Cyberattacks cause revenue losses in 42% of small businesses

85% of small business leaders say they are ready to respond to a cyber incident despite a record-high 73% reporting an attack in 2023, according to Identity Theft Resource Center.

Employee and consumer data continue to be the most impacted categories of information affected by a data breach. The number of organizations reporting first-time attacks was flat compared to 2022 (43%). 42% of small businesses lost revenue due to a cyber event.

While down three percentage points from 2022, more businesses saw other increased impacts, such as more customers losing trust (32%), higher regrettable employee turnover (32%) and increased difficulty understanding what happened.

The financial impacts of cyber breaches continued to drop compared to previous years, with more small businesses reporting losses under $250,000 and fewer reporting higher dollar-value events. Cyber insurance emerged as the primary source of recovery funding (33%), followed by cash reserves.

There was a slight increase in headcount reductions (13%) to address data breach costs.

Focus on data security grows among small business leaders

17% of organizations that experienced a data breach did not send data breach notices to impacted consumers. 50% of those who did not send a notice said it was at the request of law enforcement, followed by 38% claiming no personal information was exposed. 21% said there was no risk of harm from the type of data compromised.

“The trends identified in the report follow the same patterns the ITRC has seen in our other reports around consumer impacts and data breaches,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “We saw a spike in attacks in 2021 before a reduction last year due to the Russian invasion of Ukraine and disruption in the cryptocurrency markets. Identity crime markets have rebounded this year, leading to record levels of breaches, suicide rates, and business attacks.

“The good news is that small business leaders are focused on data security and privacy protection. However, we still have a lot of work to do. We must accelerate the transition to newer protections and continue to develop new resources to assist victims based on solid research and unmistakable evidence,” added Velasquez.

According to the report, most small businesses have not utilized tools such as MFA for employee or customer use, mandatory strong passwords or role-based access for employee access to sensitive data. Depending on the solution, adoption rates range between 20 and 34%.

The report shows similar adoption rates for consumer data collection, use, and storage practices and policies designed to protect personal information and privacy. Adoption rates range from 21 to 37%, partly due to state laws requiring data best practices, including data access, opt-in to data collection, opt-out of data sales, and rights to correct and delete certain types of information.