In the last 12 months, small businesses and those who are self-employed saw fewer cyberattacks and data breaches although significant risks remain, according to the Identity Theft Resource Center’s (ITRC) 2022 Business Impact Report.
ITRC recently surveyed 450 people who led small businesses or were self-employed about their experiences with cybercrime. They found that 45% of respondents experienced a security or data breach between July 2021 and 2022, a drop from 58% from the previous year. They also incurred lower costs in addressing a breach. More businesses reported losing less than $250,000, while fewer reported losing between $250,000 and $1 million.
“While any reduction in the impact of a cybercrime on a small business or individual is welcome and significant, it’s also too early to tell if the improvements reflected here are medium or long-term trends or simply unique to the current environment,” wrote ITRC.
Cybercriminals most frequently targeted customer and employee data, with roughly half of respondents reporting compromises of both data types. Just over one-quarter reported a compromise of company intellectual property. External threat actors were the most common root cause of data breaches, followed by compromises from remote workers, malicious insiders, compromises from third-party vendors, and human error. ITRC noted social media continued to be a pain point for many respondents. Half of the survey respondents reported cybercriminals taking over their social media accounts, and nearly 90% of impacted companies said they lost revenue as a result. It also uncovered what it considers a worrisome trend in cybersecurity training.
Half of the survey respondents reported cybercriminals taking over their social media accounts, and nearly 90% of impacted companies said they lost revenue as a result. Mistakenly sharing account credentials with someone pretending to be a friend or customer or phishing attacks were the most common causes of account takeovers. Respondents said they are increasing investment in new security tools, IT staff, and IT staff training, but are spending less on overall staff cybersecurity training.
“Given the volume and velocity of these attacks, now is not the time to reduce the training opportunities for non-IT employees,” ITRC wrote. “Yet, that is exactly the trend described by the small business leaders whose experiences are described here.”