Key Takeaways
- In 2023, 61% of small businesses reported experiencing at least one cybersecurity incident, including data breaches, according to a survey of 1,200 SMBs
- 43% of all data breaches in 2022 targeted organizations with fewer than 1,000 employees, primarily small businesses
- Small businesses accounted for 28% of all reported data breaches in the US during 2023, up from 22% in 2021
- The average cost of a data breach for small businesses was $25,000 in direct expenses in 2023
- Small businesses lost an average of $4.45 million in total breach costs including lost business in 2023
- Notification costs alone averaged $18,000 per breach for SMBs under GDPR in 2023
- Phishing accounted for 36% of small business data breaches in 2023
- Stolen credentials caused 24% of SMB data breaches, enabling unauthorized access in 2023
- Ransomware encrypted data in 22% of small business incidents leading to breaches in 2023
- 60% of small businesses that suffered a data breach closed within six months afterward
- 51% of breached small businesses lost customers, with an average churn of 25%
- Employee morale dropped 40% post-breach in small firms, leading to a 15% turnover increase
- 74% of small businesses took over 200 days to identify a data breach in 2023
- Only 26% of SMBs had an incident response plan tested before a breach in 2023
- Recovery time averaged 280 days for small business data breaches in 2023
Small businesses face frequent and costly data breaches that threaten survival.
Breach Types and Methods
- Phishing accounted for 36% of small business data breaches in 2023
- Stolen credentials caused 24% of SMB data breaches, enabling unauthorized access in 2023
- Ransomware encrypted data in 22% of small business incidents leading to breaches in 2023
- Misconfigurations in cloud services led to 19% of SMB breaches, exposing sensitive data in 2023
- Insider threats, both accidental and malicious, accounted for 15% of small business breaches in 2023
- Supply chain attacks via third-party vendors caused 12% of SMB data breaches in 2023
- DDoS attacks masked data theft in 8% of small business breaches in 2023
- Malware infections via email attachments breached 27% of small retailers' systems in 2023
- Unpatched software vulnerabilities were exploited in 31% of small manufacturing breaches in 2023
- IoT device hacks compromised 14% of small hospitality businesses' guest data in 2023
- Social engineering tricked 40% of small professional services into credential breaches in 2023
- POS system skimmers stole card data from 18% of small restaurants in 2023
- Weak WiFi encryption led to 23% of small cafes' customer data breaches in 2023
- API vulnerabilities exposed data in 16% of small SaaS providers serving SMBs in 2023
- File-sharing service misuse caused 11% of small law firms' client breaches in 2023
- Remote desktop protocol exploits hit 20% of small accounting firms in 2023
- SQL injection attacks breached 13% of small e-commerce databases in 2023
- Physical theft of devices led to 9% of small construction data breaches in 2023
- Business email compromise stole funds and data in 17% of SMB incidents 2023
- Zero-day exploits targeted 7% of small tech startups' breaches in 2023
- Shadow IT usage caused 10% of small healthcare data exposures in 2023
- Mobile app vulnerabilities breached 15% of small delivery services in 2023
- Voice phishing (vishing) incidents rose to 21% in small nonprofits in 2023
- Container misconfigurations exposed 12% of small DevOps teams' data in 2023
- USB drive infections led to 6% of small offices' breaches in 2023
- DNS spoofing tricked 8% of small real estate firms in 2023
Financial Costs
- The average cost of a data breach for small businesses was $25,000 in direct expenses in 2023
- Small businesses lost an average of $4.45 million in total breach costs including lost business in 2023
- Notification costs alone averaged $18,000 per breach for SMBs under GDPR in 2023
- 60% of small businesses that suffered a breach in 2023 closed within 6 months due to financial strain
- Average ransomware payment by small businesses was $1.54 million in 2023
- Lost revenue post-breach averaged 22% of annual turnover for small retailers in 2023
- Detection and escalation costs for SMB breaches hit $1.2 million on average in 2023
- Fines from regulators averaged $50,000 per breach for small US businesses in 2023
