The State of Small Business Cybersecurity 2022

The vulnerabilities leaving small businesses exposed to attack

Cyber attacks against small businesses are rapidly escalating.

Are leadership teams adequately prepared for growing cybersecurity threats?

Organizational readiness is vital to successfully defend against cyber attacks. From documented policies and employee training, to cybersecurity software and expert resources, small businesses must employ a full spectrum of safeguards to effectively protect their most valuable assets.

However, with limited resources at their disposal, many small businesses neglect these fundamentals. Electric surveyed 217 senior business executives, at U.S. organizations with fewer than 500 employees, to understand the maturity of their cybersecurity efforts and assess their experiences of cyber attacks.

We found that breaches are not only commonplace, they are often a repeat occurrence:

Certain vulnerabilities are rife among small businesses, and serious gaps exist in critical lines of defense. In many cases, avoidable lapses have been responsible for significant downtime and business costs.

Keep reading to learn which cybersecurity measures are widely implemented, which vital protections are lacking, and how cyber attacks are currently impacting small businesses.

Small Businesses Lack Cybersecurity Strategies and Policies

Do you think your organization is adequately prepared for a cyber attack?

Our research found that many small businesses fail to take a structured, proactive approach to cybersecurity. Just 60% of survey respondents feel their company is adequately prepared for a cyber attack.

Do you think cyber attacks against your organization are likely?

Even fewer (45%) believe their organization is likely to be a target. This contradicts established findings that small businesses are three times more likely to be targeted by cyber criminals when compared to their larger counterparts.

Who is responsible for cybersecurity at your organization?

Limited cybersecurity resources are a leading risk factor in small businesses becoming a target, so it is concerning that just a third have access to dedicated cybersecurity specialists. Responsibility for cybersecurity predominantly falls on internal IT teams, who are likely dealing with competing priorities. Outsourcing to an external service provider is a popular second choice, while some rely on a combination of all three.

Which of the following does your organization have documented?

When it comes to documenting cybersecurity policies and practices, many organizations lack the basics. Just 59% have an official employee cybersecurity policy, while 46% have a cybersecurity strategy. Disaster recovery plans and Bring Your Own Device (BYOD) policies are even less commonplace (35% and 29% respectively), and 13% of respondents report having no cybersecurity policy documentation whatsoever.

Did your organization update its cybersecurity practices in response to employees working remotely?

While many aspects of cybersecurity documentation seem to be sporadic, small businesses have been more proactive in adjusting their policies to incorporate remote and hybrid work. The majority of organizations (64%) say they updated their cybersecurity practices in response to employees working remotely.

Of course, effective cybersecurity policies are reliant on certain protections being in place. The majority of small businesses say they have implemented antivirus, firewalls, and data backups, while multi-factor authentication (MFA) is used by just under half of organizations. There is a worryingly low uptake of password managers, VPNs, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), Endpoint Protection Programs (EPP), and Single Sign On (SSO).

Does your organization use any of the following?

The frequency of data backups at small businesses is mostly in line with best practices, but storage methods need improvement. 62% perform data backups on either a daily or weekly basis, while 5% say they never carry out this practice.

Does your organization perform data backups?

Where are your data backups stored?

Half of organizations store their backups securely in the cloud. However, 40% rely on their company network for data backups, which is a high risk choice in the event of an attack.

How often does your organization conduct software and device updates?

Software and device updates are carried out “as needed” in the majority of small businesses, which is positive if performed in a timely and regular manner. Yet, given the demands of rolling out these updates, it’s surprising that only 14% automate the process.

As a last line of defense, cyber insurance offers small businesses a safety net in the event of a successful cyber attack. Unfortunately, just half of those surveyed have coverage, and a further 27% are unsure of their cyber insurance status. Not only are many small businesses leaving themselves vulnerable from a policy and solution standpoint, they are also failing to plan for the worst case scenario.

Does your organization have cyber insurance?

From the survey responses, it is clear that small and medium-sized businesses still vary considerably in their organizational preparedness for cyber attack. Uptake of crucial policies and protections still lags behind larger corporations, which only solidifies SMBs’ status as vulnerable targets for cyber criminals. To bolster protection and avoid potentially catastrophic breaches, small businesses must place greater focus on their cybersecurity strategy, and find opportunities to do more with existing resources.

Employees Are Competent in Recognizing Cyber Threats

Does your organization have a procedure in place for employees to report suspected or attempted cyber attacks?

Employee awareness plays a vital role in defending against cyber attacks, particularly when it comes to initiating a timely and effective response. Workers who are unfamiliar with the process for reporting a suspected breach can inadvertently worsen its severity, as can employees who are fearful of disclosing an error. Most organizations appear to be cognizant of this risk, with 65% saying they have an official procedure in place for employees to escalate suspected attacks.

How often do you change your passwords on work-related accounts?

Another key component of employee cybersecurity is password management. The frequency with which employees update their passwords varies, but the majority adhere to best practice by changing every three months or less. A further 22% say they update their credentials when prompted by a password manager, indicating organizations recognize the need to enforce this practice among employees.

Have you ever received a phishing email?

Knowledge of phishing risks is also relatively high, most likely due to the prevalence of such attacks. The vast majority of business leaders (83%) have received a phishing email, and 81% say others at their company have also been targeted.

What level of confidence do you have in your employees’ ability to identify a phishing email?

Senior leaders also express a high level of confidence in their employees’ ability to recognize phishing emails, with 92% either somewhat or very confident that their employees can identify such messages.

