Cyber security statistics are surprisingly pertinent for small businesses. Unfortunately, because small businesses handle customer data—and don’t necessarily have the resources to keep it as secure as larger businesses—they’re often targets for cyber crimes. As a result, it’s worthwhile to get an idea of the landscape by reading up on small business cyber security statistics.
Learning about the numbers on where cyber crime and small businesses collide might be a bit intimidating—it’s not quite comforting to hear all the different cyber risks your business might face. That said, educating yourself on the climate of small business cyber security is certainly worth any discomfort it might cause. After all, what you learn here could very well get you heighten your small business cyber security, which could end up saving your business.
All in, however disconcerting these 30 small business cyber security statistics might be, the numbers don’t lie. And getting ahead of the reality of small business cyber security will only help you that much more in making sure your business’s data is safe:
Surprisingly enough, 43% of cyber attacks are made against small businesses. And this number has seriously increased—it was a mere 18% just a few years ago. As larger businesses are dedicating more resources to and becoming more savvy about cyber security, cyber criminals seem to be turning to smaller businesses as a result. And because they’re most often after a business’s money, they typically target the employee who handles a business’s finances. 
According to the US National Cyber Security Alliance, 60% of small businesses that suffer a cyber attack go out of business within half a year. That’s right—if a cyber criminal successfully breaches your small business’s data, then odds are that your business will have to shutter within just six months.  We’ll dig into the details soon, but cyber attacks cost a lot of money to bounce back from. And, unfortunately, most small businesses aren’t able to come up with the funds to do so.
To broadly understand just how much cyber attacks cost businesses, consider that cybercrime costs small and medium businesses more than $2.2 million a year. These costs can come from various mishaps that occur in the wake of a cyber attack or vulnerability—not the least of which is downtime. 
The rate at which cyber attacks against small businesses grew last year is a staggering 424%. This means that small business cyber breaches grew more than 5 times last year when compared to the previous year.  It seems that cyber criminals are targeting small businesses in hoards. It’s easy to intuitively assume that cyber criminals would target larger businesses—more customer data and revenues equals more money, right? Unfortunately, this doesn’t seem to be the case.
You might think that banks, lenders, and credit card networks would be at most risk for cyber attacks. Interestingly enough, though, healthcare beats out financial services for the industry that’s most at-risk for cyber attacks. In just one year alone, there were 100 million cyber breaches in the healthcare sector.
But, of course, financial services were a close second in vulnerability for cyber attacks, followed by the manufacturing, government, and legals sectors. 
According to a study run by Hiscox, 66% of small businesses are either concerned or extremely concerned about cyber security risk.  While it doesn’t surprise us that two-thirds of small business owners are concerned, we do hope that the remaining third that aren’t concerned somehow land on this page. Small business cyber security is something to pay attention to, and the numbers prove it.
Small Business Trends found that a mere 14% of small businesses rate their ability to mitigate cyber risks and attacks as highly effective.  Small businesses often seriously underestimate the risk of cyber attack they face and, as a result, don’t devote much attention to setting up processes and protections for mitigating them.
Very few small businesses know where to begin with setting up cyber security protocols, though. Almost half—47%—of small businesses say they have no idea how to protect themselves against cyber attacks. Even though a lack of resources play a role in making small businesses less prepared for cyber attacks, a lack of information also plays a roll. 
Small Business Trends also found that small businesses are most concerned about a breach of customer records, above all other possible data breaches. When permitted two answers, 66% of small business owners chose customer recorders as their biggest worry. This option was followed up by:
Ninja RMM reports that 3 out of 4 small businesses simply don’t have the proper personnel to address IT security. In fact, this is the top pain point for businesses trying to set up cyber security protocol. Even when polled small businesses indicated that they were prioritizing cyber security and that they had the budget, for the most part, they weren’t able to get the right person in-seat to handle the job. 
Additionally, only 22% of small businesses encrypt their databases. Essentially, unencrypted data is extremely to access. So why do less than a quarter of small businesses encrypt their data? It likely boils down to the same reasons that small businesses don’t take cyber security as a whole. They simply don’t know how, and they lack the resources to learn or hire someone who does. 
Despite mass representations of cyber breaches as perpetrated by some masked criminal, trying to break into company databases, over half of all cyber security breaches occur because of human error or system failure. Only 48% of all data security breaches have malintent. So, while you shouldn’t discount the possibility of a malicious data breach, you should also double down on cyber security protocol for your own systems and team. 
Whether they’re malicious or not, data breaches frequently result due improper password security. According to Security Intelligence, 63% of confirmed data breaches take advantage of weak, default, or stolen passwords. So a little under two-thirds of data breaches could’ve been prevented by better password practices. Be sure to avoid team-wide passwords, enforce strong password protocols, and set up rules for password documentation. 
And cyber attacks caused by compromised employee passwords aren’t low-impact by any means. On average, cyber attacks that are caused by compromised employee passwords cost a business $383,365 on average.  This cost is particularly avoidable, seeing as password security merely requires an investment of time rather than a financial investment. Just taking the time to set up password best practices for your company could save your business form a six-figure unanticipated cost in the future.