- Insurance premiums for cyber coverage rose 42% for small businesses post-breach in 2023
- Average customer churn after an SMB data breach was 28%, leading to $300k revenue loss in 2023
- Post-breach legal fees averaged $75,000 for small businesses defending class actions in 2023
- SMBs spent 15% of IT budget on breach recovery in 2023, equating to $150k average
- Supply chain disruption costs from breaches averaged $200k for small manufacturers in 2023
- Small healthcare practices faced $450k average HIPAA fines per breach in 2023
- Downtime from breaches cost small businesses $9,000 per hour of halted operations in 2023
- Reputational damage led to a 35% drop in SMB valuations post-breach in 2023
- Credit repair costs for affected customers reimbursed by SMBs averaged $5k per incident in 2023
- Small financial firms paid $2.1 million average in breach-related settlements in 2023
- Increased borrowing costs post-breach rose 18% for small businesses in 2023
- Forensic investigation fees hit $100k average for complex SMB breaches in 2023
- Employee training post-breach cost small businesses $20k annually in 2023
- Vendor penalties from SMB breaches averaged $150k in contract disputes in 2023
- Tax implications from breach losses added 12% to effective costs for SMBs in 2023
- Marketing recovery campaigns post-breach cost SMBs $50k on average in 2023
- Small e-commerce sites lost $1.8 million in cart abandonment post-breach in 2023
- Cloud storage overages due to breach monitoring added $30k yearly for SMBs in 2023
- Partnership terminations cost small businesses $250k in lost deals after breaches in 2023
- Small nonprofits lost 41% in donations averaging $180k post-breach in 2023
- Hardware replacement after breaches cost SMBs $40k average in 2023
Impacts on Businesses
- 60% of small businesses that suffered a data breach closed within six months afterward
- 51% of breached small businesses lost customers, with an average churn of 25%
- Employee morale dropped 40% post-breach in small firms, leading to a 15% turnover increase
- Reputational harm caused a 33% decline in SMB stock value or valuation in 2023
- Regulatory scrutiny increased audits by 55% for breached small businesses in 2023
- Supply chain partners severed ties with 28% of SMBs post-breach in 2023
- Insurance coverage denials affected 22% of small businesses after breaches in 2023
- Legal battles post-breach consumed 18 months on average for small firms in 2023
- Innovation stalled as 45% of SMBs cut R&D budgets post-breach in 2023
- Hiring challenges rose 37% for breached small businesses seeking cyber talent in 2023
- Patient trust eroded in 62% of small healthcare practices after breaches in 2023
- Retail foot traffic dropped 29% for small stores post-POS breaches in 2023
- Vendor contracts were renegotiated unfavorably for 34% of SMBs after incidents in 2023
- Community backlash affected 41% of local small businesses post-breach in 2023
- Growth projections downgraded by 27% for breached SMBs in 2023 forecasts
- Employee mental health claims rose 52% in small firms after breaches in 2023
- Market share loss averaged 19% for small competitors post-breach in 2023
- Franchise agreements were terminated for 16% of small franchisees due to breaches in 2023
- Donor retention fell 36% in small nonprofits after data exposures in 2023
- Loans were denied at a 31% higher rate for breached SMBs in 2023
- Board confidence eroded, leading to 24% leadership changes in SMBs in 2023
- Competitor poaching of clients increased 43% post-SMB breaches in 2023
- Operational efficiency dropped 22% due to compliance overhauls in 2023
Prevalence and Frequency
- In 2023, 61% of small businesses reported experiencing at least one cybersecurity incident, including data breaches, according to a survey of 1,200 SMBs
- 43% of all data breaches in 2022 targeted organizations with fewer than 1,000 employees, primarily small businesses
- Small businesses accounted for 28% of all reported data breaches in the US during 2023, up from 22% in 2021
- 83% of small business owners believe their company is a target for cyberattacks leading to data breaches, based on a 2023 poll
- In Q4 2023, small businesses saw a 35% increase in phishing-related data breaches compared to the previous quarter
- 52% of small retailers experienced a data breach in the past year, with POS systems being the primary vector
- Data breaches in small healthcare practices rose by 24% in 2023, affecting patient records
