15 Small Business Cyber Security Statistics That You Need to Know
6 votes, average: 4.33 out of 56 votes, average: 4.33 out of 56 votes, average: 4.33 out of 56 votes, average: 4.33 out of 56 votes, average: 4.33 out of 5 (6 votes, average: 4.33 out of 5, rated)

15 Small Business Cyber Security Statistics That You Need to Know

Small business cyber attacks aren’t cheap — IBM reports that breaches associated with business email compromise cost an average of $5.01 million in 2020. Here’s our list of the top SMB cybersecurity statistics you need to know in 2021

Note: This small business cyber security statistics article is one that we periodically update with new data. This is the most recent update and is the last one we’ll likely make before we head into 2022. Be sure to check back periodically for updates and fresh SMB cybersecurity statistics!

You may have heard the oft-quoted small business cyber security statistic that’s something akin to “60% of small companies that suffer a cyber attack are out of business within six months.” Heck, like many major media outlets, we’ve even quoted this stat ourselves in the past. However, it turns out that the organization that’s often attributed for this small business cyber security statistic, the National Cyber Security Alliance (NCSA), actually recommends not citing this statistic for the following reason:

“This statistic was not generated from NCSA research, and we cannot verify its original source. NCSA has not actively referenced this statistic for several years, but we discovered that it was included in an outdated infographic on our website. We have removed all of these references and do not recommend its ongoing usage. Members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.”

Well, that’s a bummer, right?

While we here at Hashed Out may not be the internet’s top resource for cyber security related information – though we strive to be and have more than two million readers – we still want to do the best job we can at providing you with the best and most useful information possible. This includes topics such as small business cyber security statistics.  

With this in mind, we’ve updated our list of some of the small business cyber security statistics you SHOULD know in one convenient resource. We’ll also discuss why SMBs make such attractive targets and what you can do to protect your business.

Let’s hash it out.

The Top Small Business Cyber Security Statistics to Know in 2021

The ongoing COVID-19 global pandemic is changing things for small businesses and organizations around the world. An August 2020 report from INTERPOL indicates that small businesses may not (currently) be the top target of cybercriminals:

“To maximise damage and financial gain, cybercriminals are shifting their targets from individuals and small businesses to major corporations, governments and critical infrastructure, which play a crucial role in responding to the outbreak. Concurrently, due to the sudden, and necessary, global shift to teleworking, organizations have had to rapidly deploy remote systems, networks and applications. As a result, criminals are taking advantage of the increased security vulnerabilities arising from remote working to steal data, generate profits and cause disruption.”

But just because larger organizations are their primary targets doesn’t mean that SMBs should let their guards down, either. Many types of cyber attacks and other dangers still pose a risk to small and mid-size businesses, too.

What Qualifies as an SMB?

Well, that answer depends. One of the things that makes reporting small business cyber security statistics a bit challenging is that different reports identify small businesses differently. For example, according to some of the reports we cite in this article:

  • Verizon categorizes small businesses as those that have fewer than 1,000 employees.
  • IBM identifies small businesses as those with fewer than 500 employees.
  • Flexera categorizes SMBs as those that have fewer than 1,000 employees.
  • The cyber security company VIPRE categorizes small businesses as those that have 1-500 employees.
  • Alliant Cybersecurity’s data includes companies that have 500 or fewer employees as well.

With this in mind, let’s kick off our list of small business cyber security statistics.

1. $2.98 Million: The Average Cost of a Data Breach for SMBs With <500 Employees

Small business cyber security statistics graphic: a $2.98 million price tag, which is the average cost of a data breach for SMBs

The costs associated with data breaches vary greatly depending on the size of the organization and scope of the attack. Research from IBM and the Ponemon Institute’s 2021 Cost of a Data Breach Report shows that small organizations (those with fewer than 500 employees) spend an average of nearly $3 million per incident. Compare this to the $2.63 million price tag for organizations with 500-1000 employees and the $5.25 million average per-incident cost for organizations with 10,001-25,000 employees.

2. 43% of SMBs Lack Any Type of Cybersecurity Defense Plans

What if we were to tell you that more than two in five companies that have 50 or fewer employees in the U.S. and United Kingdom don’t have any type of cybersecurity defense plan in place? Yes, that’s right. A January 2020 research study by BullGuard showcases a disturbing number of businesses are choosing to be reckless. They’re essentially rolling the dice in terms of securing their data (and that of their customers) from small business cyber attacks.

3. One in Five SMBs Don’t Use Any Endpoint Security Protections

BullGuard’s survey of 3,083 SMBs also shows that 23% of small businesses in both the U.K. and U.S. neglect to use endpoint security mechanisms. Additionally, 32% of those surveyed who do use endpoint security protections say they rely solely on free, consumer-grade cybersecurity solutions. Yeah, take a moment to wrap your head around that one!

