35 Alarming SMB Cybersecurity Stats in 2023

2023 SMB Cybersecurity Statistics

Many small businesses fail to give due importance to cybersecurity or develop comprehensive strategies to prevent or respond to attacks – a fact well-known to hackers. The following statistics provide a glimpse into the threat landscape that small businesses simply cannot afford to overlook.


1. 46% of all cyber breaches impact businesses with fewer than 1,000 employees.

2. 61% of SMBs were the target of a cyberattack in 2021.

3. At 18%, malware is the most common type of cyberattack aimed at small businesses.

4. 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.

5. 37% of companies hit by ransomware had fewer than 100 employees.

6. Small businesses receive the highest rate of targeted malicious emails at one in 323.

7. Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

8. 87% of small businesses have customer data that could be compromised in an attack.

9. 27% of small businesses with no cybersecurity protections at all collect customers’ credit card info.

10. 55% of people in the U.S. would be less likely to continue doing business with companies that are breached.

11. 95% of cybersecurity incidents at SMBs cost between $826 and $653,587.

12. 50% of SMBs report that it took 24 hours or longer to recover from an attack.

13. 51% of small businesses said their website was down for 8 – 24 hours.

14. In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.

15. Nearly 40% of small businesses reported they lost crucial data as a result of an attack.

16. 51% of small businesses that fall victim to ransomware pay the money.

17. 75% of SMBs could not continue operating if they were hit with ransomware.

18. Just 17% of small businesses have cyber insurance.

19. 48% of companies with insurance did not purchase it until after an attack.

20. 64% of all small businesses are not familiar with cyber insurance.

21. 47% of businesses with fewer than 50 employees have no cybersecurity budget.

22. 51% of small businesses have no cybersecurity measures in place at all.

23. 36% of small businesses are “not at all concerned” about cyberattacks.

24. 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked.

25. Only 17% of small businesses encrypt data.

26. 20% of small businesses have implemented multi-factor authentication.

27. 80% of all hacking incidents involve compromised credentials or passwords.

28. One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions.

29. 76% of small businesses that increased cybersecurity spending cited rising fear of new threats.

30. 42% of small businesses have revised their cybersecurity plan since the COVID-19 pandemic.

31. Nearly half of small businesses spend less than $1,500 monthly on cybersecurity.

32. 22% of small businesses increased cybersecurity spending in 2021.

33. SMBs spend 5% to 20% of their total IT budget on security.

34. 29% of businesses that suffered a breach responded by hiring a cybersecurity firm or dedicated IT staff.

35. Antivirus software (58%), firewalls (49%), VPNs (44%), and password management (39%) are the top four cybersecurity tools SMBs are adopting.

International Organization for Standardization (ISO)
ISO compliance is achieved when an organization meets the requirements outlined in a specific standard developed by the International Organization for Standardization (ISO). ISO has developed thousands of standards that cover all areas of business. These ISO frameworks are used by organizations to embed internationally standardized business practices.
Health Insurance Portability and Accountability Act (HIPAA)
Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies that deal with protected health information (PHI) to have physical, network, and process security measures in place and follow them. HIPAA laws are a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the United States.
Health Information Trust Alliance (HITRUST)
The Health Information Trust Alliance (HITRUST) is a non-profit company that delivers data protection standards and certification programs to help organizations safeguard sensitive information, manage information risk, and reach their compliance goals. HITRUST stands out from other compliance frameworks because it harmonizes dozens of authoritative sources such as HIPAA, SOC 2, NIST, and ISO 27001. It is also the only standards development organization with a framework, assessment platform, and independent assurance program, which has helped drive widespread adoption.
Clinical Laboratory Improvement Amendments (CLIA)
Clinical Laboratory Improvement Amendments (CLIA) of 1988 contains the Code of US Federal Regulations that govern any entity that returns patient test results for the purposes of caring for that patient. CLIA ensures that there is a standard of quality associated with test results across laboratory testing performed on specimens from humans such as blood, body fluid, and tissue, for the purposes of diagnosis, prevention, or treatment of disease or assessment of human health. This ensures the accuracy, reliability, and timeliness of laboratory test results regardless of where the test was performed.
National Institute of Standards and Technology (NIST)
NIST was created to improve U.S. innovation and competitiveness across industries “by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Today, NIST remains one of the nation’s oldest physical science laboratories with a focus on three core competencies:
1. Measurement science
2. Rigorous traceability
3. Development and use of standards
NIST’s technical contributions to the development of information security standards have saved private industries more than $1 billion and drive consumer and business confidence.
General Data Protection Regulation (GDPR)
The goal of GDPR is to provide more stringent data privacy and security measures and more user-friendly disclosures and reporting on data protection practices. The regulations aim to allow individuals to control the use and storage of their own data, including any personally identifiable information.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley (SOX) Act of 2002 was passed into law by the United States Congress to cut down on corporations that took part in fraudulent financial reporting. The act was passed on July 30, and its main intention is to protect investors. It is regularly referred to as the SOX Act of 2002, and it includes strict reforms to previous securities regulations. These mandated reforms subjected lawbreakers to stricter and tougher penalties.
Service Organization Control 2 (SOC 2)
SOC 2 is a coveted and hard-to-obtain information-security certification, and it demonstrates that an independent accounting and auditing firm has examined an organization’s non-financial reporting control objectives and activities. The auditing firm tests our controls over time to ensure that they are operating securely and effectively. Developed by the American Institute of CPAs (AICPA), SOC stands for Service and Organization Control. It defines criteria for managing customer data based on five “trust services principles” — security, availability, processing integrity, confidentiality, and privacy.