These SMB Cybersecurity Statistics Show How SMB Risk is Changing

Cybercriminals are gunning for businesses of every size. In today’s booming dark web markets, the data that your business has including user records, financial information and identity documents are a powerful lure for bad actors who want to make a quick buck and reuse it to facilitate even more cybercrime. But today’s risk atmosphere is especially dangerous for small and medium businesses (SMB).

A record-breaking overall cybercrime rate combined with skyrocketing incident recovery costs and the challenges of securing a dynamic workforce have formed a perfect storm of risk. These SMB cybersecurity statistics illustrate just how dangerous this storm can be – and how you can protect your business effectively without breaking the bank.

Insider Threats

For companies with a small staff, one insider threat is a major risk. The majority of insider threats are non-malicious, accidental flubs that can’t be helped. But unfortunately, not everyone on your team really has your best interests at heart. Altogether, insider threat data breach risk rose about 40% in 2020, tripling in the last three years – and malicious insider actions are responsible for almost 25% of confirmed breaches. This can hit SMBs disproportionately hard. With fewer hands on board, more people have a larger scope of work, and that means that more people have access to sensitive data and systems. Those outsize risks come with equally outsize consequences.  According to IBM and the Ponemon Institute’s The Cost of Insider Threats Global Report 2020, the average cost of an insider threat to small organizations (500 employees or less) was $7.68 million.


Ransomware is the monster under the bed for cybersecurity teams. A favored tool of cybercriminals, ransomware is employed by nation-state threat actors as well as small-time gangs. This versatile weapon can be used to disrupt infrastructure like we recently saw with Colonial Pipeline as well as stop factory production, encrypt systems and steal data. An estimated 61% of organizations worldwide experienced a damaging ransomware incident in 2020, a 20% increase over the same period in 2019. A successful ransomware attack is inevitably an expensive, disruptive disaster, and the pace is not slowing down. Ransomware attacks in 2021 are already up more than 300% over the same period last year, beating 2020’s record-setting pace.


Most of today’s nastiest cybersecurity incidents all start with a phishing email. In fact, 90% of incidents that end in a data breach start with a phishing email. A huge increase in the volume of email trafficked since March 2020 has created a wealth of opportunity for cybercriminals to perpetrate phishing schemes, and they haven’t been idle. Phishing attacks can quickly turn into dangerous and expensive disasters like business email compromise (BEC), brand impersonation, credential compromise, ransomware and other malware.  While many companies do engage in phishing resistance training, they often fail to refresh it often enough. Experts recommend that employees take 11 courses per year for maximum efficacy. Haphazard training often reflects a poor cybersecurity culture that enables bad behavior like sloppy email hygiene by employees. In a 2020 survey of 1,000 employees, a disturbing fact stands out: 96% of employees are aware of digital threats like phishing, but 45% click emails they consider to be suspicious anyway.

10 SMB Cybersecurity Statistics That Every Business Needs to Know

In a rapidly evolving threat landscape, it’s important to keep a few facts in mind when considering the best solutions to secure business systems and data. Here are 10 SMB cybersecurity statistics that every business needs to know.

Face Facts: 60% of Companies That Experience a Cyberattack Go Out of Business

As is clearly illustrated by our 10 SMB cybersecurity statistics above, today’s SMBs are facing new threats around every corner. Creating a healthy cybersecurity culture is essential for defending businesses from cybercrime. By making cybersecurity a priority and training everyone to recognize threats, you’re making every employee feel like they’re part of the security team too. This is especially important in a tumultuous threat landscape. in the last 12 months, the epic changes that businesses have faced serve as a strong illustration of why building a strong cybersecurity culture staffed by security-savvy employees can be a game-changer for SMBs in every sector. Maintaining agility, building cyber resilience and empowering staffers to pivot quickly in the face of new challenges should be every organization’s goal in 2021.

At the center of building that culture is phishing resistance training. The majority of today’s nastiest, most devastating cybercrimes are phishing-based, and get staffers on board to fight back strengthens an organization’s cyber resilience dramatically. If just one employee spots and stops a phishing email because they’re invested in maintaining a strong defense, that can save a company millions of dollars as well as uncountable headaches in recovering from a cyberattack.

Secure identity and access management is also crucial for keeping systems and data safe. By adopting an access control solution that includes multifactor authentication (MFA), businesses can add strong protection against intrusion by hackers and credential thieves. An estimated 99% of password-based cybercrime can be stopped in its tracks just by adding MFA to your security plan. The other half of guarding against credential compromise is making sure that unpleasant password-based cybercrimes aren’t heading your way from the dark web. Using a real-time, always-on monitoring solution is a smart way to keep an eye on potential new dangers.

Why wait until there’s trouble? Now that you’ve seen a snapshot of the danger that every organization is in through our list of 10 troubling SMB cybersecurity statistics, it’s time to take the next step.  Contact us today to learn more about how our solutions can protect your business from cybercrime. 

Comments are closed.