A graphic that illustrates the number of days it's been since a small business had a data breach

4. Only 47% of SMBs Find Breaches Within Days

Speed is of the essence when it comes to discovering data breaches. Verizon’s 2021 Data Breach Investigations Report (DBIR) shows that while small organizations were doing better than their large organization counterparts last year, those big boys are finding breaches “within days or faster” in 55% of the cases. Compare this to the 47% of small ones.

5. AWS Has 72% of Market Share for SMBs That Use Public Cloud

Amazon Web Services (AWS) is the leading public cloud service provider for small businesses, according to Flexera’s 2021 State of the Cloud Report. Azure comes in second with 48% and Google follows with 39%.

As cloud becomes more widely adopted, it’s essential that businesses take the necessary steps to ensure they’re as secure as possible. For more information relating to cloud security statistics, be sure to check out our article on that topic.

6. 78% of SMBs View Security as Their Top Cloud Security Challenge

Nearly four in five of the SMB technical professional who responded to Flexera’s survey indicate that security is their biggest cloud hurdle. This is followed by concerns relating to better managing cloud spend (76%) and lacking the necessary resources and expertise (72%).  

Check out the table below to see how these cloud challenges stack up against Enterprises (as well as a breakdown of other cloud challenges):

Small business cyber security statistics graphic: This bar chart highlights the top cloud challenges for small businesses and enterprises.
Data source: Flexera’s 2021 State of the Cloud Report.

7. 93% of Small Business Data Breaches Are Financially Motivated

When it comes to money, to paraphrase a line from a popular country song, cybercriminals “like it, love it, and want some more of it.” Verizon’s 2021 DBIR report shows that the data breaches they analyzed were overwhelmingly caused by threat actors who had financial motivations. Compare this to 3% of cases that involved espionage and the remaining 4% that include “fun” and “convenience” as motives.

This differs from larger organizations (1,000 or more employees) that had 87% of breaches that were financially motivated.

8. 84% of MSPs Say SMBs Should Be “Very Concerned” About Ransomware

In their 2020 Global State of the Channel Ransomware Report, Datto reported that four in five managed service providers (MSPs) identified ransomware (68%) as the biggest malware threat to SMBs. But there appears to be a significant difference in opinion regarding the threat of ransomware attacks:

  • “84% of MSPs say that SMBs should be “very concerned” about the threats that ransomware poses to organizations, and
  • 30% report their SMB clients are “very concerned” and 32% are “moderately concerned” about ransomware.

Be sure to check out our other article that specifically focuses on ransomware statistics.

9. 63% of SMBs Report Experiencing a Data Breach in the Previous 12 Months

Data from a 2019 study by Keeper Security and the Ponemon Institute shows that the number of small and medium-sized businesses that experienced data breaches increased to 63% in FY 2019. In the two prior fiscal years, participants report 58% in FY 2018 and 54% in FY 2017, respectively.

10. Small Organizations’ Privacy Budgets Reach an Average of $1.6 Million

Cisco reports in its 2021 Data Privacy Benchmark Study that the average privacy budget for smaller organizations (250-499 employees) doubles from $0.8 million to $1.6 million. Although they didn’t have data available from last year, this year’s average privacy budget for small businesses with 50-249 employees is $1.1 million.

11. 46% of SMBs With <1K Employees Had 5-16 Hours of Breach-Related Downtime

Cisco’s 2020 CISO Benchmark Study data indicates that downtime from data breaches is an issue for all organizations with up to 10,000 employees. According to their data (as it was cited in Cisco’s “Securing What’s Now and What’s Next” report), small and mid-size organizations with 250-449 employees reported the following:

  • 43% experienced 0-4 hours of downtime
  • 45% experienced experiencing 5-16 hours of downtime, and
  • 12% experienced 17-48 hours of downtime.

For businesses with more employees — 500-999 or 1,000-9,999 employees — their numbers showed greater variance:

12. 47% of SMBs Report Keeping Data Secure as Biggest Challenge

VIPRE’s SMB Security Trends survey results indicate that nearly half of the CISOs and IT pros surveyed find data security to be their biggest IT security challenge. The next biggest hurdles they identified include preventing data loss (42%) and increasing employee security awareness (41%).

13. Credentials (44%) Represent the Most Compromised Type of Data in 2019

Credential compromise continues to be an issue for SMBs and other businesses as well. Verizon’s 2020 DBIR reports that more than half (52%) of small businesses reported issues of credential compromised in 2019. Their 2021 DBIR shows that while the number has decreased to 44%, it remains the most common type of compromised data followed by:

  • Personal (39%),
  • Other (34%), and
  • Medical (17%).

But just who does Verizon say is responsible for these attacks on small businesses?

14. 57% of SMB Data Breaches Involve External Threat Actors

By far, the overwhelming majority (57%) of the data breaches that targeted small businesses were perpetrated by external threat actors, according to Verizon’s 2021 DBIR. However, it’s worth mentioning that this is a noticeable decrease from the 74% they reported in their 2020 DBIR.

