The State of Small Business Cybersecurity 2022

Our research found that many small businesses fail to take a structured, proactive approach to cybersecurity. Just 60% of survey respondents feel their company is adequately prepared for a cyber attack.

Even fewer (45%) believe their organization is likely to be a target. This contradicts established findings that small businesses are three times more likely to be targeted by cyber criminals when compared to their larger counterparts.

Limited cybersecurity resources are a leading risk factor in small businesses becoming a target, so it is concerning that just a third have access to dedicated cybersecurity specialists. Responsibility for cybersecurity predominantly falls on internal IT teams, who are likely dealing with competing priorities. Outsourcing to an external service provider is a popular second choice, while some rely on a combination of all three.

When it comes to documenting cybersecurity policies and practices, many organizations lack the basics. Just 59% have an official employee cybersecurity policy, while 46% have a cybersecurity strategy. Disaster recovery plans and Bring Your Own Device (BYOD) policies are even less commonplace (35% and 29% respectively), and 13% of respondents report having no cybersecurity policy documentation whatsoever.

While many aspects of cybersecurity documentation seem to be sporadic, small businesses have been more proactive in adjusting their policies to incorporate remote and hybrid work. The majority of organizations (64%) say they updated their cybersecurity practices in response to employees working remotely.

Half of organizations store their backups securely in the cloud. However, 40% rely on their company network for data backups, which is a high risk choice in the event of an attack.

Software and device updates are carried out “as needed” in the majority of small businesses, which is positive if performed in a timely and regular manner. Yet, given the demands of rolling out these updates, it’s surprising that only 14% automate the process.

From the survey responses, it is clear that small and medium-sized businesses still vary considerably in their organizational preparedness for cyber attack. Uptake of crucial policies and protections still lags behind larger corporations, which only solidifies SMBs’ status as vulnerable targets for cyber criminals. To bolster protection and avoid potentially catastrophic breaches, small businesses must place greater focus on their cybersecurity strategy, and find opportunities to do more with existing resources.

Employee awareness plays a vital role in defending against cyber attacks, particularly when it comes to initiating a timely and effective response. Workers who are unfamiliar with the process for reporting a suspected breach can inadvertently worsen its severity, as can employees who are fearful of disclosing an error. Most organizations appear to be cognizant of this risk, with 65% saying they have an official procedure in place for employees to escalate suspected attacks.

Another key component of employee cybersecurity is password management. The frequency with which employees update their passwords varies, but the majority adhere to best practice by changing every three months or less. A further 22% say they update their credentials when prompted by a password manager, indicating organizations recognize the need to enforce this practice among employees.

Knowledge of phishing risks is also relatively high, most likely due to the prevalence of such attacks. The vast majority of business leaders (83%) have received a phishing email, and 81% say others at their company have also been targeted.

Senior leaders also express a high level of confidence in their employees’ ability to recognize phishing emails, with 92% either somewhat or very confident that their employees can identify such messages.

Most organizations have made efforts to improve employee awareness of cyber risks, with 65% saying they have received company-hosted training on phishing. The frequency of general cybersecurity training for employees is also mostly positive, with just over a quarter conducting training on a monthly basis, and 29% doing so “as needed”. However, a significant cohort of respondents (18%) stated that such training is never carried out at their organization.

While many small businesses rely on fragmented cybersecurity policies, attacks continue at a concerning pace. Over a third (36%) of organizations surveyed experienced an escalation in attempted cyber attacks in the past year, with a further 28% stating they couldn’t be certain if such attempts had increased.

47% of small businesses have fallen victim to cyber attacks, with phishing, password hacking, and adware topping the list of tactics.

Alarmingly, of those businesses that have weathered an attack, 67% have endured the experience more than once. 30% have sustained between two and five attacks, 28% have experienced between five and ten, and 9% have suffered more than 10 incidents.

Across small and medium-sized businesses, certain cybersecurity vulnerabilities are consistently exploited by cyber criminals. Employee error is the leading cause in most successful attacks, indicating that training and awareness efforts still aren’t going far enough. Outdated antivirus, devices, and operating systems are other common culprits, as is the absence of a firewall.

Unsurprisingly, these responses highlight a clear disparity between organizations that successfully defend against cyber attacks, and those that fall victim: one consistently implements what the other lacks. Employee training and awareness, cybersecurity software, and regular patches and updates can make or break an organization’s ability to repel an attack.

In terms of business impact, 46% experienced downtime as a result of a cyber attack. Data loss, an inability to access the network, data leaks, and financial losses were other commonly reported consequences.

In most cases of downtime, the organization in question was back up and running within a week, although 28% took between one and two weeks to recover, and 12% were impacted for even longer.

22% say the cost of cyber attacks to their business ranged from $50,000 – $100,000, and 20% reported damages of over $100,000. Given the relatively low uptake of cybersecurity insurance, these costs can be crippling for a small business.

Following a cyber attack, a small majority of businesses updated their cybersecurity software and policies, while 46% adjusted employee training practices. Unfortunately, given that 67% of cyber attack victims go on to experience repeat breaches, it is likely that these steps are often insufficient. Worryingly, 13% say they made no changes to their cybersecurity policies or practices in response to an attack.