How often does your organization conduct cybersecurity training for employees?

Most organizations have made efforts to improve employee awareness of cyber risks, with 65% saying they have received company-hosted training on phishing. The frequency of general cybersecurity training for employees is also mostly positive, with just over a quarter conducting training on a monthly basis, and 29% doing so “as needed”. However, a significant cohort of respondents (18%) stated that such training is never carried out at their organization.

Prioritization of cybersecurity awareness evidently varies, but it appears that small businesses are taking steps to address what is typically an organization’s weakest link: employee error. However, it is worth noting that complete, robust protection cannot be achieved through awareness and training alone, especially without supporting technology in place.

Small Businesses Fail to Learn From Cyber Attacks

Has your organization experienced an increase in attempted cyber attacks in the past year?

While many small businesses rely on fragmented cybersecurity policies, attacks continue at a concerning pace. Over a third (36%) of organizations surveyed experienced an escalation in attempted cyber attacks in the past year, with a further 28% stating they couldn’t be certain if such attempts had increased.

Has your organization ever been a victim of a successful cyber attack?

47% of small businesses have fallen victim to cyber attacks, with phishing, password hacking, and adware topping the list of tactics.

Ransomware is another common occurrence among survey respondents. 26% of organizations have been targeted with ransomware, of which 60% paid the ransom involved. In those cases, one third failed to retrieve the ransom payment post-attack.

What type of cyber attack has your organization experienced?

How many cyber attacks has your organization experienced?

Alarmingly, of those businesses that have weathered an attack, 67% have endured the experience more than once. 30% have sustained between two and five attacks, 28% have experienced between five and ten, and 9% have suffered more than 10 incidents.

What cybersecurity vulnerabilities contributed to the attack(s)?

Across small and medium-sized businesses, certain cybersecurity vulnerabilities are consistently exploited by cyber criminals. Employee error is the leading cause in most successful attacks, indicating that training and awareness efforts still aren’t going far enough. Outdated antivirus, devices, and operating systems are other common culprits, as is the absence of a firewall.

Among businesses that have fought off attempted attacks, the majority attribute their successful defense to a combination of antivirus software, employee awareness, firewalls, and regular patches and updates.

Which of the following contributed to your successful defense against the attack?

Unsurprisingly, these responses highlight a clear disparity between organizations that successfully defend against cyber attacks, and those that fall victim: one consistently implements what the other lacks. Employee training and awareness, cybersecurity software, and regular patches and updates can make or break an organization’s ability to repel an attack.

Cyber Attacks Have Devastating Consequences for Small Businesses

Not only is the incidence of cyber attacks on the rise, the methods involved are becoming more sophisticated, leading to increasingly severe consequences for affected organizations. In a digital-first environment, most small businesses possess multiple targets of interest to cyber criminals, from customer data to company finances. Without adequate safeguards in place, even minor breaches can quickly snowball to produce far-reaching business impacts.

What was the target of the cyber attack(s)?

Among small businesses that have experienced cyber attacks, the most commonly reported targets include business disruption, closely followed by customer financial data, and email addresses or login credentials.

What was the business impact of the cyber attack(s)?

In terms of business impact, 46% experienced downtime as a result of a cyber attack. Data loss, an inability to access the network, data leaks, and financial losses were other commonly reported consequences.

If your organization has experienced downtime as a result of a cyber attack, how long did it last?

In most cases of downtime, the organization in question was back up and running within a week, although 28% took between one and two weeks to recover, and 12% were impacted for even longer.

22% say the cost of cyber attacks to their business ranged from $50,000 – $100,000, and 20% reported damages of over $100,000. Given the relatively low uptake of cybersecurity insurance, these costs can be crippling for a small business.

Did your organization change or improve any of the following in response to the attack?

Following a cyber attack, a small majority of businesses updated their cybersecurity software and policies, while 46% adjusted employee training practices. Unfortunately, given that 67% of cyber attack victims go on to experience repeat breaches, it is likely that these steps are often insufficient. Worryingly, 13% say they made no changes to their cybersecurity policies or practices in response to an attack.

Limited resources are often blamed for inadequate cybersecurity in small businesses, but budgetary limitations are all the more reason to invest. The financial implications of an attack are likely to far outweigh the cost of preventing such incidents. When a full scale breach has the potential to dismantle an organization’s most valuable assets, cybersecurity should command a non-negotiable allocation in every small business’s budget.

Cybersecurity Gaps Leave Small Businesses Vulnerable

While some organizations make strides to strengthen their defenses, others lack the most basic essentials.

Unfortunately, this inconsistency is core to small businesses’ appeal for cyber criminals. Haphazard application of protective measures leaves organizations vulnerable to attack, and failure to learn from mistakes means repeat breaches are an all-too-common occurrence.

To contend with ever-evolving threats, small businesses require meaningful cybersecurity policies, solutions, and training. But the reality of limited resources means a cost-effective approach is necessary.

Electric supports small businesses to secure their most valuable assets, while alleviating the demands on your internal teams. By outsourcing to our cybersecurity experts, you will access industry-leading knowledge and best-in-class software to keep your network, applications, and devices protected.

Contact us today to learn more about how you can strengthen and streamline your organization’s cybersecurity.


Electric Research and Insights Division

The Electric Research and Insights Division studies the use of IT in small and medium-sized businesses. With a focus on identifying IT challenges and opportunities, our research shares technology best practices for business leaders, as well as HR, Ops, and IT teams.
