Cyber Attacks Cost U.S. Small Businesses Over $8,000 Annually: Hiscox

Source: Hiscox | Published on December 8, 2023

Cyber premium growth levels off

Hiscox, the international specialist insurer, reveals the median cost of cyber-attacks has decreased for U.S. small businesses from $10,000 in 2022 to $8,300 in 2023.

The annual Hiscox Cyber Readiness Report, which gauges businesses’ preparedness to combat cyber incidents and breaches, surveyed over 5,000 professionals responsible for their company’s cyber security strategy from the USA, UK, France, Germany, Spain, Belgium, Republic of Ireland and The Netherlands. Key findings specific to the more than 500 US small business professionals surveyed include:

  • Small businesses are aware of the cyber risk: Small businesses see cyber as a real threat. Thirty-three percent of US small businesses consider cyber risk high or very high, which is ahead of economic issues and competition.
  • The cost of cyber-attacks has dropped: The median cost of cyber-attacks for one business in a year is approximately $8,300, down from about $10,000 last year. Although the cost is down, the median number of attacks has risen from 3 in 2022 to 4 in 2023.
  • Ransomware is costing small businesses in a big way: US small businesses paid over $16,000 in cyber ransoms over the past 12 months. For businesses that paid ransoms, only half (50%) recovered all their data and 27% of the time, hackers made additional demands for money.
  • Phishing is still the primary point of vulnerability: In ransomware attacks, the most common points of entry were phishing (53%), unpatched servers/VPN (38%), and credential theft (29%).
  • While IT security spending has increased, there are still areas of vulnerability: Despite a 10% increase in median IT budgets and a 24% increase in cybersecurity spending over the last 12 months, 59% of small businesses don’t use security awareness training. Further, 43% of the businesses surveyed don’t have network-based firewalls.
  • Small businesses are protecting themselves: 53% of US small businesses have either a standalone cyber insurance policy or have cyber coverage through another policy.
  • When it comes to cyber maturity, there is more work to be done: For all sizes of business, the US ranks second (behind France, 2.98) for cyber maturity with a score of 2.94. When it comes to cyber expertise, 63% of small businesses in the US are intermediates and only 4% are cyber experts.

“In the never-ending arms race of cyber criminals versus cyber security, new technology developments and employee training can tip the scales either way,” said Chris Hojnowski, Vice President and Product Head of Technology and Cyber for Hiscox in the US. “Phishing is still the most common point of entry for ransomware attacks, and new developments like AI can undermine our tried and trusted ways of spotting a phishy email. Proactivity is the best form of defense when it comes to cyber, and a team is only as strong as the weakest link – or least-trained employee – in the chain.”

About the Study

Hiscox commissioned Forrester Consulting to gather information about businesses cyber activities and readiness. In total 5,005 professionals responsible for their company’s cyber security strategy were surveyed (over 900 each from the USA, UK, France and Germany; more than 400 from Spain; and 200-plus from the Belgium, Republic of Ireland and The Netherlands). Respondents completed the online survey between 9 January 2023 and 2 February 2023.

We have adopted median rather than mean or average figures and restated prior-year figures in the same terms. Given the extreme variation in the underlying figures between the smallest and largest firms, this provides a more accurate representation of the respondents as a whole.