- 67% of small manufacturing firms reported supply chain-related data breaches in 2022-2023
- SMBs in the EU faced 41% more data breaches under GDPR reporting in 2023 than in 2022
- 29% of small businesses in the financial services sector suffered a data breach averaging 50,000 records exposed
- During 2023, small businesses represented 55% of ransomware incidents leading to data encryption breaches
- 71% of small businesses hit by data breaches in 2023 were repeat victims from prior years
- In Australia, small businesses reported 2,300 data breaches to the OAIC in 2023, a 19% YoY increase
- 48% of small construction firms experienced data breaches via stolen credentials in 2023
- US small businesses saw 1.2 million records exposed per breach on average in 2023
- 39% of small businesses in tech services had insider-related data breaches in 2022-2023
- Small hospitality businesses reported a 62% breach rate due to guest WiFi vulnerabilities in 2023
- 54% of small nonprofits faced data breaches compromising donor information in 2023
- In Canada, small businesses accounted for 37% of data breaches notified to the OPC in 2023
- 46% of small logistics firms had data breaches from IoT device hacks in 2023
- Small businesses in the education sector saw a 31% breach increase due to remote learning tools in 2023
- 59% of small real estate agencies experienced client data breaches via email in 2023
- UK small businesses reported 15,000 data breaches to the ICO in 2023, up 12%
- 42% of small automotive repair shops had POS data breaches in 2023
- Small professional services firms faced a 53% data breach rate from cloud misconfigurations in 2023
- 65% of small businesses were unaware of a breach until third-party notification in 2023 surveys
- In 2023, small businesses in the Asia-Pacific region saw a 27% rise in state-sponsored data breaches
- 51% of small e-commerce sites had data breaches exposing payment info in the 2023 Black Friday period
- Small government contractors reported 38% data breach incidents tied to federal supply chains in 2023
- 47% of small businesses in agriculture suffered data breaches from smart farm equipment in 2023
Statistics on Response and Recovery
- 74% of small businesses took over 200 days to identify a data breach in 2023
- Only 26% of SMBs had an incident response plan tested before a breach in 2023
- Recovery time averaged 280 days for small business data breaches in 2023
- 52% of small businesses paid ransomware demands to recover data in 2023
- Backup restoration succeeded in only 41% of SMB ransomware cases in 2023
- Third-party breach response services were used by 67% of small businesses in 2023
- Post-breach training was implemented by 78% of SMBs but only 55% effective in 2023
- MFA adoption surged to 89% in SMBs after credential breaches in 2023
- Endpoint detection tools were deployed by 63% of small businesses post-incident in 2023
- Zero-trust architecture implemented by 34% of recovering SMBs in 2023
- Breach simulations were conducted annually by only 19% of small businesses in 2023
- Cyber insurance claims were approved for 72% of SMB breach recoveries in 2023
- Data recovery from backups took 14 days on average for SMBs in 2023
- Employee offboarding processes improved in 81% of post-breach SMBs in 2023
- Vendor risk assessments were conducted by 55% after supply chain breaches in 2023
- SIEM systems were adopted by 48% of small businesses during recovery in 2023
- Customer notification compliance was achieved by 92% of SMBs under law in 2023
- Penetration testing was budgeted by 37% of SMBs post-breach in 2023
- Dark web monitoring was subscribed to by 61% of recovering small businesses in 2023
- Incident reporting to authorities done by 85% of US SMBs in 2023 breaches
- Cloud security posture management tools were used by 44% post-misconfiguration in 2023
- Phishing simulation training reduced repeat incidents by 59% in SMBs in 2023
- Full disk encryption was enforced by 76% of SMBs after device thefts in 2023
- Patch management was automated in 69% of small firms post-vulnerability exploit in 2023
- Board-level cyber reporting was established in 52% of SMBs after breaches in 2023
- Resilience score improved by 28% in SMBs with mature response plans in 2023
- 25% of small businesses participated in annual cyber drills in 2023
- Data classification policies were created by 83% during SMB recovery efforts in 2023






