Telephone

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 29, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent events and trends related to data security and privacy. Since this is the last business day of Cybersecurity Awareness Month, we’re going to focus on the latest ITRC report, our Business Aftermath Report. The report focuses on the impacts of small business data breaches and how small businesses, including solopreneurs, are impacted by data and security compromises.

How the Business Aftermath Report Came to Fruition

First, we want to tell you the story of how this report came to be. Back in 2019, our Chief Operating Officer, James E. Lee, posted a comment on LinkedIn that included a stat about the number of small businesses that went bankrupt due to a data breach. He got the stat from a news release issued by a U.S. Senator, so he figured that was a pretty safe bet to be accurate.

Almost immediately, a former colleague questioned the integrity of the stat and challenged James, nicely, to prove it. It turns out, the most widely reported statistic used by the media and quoted in countless online reports was wrong. So wrong that the organization that was credited with the research posted a notice on their website urging people to stop citing them as the source of the bogus information.

It was like the title of this episode, a giant game of Telephone. If you ever see a quote that says half of all small businesses fail within six months after a data breach, don’t believe it. The truth is far more troubling.

ITRC Publishes Inaugural Report on Small Business Data Breaches

With no current or accurate information on the impact of data and security compromises at small businesses, of which there are tens of millions that support tens of millions of families and individuals, the ITRC decided it was time to look more closely at what really happens to the companies that make up most of the U.S. economy.

2021 Business Aftermath Report Findings

We published our research on small business data breaches this past week, and here’s what we found based on comments from hundreds of business owners and leaders:

  • Sixty-two (62) percent of the respondents have fewer than 50 employees; 37 percent have fewer than 10.
  • Fifty-eight (58) percent of the small business owners and leaders reported a data breach, a security breach or both.
  • Seventy-five (75) percent of those have experienced more than one breach; 33 percent have experienced more than three breaches.
  • Forty-two (42) percent did not return to “business as usual” for 1-2 years; 28 percent required 3-5 years; seven (7) percent said they had not returned to pre-breach performance levels at the time of the survey this summer.
  • Forty-four (44) percent of the small businesses lost revenue or incurred costs between $250,000-$500,000; 21 percent saw impacts of more than $500,000, including five percent who were impacted to the tune of $1 million or more.
  • Seventy (70) percent incurred debt to recover; 15 percent reduced headcount, extending the breach’s impact to more than just the business owners or leaders.

Trends the Data Shows

To put some of these stats into context, the U.S. Small Business Administration’s (SBA) most recent report, which reflects pre-pandemic results, shows solopreneurs’ average annual revenue was less than $50,000. Private research by ZenBusiness indicates only 27 percent of small businesses with employees estimated their 2020 revenue to be over $200,000. A hit of tens to hundreds of thousands of dollars in unbudgeted expenses or lost revenue is a big deal.

The data also shows a dramatic increase in the number of small businesses being targeted beginning in 2019. Nearly 80 percent of the companies that reported a breach did so in the past two years. This coincides with the overall trend of cybercriminals focusing on vendors like smaller businesses to attack larger businesses with ransomware. It also means this is likely to be a permanent condition.

There’s one final stat around small business data breaches that stands out. Small businesses have a higher incidence rate of malicious employees or contractors as the root cause of data and security breaches. Forty (40) percent of compromises are still caused by outside cybercriminals. However, 35 percent are attributed to malicious insiders.

Contact the ITRC

Next week we’ll talk about what small business owners and leaders can do to protect their business and themselves. Meanwhile, if you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to join us next week for another episode of the Weekly Breach Breakdown.