But how does this compare to insider threats? Verizon says that internal threat actors were responsible for 44% of the breaches they analyzed in their 2021 report. This is an increase from the 26% they reported the previous year’s report.

15. 22% of SMBs Switched to Remote Work Without a Cybersecurity Threat Prevention Plan

The COVID-19 global pandemic forced the hands of businesses worldwide to allow their employees to work from home at unprecedented rates starting in 2020. But what does this mean for small business cybersecurity preparations? Research from Alliant Cybersecurity shows that one-in-five small businesses jumped head-first into remote working without having a clear cybersecurity mitigation or prevention policy in place.

Now, consider that more than half (52%) of these SMBs indicate that they didn’t regularly allow their employees to work remotely prior to the start of the pandemic. With this in mind, it’s easy to imagine what kind of Pandora’s box this opens in terms of cybersecurity vulnerabilities and risks.  

Unfortunately, what makes matters worse is findings from the Keeper Security/Ponemon Institute survey we mentioned earlier. Their data shows that 39% of their SMB survey respondents report that their organizations lack any incident response plans. So, this means that when (not if) crap hits the proverbial cooling system, they won’t have a plan in place that helps them to respond to cyber-related events. 

Why SMBs Are Thought to Be More Vulnerable to Cyber Attacks & Data Breaches

Small businesses are the drivers of the U.S. economy. The most recent data from the U.S. Small Business Administration (SBA) reports that there are 32.5 million small businesses in the U.S. Furthermore, a significant part of the country’s workforce includes 61.2 million small business employees.

Historically, there’s been this common notion that small businesses are at greater risk to cybercrimes because they lack the resources — funds, personnel, time, etc. — to properly monitor and mitigate cyber threats. However, Verizon’s 2021 DBIR findings indicate that the gap between the number of breaches that SMBs and larger organizations experience is narrowing, and the top breach patterns targeting both groups were largely identical:

  • 80% — This small business cyber security statistic represents the percentage of breaches that involved system intrusion, miscellaneous errors, and basic web app attacks.
  • 74% — Much like SMBs, large organizations also share these three top patterns for nearly three in four data breaches.

However, where they still differ is in their detection capabilities. Large organizations are doing better in terms of detecting breaches faster than their smaller counterparts.

Unfortunately for consumers, some business owners and executives still convince themselves that their businesses are too small to be of interest to hackers. Some businesses take a head-in-the-sand approach to cyber security even though they say they experienced cyber attacks and data breaches in the past! This means that they may not put the time, money, training, and other resources in place to protect their businesses (and their customers as a result).

How You Can Protect Your Small Business from SMB Cyber Security Attacks

At the SSL Store, we’re a small company with about 80 employees. We specialize in secure sockets layer/transport layer security (SSL/TLS) to create encrypted connections. As such, we’re happy to help you configure your servers for maximum protection and to get that lauded “HTTPS” in your web address. However, that’s only one piece of the puzzle — SSL only secures certain attack vectors. As such, you’ll need to invest in additional security measures to increase the digital security of your small or medium-sized business.

Some such methods that should be used to create multi-layered protection include:

  • Firewalls, antivirus, and endpoint security solutions
  • Network penetration testing and vulnerability assessments
  • Cyber security audits
  • Computer use, device, and password policies
  • Strong PKI management practices
  • Access management and access control policies and procedures
  • Email security solutions (such as anti-phishing solutions, spam filters, email signing certificates [S/MIME certificates])
  • Employee cyber security awareness training and phishing simulations
  • Incident response and disaster recovery plans
  • Current data backups
  • Updates and patching

But what are some of the most common methods of defense that SMBs implement? According to 2020 survey data from The Manifest:

The most popular small business cybersecurity measures include limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best practices (34%).”

TL;DR? A Quick Summary of These SMB Cybersecurity Statistics Findings

We know you’ve already got a lot on your plate and probably don’t have time to read a long article. Here’s what we covered in today’s discussion on small business cyber security statistics:

We know you’ve already got a lot on your plate and probably don’t have time to read a long article. Here’s what we covered in today’s discussion on small business cyber security statistics:

  • $2.98 million is the average cost of a data breach for small businesses, according to IBM and the Ponemon Institute.
  • Small and medium-sized businesses need to get their butts in gear and put cybersecurity threat mitigation and incident response plans in place.
  • Consumer-grade cybersecurity products simply aren’t going to cut it for securing small businesses.
  • Phishing still leads the way in terms of being the leading threat action that attackers use against SMBs.
  • The largest percentages of surveyed SMBs experienced between 5 and 16 hours of downtime during a breach.
  • You need security beyond just SSL – this should include the use of firewalls, email security protections, secure CDNs, two-factor authentication (2FA), and endpoint security.
  • Ensure all software, hardware, servers, and other devices are up to date.

Editor’s Note: This article was originally published in June 2019. It was updated with new SMB cyber security statistics and research on Dec. 9, 2020 and again on Nov. 11, 2021. It will be updated again in 2022 to include new small business cyber security statistics.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.