Despite improving preparedness, US small businesses are still highly vulnerable to cyber incidents. A new report shows that while the segment paid less to respond to a cyber incident last year, this was offset by increased attacks and breaches.
In its annual cyber readiness report, Hiscox revealed the median cost of cyber-attacks decreased for small businesses in the US from $10,000 in 2022 to $8,300 in 2023. At the same time, the median number of attacks has risen from 3 in 2022 to 4 in 2023.
Additionally, 41% of small businesses fell victim to a cyber attack in 2023, a rise from 38% in the 2022 report and close to double from 22% in 2021. US small businesses paid over $16,000 in cyber ransoms over the past 12 months.
For Chris Hojnowski, vice president and product head of technology and cyber, Hiscox USA, the rise is highly concerning.
“Forty-one percent isn't that far off from a coin flip of it happening to you,” said Hojnowski.
Hiscox polled over 500 US small business professionals and gauged their preparedness to combat cyber incidents. This was part of a global survey involving over 5,000 professionals responsible for their company’s cyber security strategy.
Some of the cyber readiness report’s key findings are:
“The cost has decreased a little bit year over year, which is good from the eyes of people affected by cyber breaches,” said Hojnowski.
“With that said, the number of attacks has grown, so you're getting a little bit of offset from how much these acts cost.”
New artificial intelligence (AI) developments have also undermined some tried and trusted ways of spotting phishing emails.
“We used to be able to identify phishing emails pretty easily because the grammar used to be not perfect, punctuation would be off – the emails would just seem off,” Hojnowski said.
“Now, with the implements of artificial intelligence and ChatGPT, there are ways of making emails sound more realistic.”
But he added that AI tools – and constant vigilance – can also help small business owners protect themselves.
“There are ways to protect yourself from it, such as an inbox scanner that can spot any bad links or a corrupted email address. But you always have to be looking and aware,” Hojnowski said.
The growing complexity of cyber-attacks also underscores the importance of additional investments in cyber security, training, and insurance. But while IT security spending has increased, there are still areas of vulnerability.
Hiscox’s report showed that despite a 10% increase in median IT budgets and a 24% increase in cybersecurity spending over the last 12 months, 59% of small businesses don’t use security awareness training. Further, 43% of the surveyed companies don’t have network-based firewalls.
“From a claims perspective, better-trained employees are your number-one defence against many types of losses. Training needs to be better in this space,” Hojnowski said.
For all business sizes, the US ranks second (behind France, 2.98) for cyber maturity, scoring 2.94. Regarding cyber expertise, 63% of small businesses in the US are intermediates, and only 4% are cyber experts, according to Hiscox’s survey.