The average breach causes $149,000 in damages, yet most small-to-medium-sized businesses thought cyberattacks would cost them under $10,000.

Small and medium-sized businesses are severely underestimating the financial burden associated with a cyberattack, according to a new survey from cloud security firm AppRiver. 

In AppRiver’s Q3 Cyberthreat Index for Business Survey, the company spoke with 1,083 executives and cybersecurity decision-makers at small and medium-sized companies across the US. 

Nearly 70% of those surveyed thought they would lose less than $25,000 in the event of a successful cyberattack while more than half said they would lose less than $10,000 in damages. 

AppRiver noted that according to Kaspersky, the average cost of a breach in North America is $149,000. Costs associated with data breaches usually include damages, data retrieval, system repairs and upgrades, lost business, potential ransom payment, PR and damage control, potential lawsuits and compensation to customers.

Just 19% of respondents, mostly in the government and healthcare sectors, estimated that losses from a cyberattack could reach upwards of $100,000.

“Nearly two decades of constant fear-based messages have taken their toll on smaller SMBs,” said Geoff Bibby, vice president of marketing of AppRiver’s parent company Zix.

“Fatalism and a false sense of security are signs that they need more straightforward education and awareness. The threats are very real, and the stakes are incredibly high, but there are simple ways to make startups and early stage companies much harder targets.”

More than 70% of small and medium-sized businesses said they experienced a phishing attempt in the last three months, yet only 38% reported that they apply patches immediately once available.

These statistics even held true for businesses handling extremely sensitive data like healthcare institutions, government entities, law firms, and retailers, all of which had less than 40% of respondents who applied patches immediately once available. Cyberattack attempts, most of which involved phishing, increased in the construction and real estate sector as well.

According to the report, “This slight uptick should not be a surprise, after a quarter of news coverage on attacks inflicted on larger, presumably iron-clad organizations such as Equifax and LabCorp that affected over 150 million victims in the US, as well as increasingly frequent cyberattacks on US local government agencies and municipalities.

“The attacks on the latter and subsequent reports of ransom payments could be particularly unnerving to small businesses, knowing that even government agencies had to surrender to cybercriminals’ demands.”

Respondents in the government sector were particularly pessimistic about efforts to increase cybersecurity preparedness, due in no small part to the spate of attacks against cities and states in the last nine months.

Almost 20% of government officials who spoke with AppRiver said the recent cybersecurity improvements left them feeling like they were “in worse shape.” Less than 40% said they believed the government was spending enough on cybersecurity. The hospitality industry was similarly pessimistic about its ability to protect itself from hackers whose tactics were evolving.

“There have been highly publicized cyberattacks on government agencies and local municipalities in the past quarter, with victims spanning from the city of Baltimore, MD, the city of Riviera Beach, FL, to the states of Louisiana and Texas,” the report said.

The study noted that many businesses with 50-149 employees were in the process of moving out of the start-up phase, meaning they were transitioning from largely cloud-based systems to bigger systems that could handle more users and more data. 

The increase in phishing attempts was forcing more companies to become aware of the cybersecurity dangers that come with having more employees and expanding.

“Small businesses still have a way to go to close the gap between their current cybersecurity attitudes and the realistic cyberthreats they are exposed to,” the report stated. “Small businesses, specifically at the 1-49 employee-size segment, continue to grossly underestimate their cyber vulnerability, cybercriminals’ technological sophistication and their estimated damage costs in the event of a successful attack.”

More than half of executives and IT professionals in the survey said they were worried that their employees would fall victim to a phishing attempt. 

Many small businesses told AppRiver they were behind on security updates, with almost one third saying they have not beefed up their cybersecurity plan since 2018. Almost 40% said they believed they were in better cybersecurity shape this year and that they “believe cybercriminals have done even less to improve their tactics during this period.”

“In the wake of major cybersecurity crises this year – from the American Medical Collection Agency breach to the continual hits we’ve seen on local governments in places like Maryland, Florida, and most recently, Texas – it’s not surprising that most small businesses, and the public at large, are increasingly concerned,” said Troy Gill, manager of security research at AppRiver. “The challenge is in helping them translate that concern into positive action rather than passive acceptance.”