How small businesses deal with cyberattacks.
N2K logoOct 26, 2023

Small businesses grapple with implementation of best practices.

How small businesses deal with cyberattacks.

The Identity Theft Resource Center (ITRC) has published its 2023 Business Impact Report.

The effect of cyberattacks on small businesses.

The survey was directed toward small businesses. The ITRC concluded that employee and consumer data were the most significantly affected categories of information. Breaches traceable to phishing and other scams increased, and this, the Center says, is consistent with broader trends. "Cyber insurance emerged as the primary source of recovery funding (33%), followed by cash reserves. There was a slight uptick in headcount reductions (13%) as a means of addressing the costs of a breach." In addition to direct financial losses, small businesses affected by cyberattacks reported a loss of customer trust and undesirable employee turnover.

Limited adoption of best practices.

One of the survey's conclusions was that small businesses are lagging in their adoption of security best practices. "The findings show a slow rate of adoption for a variety of well-established best practices as well as new technology or processes that protect personal and business information. The vast majority of SMBs have not utilized tools such as Multi-Factor Authentication (MFA) for employee or customer use, mandatory strong passwords, or role-based access for employee access to sensitive data. Adoption rates range between 34 percent (34%) and 20 percent (20%) depending on the solution."

George McGregor, VP of Approov Mobile Security, expressed disappointed at the results. “This is disappointing, with very poor levels of implementation of basic best practices and only half of the companies taking steps to stop breaches." He also cautioned that self-reported good news should be received with a degree of skepticism. “I also think the 'good news' in the report - a reported reduced financial impact of breaches - is probably not to be taken too seriously either. If self-reported it may not be accurate. There will be more and more pressure on small businesses as new reporting requirements come into force and they will be forced to take the issue of cybersecurity more seriously.”