The nonprofit Identity Theft Resource Center (ITRC) recently released its 2022 Business Impact Report, detailing the impacts of cybercrime on small businesses and “solopreneurs.” This is the second year in which the ITRC has released a business-focused report, based on a survey of 447 executives or IT pros at small businesses.
The top-level takeaway is that only 45% of respondents reported suffering a security breach, data breach, or both during the 12 months covered by the survey, as opposed to 58% reporting such breaches in the 2021 survey.
That’s definitely good news — as is the companion finding that the average cost of a breach declined considerably compared to last year — but it comes with a couple of important caveats that we’ll go into below as we get into some of the more detailed findings.
The other key headline is not so positive: 50% of respondents reported losing control of one or more of their social media accounts for an average of 30 days. And, of those, 87% lost revenue as a direct result of these account takeovers.
Trend or blip?
After seeing the overall number of attacks rise by 61% during 2020 and 2021, this year’s decline in data and security breaches is clearly a welcome move in the right direction. The big question, however, is whether this is the beginning of a lasting trend or simply the result of specific conditions over the past year.
The signals on this are mixed. On one hand, reported data breaches across all sectors in the U.S. were down this year. Furthermore, the cryptocurrency downturn and the war in Ukraine have both led to a reduction in the activity of cybercriminal gangs based in Russia. Neither of these factors is likely to contribute to an ongoing trend.
However, another contributing factor is the significant increase in small business investments in cybersecurity staff, technology, and training. If that is maintained over time, then it is likely to contribute to an ongoing trend of reduced security incidents. This also is likely to have contributed to another positive data point: 35% of respondents who experienced a breach reported that they recovered to pre-breach performance levels in less than one year, compared to only 22% in last year’s survey.
Room for improvement
The report draws attention to one specific finding that may be troubling. Although investments in new security tools, new training for IT staff, additional security budget, and increased vendor due diligence all ticked upward — especially new tools and new IT-staff training — there was a marked decrease in respondents reporting new training for non-IT staff, from 35% in the previous year to only 28% in the current report.
As the report points out, the growth of highly sophisticated phishing and other deception-based attacks against employees with privileged access to financial and other critical data should motivate increased security awareness training for all employees — not just for IT staff.
Indeed, this may be a contributing factor in the widespread vulnerability to social media attacks that the survey reveals.
Despite this, respondents express a great deal of confidence: 70% state that they are prepared to protect their business against a cyberattack and/or recover from a data breach. While this question was not on the previous survey for comparison, this year’s response is consistent with the overall increase in cybersecurity investments.
Steps to take
If you’re responsible for cybersecurity at a small business, I strongly recommend that you download the entire report, as it contains a lot more detail than we’ve been able to cover here. In particular, there’s a lot of granular data on the costly social-media account takeovers that afflicted fully half of respondents.
And if the data that we did cover here has you wondering how to shore up your own investment in security awareness training for all your staff, you could do a lot worse than scheduling a demo or free trial of Barracuda Security Awareness Training.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.