Over Half of Small Businesses Have Suffered a Breach: Cybersecurity Trends

Whenever I need to find a good cybersecurity or data privacy topic, I can usually find one on Sharon Nelson’s excellent Ride the Lightning blog on her Sensei Enterprises site.  This one is about an interesting report issued by the Identity Theft Resource Center (ITRC) with data on small business cybercrimes from two surveys, with several findings, including that over half of responding small businesses have suffered a breach.

The 2021 Business Aftermath Findings (Insights on Small Business Identity and Cybercrimes) report released in October by the ITRC (covered here by Sharon) has several notable findings regarding small businesses and breaches, including:

  • 58% of small businesses have had at least one security breach or one data breach – or both, with 16% having suffered a data breach, 22% having suffered a security breach and 20% having suffered both.
  • 44% paid between $250,000-$500,000 to cover their breach costs.
  • 16% paid between $500,000-$1,000,000 to cover their breach costs.
  • 42% said it took them 1-2 years to return business to normal.
  • 28% said it took them 3-5 years to return business to normal.
  • 7% have not yet fully recovered.

Even more notable, most of the small businesses who have suffered a breach have suffered more than one:

  • 25% have had one breach
  • 41% have had two breaches
  • 25% have had three breaches
  • 8% have had four or more

To avoid additional breaches, small businesses took these post-breach measures:

  • 47% implemented new security tools
  • 44% provided new training for IT staff
  • 35% provided new training for non-IT staff
  • 34% hired additional security staff
  • 27% increased budgets
  • 19% increased vendor due diligence

The ITRC, with the assistance of SurveyMonkey and DIG.Works, conducted two surveys to explore the impacts of cybercrimes on small businesses as defined by the U.S. Small Business Administration (500 or fewer employees).  The SurveyMonkey online questionnaire was completed by 417 individuals who met the criteria of being a person in a leadership position or an IT professional at a company of 500 or fewer employees. The DIG.Works online survey drew 1,050 responses from general consumers, who were asked whether they worked for an organization of 50 or fewer employees and, if so, whether their employer had experienced a data breach. The results of these questions are reported separately.

The 37-page PDF report is full of small business cyber statistics and results regarding the small businesses who suffered a breach.  You can check it out via the link above.  And for all topics cybersecurity and data privacy related, follow Sharon’s Ride the Lightning blog – it’s a terrific cyber and privacy resource!

So, what do you think?  Do you work for a small business and has it ever suffered a breach?  Please share any comments you might have or if you’d like to know more about a particular topic.


Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
