, only a small number have a dedicated cybersecurity budget separate from IT spending. All told, only 8% of small businesses have a formal, dedicated budget to ward off cyberattacks.

[Source: Corvus Insurance]

Cybersecurity Response Statistics

30. 64% of Small Business Owners Are Confident They Can Resolve a Cybersecurity Attack

While many small business owners don’t have formal cybersecurity budgets and aren’t able to take every precaution, the vast majority seem to assume that isn’t an issue. 64% are confident that they can quickly resolve a cybersecurity attack should one occur.

[Source: CNBC | SurveyMonkey]

31. 51% of Small Business Owners Pay the Money When Hit with Ransomware

Among small businesses that were targeted and infected by ransomware, 51% chose to pay the ransom. Twenty-four percent even covered the cost out of pocket. The other 27% used cyber insurance to handle the expense.

[Source: CNBC]

32. 76% of Small Business Owners Think Disclosing a Hack Should Be Required

Generally, small business owners feel that customers have a right to know if a company they use was hacked. In fact, 76% of small business owners think such disclosures should be mandatory.

[Source: CNBC]

One Last Thing…

In the course of our research, we identified one frequently cited statistic that proved to be false. You might find many websites claiming that 60% of small businesses go out of business within six months following a cyberattack. These websites usually cite the National Cybersecurity Alliance – but the National Cybersecurity Alliance has, in fact, issued a statement describing this figure as “incorrect” and noting that it “was not generated from NCSA research.”

Should we encounter any other faulty statistics in the course of our research, we will document them here.

About the Author

Find Catherine on Firewall Times

Catherine Reed

Catherine Reed is a writer and researcher with experience writing about a wide variety of topics including personal finance, technology, and staffing.