Another common cyber vulnerability that small businesses are particularly susceptible to? Malware emails. In fact, 1 in 323 emails that small businesses receive are malicious.  This might not sound like much, but think about how many emails you receive in a week. The average office worker receives 121 emails a day.  And if you own your small business, you’re likely receiving a lot more than that. That means that you’re likely receiving more than one malicious email from a cyber criminal every three days.
And almost all of the detected malware that small businesses receive are through email. Results from a study run by Verizon showed that the median small business got 94% of its detected malware through email. Within emails, 45% of detected malwares were sent through Office document file to the median small business, while 26% were sent through a Windows App file.  Long story short, you and your team have to be on your toes about unsolicited emails.
Here’s another small business cyber security statistic that will help you understand why cyber security isn’t necessarily a priority for small businesses: Most of them don’t think they’re big enough to be a target of a cyber attack. 54% of small businesses think that they’re too small to be targeted by cyber crime, but most of the cyber security stats we’ve highlighted indicate that “too small” isn’t really a consideration for cybercriminals. 
According to Insurance Bee, 25% of small businesses didn’t even realize that cyber attacks would cost their business money. Beyond customer, employee, and business information risks, high costs are inevitable results of cyber crime; however, a quarter of small businesses don’t realize this.  This lack of awareness of the cost of cyber attacks likely contributes to the deprioritization of cyber security in small businesses.
And this deprioritization of cyber security manifests in many ways. Notably, 83% of small businesses haven’t put cash aside for dealing with a cyber attack.  Of course, savings for reacting to a cyber attack that’s already happened might not count as cyber security in technical terms. That said, already have the funds in place to address a data breach will allow your business to react more quickly and more efficiently.
Nonetheless, over half of small businesses don’t even have a plan in place for reacting to cyber attacks on their small business. Insurance Bee reports that 54% of small businesses haven’t taken the time to proactively plan for handling a potential cyber attack. 
Even beyond hypotheticals, small businesses don’t seem to handle cyber security incidents with the seriousness they deserve. A study run by Hiscox showed that 65% of small businesses have actually failed to act after a cyber security incident. 
And cyber security incidents aren’t just happening every now and then—not even when you zoom in to the occurrence of cyber attacks on small and mid-sized businesses. Exactly half of small and mid-sized businesses—or businesses with 100 to 1,000 employees—have reported suffering at least a single cyber attack within the past year. 
Among the small and mid-sized businesses studied, the average amount spent getting business back to normal after a cyber attack was $955,429. That was on top of the average of $879,582 that was stolen from the polled businesses.  Interestingly enough, the cost of getting back to business as usual far out measures the actual amount of money taken in a cyber attack.
A crucial part of reacting productively to a cyber attack is figuring out how it even happened in the first place. And, unfortunately, this will require help that could cost as much as $15,000.  Finding and addressing the vulnerability that resulted in a cyber breach is necessary for moving forward and steeling your business against subsequent attacks, but it will likely cost you.
Ninja RMM shares that 40% of polled small and mid-sized businesses experienced at least eight hours of their systems being down thanks to a cyber breach.  Downtime for all of your small business’s digital systems means that essentially nothing gets done. Your sales team can’t access prospect information, your customers can’t access dashboards or profiles, and your partners can’t use APIs. This downtime lasts eight or more hours for almost half of small to mid-sized businesses after a cyber breach.
Ninja RMM also adds that this eight hours or more of downtime results in a whopping $1.56 million in losses on average for small to mid-sized businesses. So, the cost of cyber attacks goes way beyond any stolen money or IT personnel, it also comes in the form of missed business. 
Altogether, cyber attacks are projected to cause $6 trillion in damage by 2021.  Investing in cyber security for your small business now can help increase your odds of not becoming a part of this statistic.
Black Stratus shares that industry experts advise businesses to invest at least 3% of their total spending into cyber security. If you’re not putting this much into your cyber security, then you’re likely underspending—or completely leaving out—a key cyber security precaution. 
It’s no surprise that less than 10% of small businesses have cyber liability insurance. Because few small businesses prioritize cyber security measurements, as evidenced by many of the statistics we’ve looked into, that 91% of them don’t have cyber liability insurance doesn’t come as a surprise. 
Finally, it’s worthwhile to take a look at what can happen when businesses don’t take cyber security seriously. The biggest cyber attack to date happened back in August of 2013 when 3 billion Yahoo! Accounts were hacked.  By the very definition of small businesses, a cyber attack of this magnitude isn’t likely to happen to a small business. But setting up cyber security measures from the get-go, before you reach Yahoo!-level scale, is a crucial pillar to establish for your growing business.
There you have it—30 small business cyber security statistics to help you understand the reality of cyber crime against small businesses. Though these numbers aren’t exactly happy news, they’re the nature of running a small business. Be sure to invest in cyber security for your small business so you don’t become just another daunting number in the grand scheme of small business cyber crime.
Maddie Shepherd is a former Fundera senior staff writer and current contributing writer for Fundera.
Maddie has an extensive knowledge of business credit cards, accounting tools, and merchant services, but specializes in small business financing advice. She has reviewed and analyzed dozens of financial tools and providers, helping business owners make better financial decisions.