The threat of cyberattacks continues to increase and evolve, forcing everyone from federal governments to individual consumers to consider how to best protect themselves.

According to a new survey from Digital.com, one group that may need to take cybersecurity more seriously is small and medium-sized businesses (SMBs). From March 11-14, 2022, Digital.com surveyed 1,250 owners of businesses with 500 employees or less, finding that less than half of them currently have measures in place to protect them from cyberattacks.

Not only does this lack of cybersecurity increase the risk that companies will lose data or have operations interrupted, but it makes customers who share their information with these businesses vulnerable as well.

Key Findings

  • As of March 2022, 51% of small businesses don’t have cybersecurity measures in place
  • 21% are developing cybersecurity plans; 30% have no protection against cyberattacks
  • 59% of small business owners who don’t have cybersecurity measures in place say their business is ‘too small’ to be a target
  • 36% of small business owners are ‘not at all concerned’ about cyberattacks
  • 1 in 5 online small businesses have been the victim of a cyberattack

More than half of small businesses don’t have cybersecurity measures in place

Only 42% of SMB owners say their companies currently have cybersecurity measures in place.

Twenty-one percent don’t have any measures in place but are in the process of developing and implementing cybersecurity plans.

Meanwhile, 30% of SMB owners say their companies have no cybersecurity measures in place, and 7% aren’t sure about the state of cybersecurity at their companies.

How a business operates plays a role in whether it has protections in place. Companies that operate in person are less likely than those that conduct all or some business online to be protected against cyberattacks.

Forty-five percent of companies that operate in-person don’t have any protection against cyberattacks. Twenty-seven percent of companies that solely operate online, and 21% of companies that do business online and in-person don’t have cybersecurity measures in place.

However, in today’s hyper-connected environment, even companies that do most of their business offline may not be as safe as they think, according to small business and startup consultant Dennis Consorte.

“Cyberattacks can occur in any context,” he says. “A company that does most of their business in-person may still process transactions across an insecure connection, or they may store data in an unencrypted format, such as credit card numbers in an unencrypted spreadsheet.”

Consorte also points out that cyberattacks may not target businesses specifically. “Hackers may attack the servers at the hosting service that stores a company’s web files. There have also been a number of high profile data center fires where files were destroyed. In some cases, backup files were in the same physical location and were destroyed, too. Anything is possible, so it’s helpful to secure your data, and keep encrypted backups of that data at a different physical location than the source.”

6 in 10 small businesses aren’t protected because they think they’re ‘too small to be a target’

Among businesses with no cybersecurity protection, 59% say it’s because they’re too small to be a target, far outpacing any other reason given for not having protective measures in place.

According to Consorte, that belief is a misconception.

“Companies of all sizes should take cybersecurity seriously,” he says. “Customer data is valuable, and bad actors will stop at nothing to get it. In fact, they may target SMBs because they have less budget for protecting their customers’ information and are therefore softer targets.”

Twenty-five percent of these small businesses also say they don’t need cybersecurity because their online business is limited. Nineteen percent cite cost as a reason for not implementing cybersecurity practices, saying it’s too expensive.

For businesses that have cybersecurity measures in place, or are developing a plan, the most popular forms of protection are antivirus software (58%), firewalls (49%), VPNs (44%), password management tools (39%), and secure payment processing tools (38%).

87% of small businesses have customer data that could be compromised

SMBs that have a lax attitude about cybersecurity aren’t just leaving themselves vulnerable to attack – they’re jeopardizing their customers’ privacy and information.

Eighty-seven percent of SMBs surveyed collect at least some customer information, with name (72%), address (66%), and phone number (65%) being the most commonly collected data.

Thirty-three percent collect customers’ birth date, 32% collect credit card information, 19% collect bank account info, and 17% collect Social Security numbers.

Companies that don’t currently have cybersecurity measures in place, or aren’t sure if they do, collect sensitive data from customers at rates that are slightly lower, although that’s unlikely to make those customers feel any less vulnerable.

Twenty-six percent of SMBs without cybersecurity protections collect customers’ credit card information, 15% store customers’ bank account information, and 14% have customers’ Social Security numbers.

Some survey respondents have firsthand experience with customers’ sensitive information being stolen. Twelve percent of the SMBs surveyed have been the victim of a cyberattack. In 25% of those situations, customer data was lost or compromised.

Other ripple effects of the cyberattack include damage to the company’s reputation (24%) and loss of customers (16%).

“When you don’t take privacy and security seriously, you risk losing your customers to competitors who put effort into protecting their data,” Consorte says, adding that there are steps consumers can take to make sure they’re patronizing businesses that protect their data.

“Look for the lock icon in the browser address bar, which generally tells you if your data is encrypted when passed between your browser and the company’s server,” Consorte says. “Read or at least skim the company’s privacy policy. Choose authoritative login and payment options when available. Look for trust seals on websites and verify that it’s real and that the service is legitimate. Remember, no system is perfect, so use common sense in protecting your privacy and finances.”

Nearly 2 in 5 small business owners are ‘not at all concerned’ about cyberattacks

Despite the fact that cyberattacks continue to rise, 36% of SMB owners are ‘not at all concerned’ about their businesses being the victim of a cyberattack. Twenty-six percent are ‘very concerned,’ while 38% are ‘somewhat concerned.’

Among different types of small businesses, those that operate primarily in-person are least likely to be concerned about being a target for cyberattacks. Only 49% of these types of businesses are concerned about cyberattacks, compared to 71% of online-only businesses, and 72% of small businesses that operate both in-person and online.

For businesses that are concerned about being the target of a cyberattack, 50% believe that professional hackers, either domestic or foreign-based, are likely to be behind the attack.

Eighteen percent of SMB owners are also suspicious of their own current and former employees, saying they may be the ones to stage some form of cyberattack.

1 in 5 online small businesses have been the target of a cyberattack

Overall, 12% of small businesses have been the victim of a cyberattack, although that number varies by how a business operates.

Twenty percent of SMBs that operate primarily online were victims of cyberattacks, along with 12% of businesses that conduct business both online and in-person, and 7% of businesses that operate primarily in-person.

Ninety percent of the victims of cyberattacks lost revenue as a result of the attack.

Among those that lost revenue, the majority, 68%, lost $250,000 or less. However, 19% lost $500,000 or more, with 6% losing over $1 million.

Despite the loss of revenue and other consequences, 8% of small businesses that suffered a cyberattack made no changes to their cybersecurity practices, leaving themselves vulnerable to another attack.

For those victims that did use the attack as a wake-up call to better protect themselves, 44% installed antivirus or antimalware software, while 43% started using a VPN. Twenty-nine percent hired dedicated IT staff or an outside cybersecurity firm, and 25% started training staff cybersecurity best practices.

In the event a business is the victim of a cyberattack, Consorte has some advice.

“Customers trust companies more when there is transparency,” he says. “If you are the victim of a cyberattack, you need to let your customers know promptly. Tell them what happened, what steps you will take to remedy the problem, and what they need to do to secure their logins, finances, and other personal information.”

Methodology

All data found within this report derives from a survey commissioned by Digital.com and conducted online by survey platform Pollfish. In total, we surveyed 1,250 owners or partners of businesses with 500 employees or less. Appropriate respondents were found using Pollfish’s screening tools. This survey was conducted between March 11, 2022 and March 14, 2022. All respondents were asked to answer all questions truthfully and to the best of their abilities. For full survey data, please email Content Marketing Specialist Kristen Scatton at [email protected].