Small Business Owners and Cybersecurity Risk Statistics

Numbers don’t lie: These statistics give small business owners something to think about when it comes to cybersecurity.

Small business owners are doers. They’re not afraid to roll up their sleeves and tackle whatever the business needs, often problem-solving and multi-tasking on the fly. Cybersecurity is a challenge for these owners because they don’t see their risk clearly – and they know cybersecurity is an operating expense that’s difficult to prioritize. Unfortunately, hackers know it, too, making small businesses a prime target for their schemes.

Think you know where things stand with your cybersecurity risk? These three commonly held beliefs are given a reality check when paired with recent statistics about businesses. If these sound like you or your company’s owner, take another look at the numbers as you determine your plans for the year ahead.

“We’re too small to be a cyber target!”

Fifty-nine percent of small business owners believe they are too small to be attacked and therefore have no cybersecurity. The myth persists despite research that shows 46% of all cyber breaches impact businesses with fewer than 1,000 employees, according to Verizon’s 2021 Data Breach Investigations Report. 

In fact, certain kinds of attacks are aimed at small businesses. Companies with fewer than 100 employees are subject to 350% more social engineering attacks, including phishing, baiting, and pretexting, than their larger counterparts. 

It’s difficult to believe your small operation is a tempting target. That’s because cybercriminals aren’t concerned with your company at all. They want your money. The funds they receive from a number of small business attacks can easily add up to what they’d receive from a larger scheme. And, since small businesses are easier to breach due to weaker security measures, it takes less time and effort to accomplish an attack.

“We’re low-tech. Cyber doesn’t impact the business.”

When you’re a small company or only have in-person operations, it’s easy to believe that your limited use of technology protects you from cyberattacks. The reality is that 87% of small businesses have customer data that could be compromised in an attack, according to research from, including sensitive data like credit card info, social security numbers, bank account info, phone numbers, and addresses. 

Even if your operations aren’t sophisticated, the cost of an attack can add up due to downtime, lost business, emergency solutions, legal expenses, and regulatory fines, not to mention reputational loss and angry customers impacted by identity theft and privacy violations. Small companies are frequently without emergency funds or insurance to cover these expenses.

How much could an attack cost? According to Verizon, 95% of cybersecurity incidents at small businesses add up to between $826 and $653,587. 

What’s more, 75% of small businesses could not continue operating if they were hit with ransomware, according to a CyberCatch survey. Paying the ransom and having operations disrupted would simply be too much of a hit.

Despite all this, a Corvus Risk Insights survey of U.S. small businesses found that only 17% had cybersecurity insurance to cover costs in the event of a cyber breach and 48% of those companies only purchased insurance after they were attacked. 

“We can’t afford cybersecurity.”

While the pandemic forced many businesses to rethink their information technology for remote work, many are still not prioritizing security measures, with 51% having no cybersecurity at all (

A CNBC survey indicates that one-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions, where they feel enterprise-grade technology is too complex or expensive to use. 

The fact is that it’s easy to protect your business, whether you’re a solo entrepreneur, a team of 10, or a growing staff of 30. Cyber insurance policies could protect your company from financial hardship if you were to suffer an attack and give you peace of mind that you would have someone to call for help, as many policies include security forensics and legal advice.

Even better, establishing some basic cyber hygiene, including security awareness and training programs, backing up data, multi-factor authentication, and patch management for hardware, software and apps, can be a proactive investment in business continuity. 

To assess your unique risk and determine the services that best meet your needs, visit Numbers don’t lie, so knowing your risk score can give you the knowledge to avoid being on the wrong side of these numbers.