Dive Brief:
- One-third of small- to medium-sized businesses were hit by a cyberattack in the past year, Microsoft Security said this month in a report conducted by research firm Bredin.
- The average total cost of a cyberattack on SMBs was nearly $255,000, but some incidents cost as much as $7 million, the report found. The highest average costs were attributed to investigation and recovery, and to the reputational impact on an SMB in the wake of an attack.
- “Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security,” Scott Woodgate, general manager of threat protection at Microsoft Security, said in a report released alongside the survey results.
Dive Insight:
The frequency and cost of cyberattacks on SMBs accentuate the sometimes underappreciated fact that attackers have targeted and will target businesses of all types and sizes. Attacks on the trucking industry in particular have escalated, with the average cost of a breach reaching $4.3 million.
SMBs confront additional pressure because they often lack the resources and expertise to enact and manage advanced security measures that could detect, thwart or mitigate an attack. Fewer than 1 in 3 respondents said their SMBs manage security internally, while the remainder rely on consultants, managed service providers and cyber insurance recommendations for tool selection.
The mindset of some security leaders surveyed for the report underscores false impressions that put SMBs at a further disadvantage. More than 2 in 5 respondents said their organization probably won’t be attacked a second time if they’ve already experienced an incident. One-quarter said they’re likely safe because they’re too small or haven’t been attacked before.
The majority of respondents, 4 in 5, said they intend to increase cybersecurity spending, and the top objectives for those investments include data protection, firewalls, protection from phishing and ransomware, access control and identity management.
The report is based on a September survey of 2,000 IT security product decision makers at U.K. and U.S. businesses with under 300 employees.