SAN FRANCISCO – October 24, 2024 – Every year, billions of dollars in the U.S. are lost to cyberattacks, but new research shows that one quarter of U.S. small and medium-sized businesses (SMBs) that have been hit by a cyberattack aren’t aware of the full financial impacts of the incidents*, in addition to the business fallout from operational and workforce impacts. A new study* from Okta, Inc. (NASDAQ: OKTA), the leading independent Identity partner, found that SMBs operate within an unfamiliar and unpredictable landscape, facing far-reaching impacts to their business.
This lack of awareness reveals a significant vulnerability. While nearly 70% of U.S. SMBs cite financial loss as the top risk, closely followed by loss of customer trust (65%), many fail to recognize the full financial consequences of cyberattacks until they face them:
- One in five SMBs invest $200,000 or more in cybersecurity measures following an attack, compared with nearly 5% of those that have not experienced a cyberattack.
- Holistic recovery is often lengthy. More than 50% of SMBs recovered financially in less than one month. However, fewer than 50% reported reputation recovery for the same time period.
“Many SMBs rely on identity via their email providers, assuming these gaps won’t be exploited. In reality, cybercriminals are targeting these weaknesses,” said Arnab Bose, Chief Product Officer of Workforce Identity Cloud at Okta. “As AI-powered attacks become more sophisticated, SMBs must strengthen their identity protections to safeguard operations and, most importantly, customer trust.”
The stressful reality of cyberattacks
While U.S. SMBs face significant financial losses due to cyberattacks, the toll extends far beyond dollars.
According to Okta’s research, 65% of U.S. SMB owners rank cyberattacks as a top concern—second only to inflation and higher interest rates. Nearly 50% of small business owners who have experienced a cyberattack reported a noticeable negative impact on their mental well-being.
The mental toll also trickles down through organizations. Smaller companies, with limited staff and stretched resources, find it even harder to rebuild trust and morale after a security breach, with 41% citing a direct impact on employee morale. Nearly one-fourth of SMBs with larger workforces (100-499 employees) noted significant impacts, finding it harder to rebuild internal trust and morale after a cyberattack.
Customer trust is also collateral damage following cyberattacks:
- Following an incident, approximately 2 in 5 (more than 40%) of U.S. SMBs cited a breach in customer trust while nearly 40% reported significant reputational damage.
- These effects are felt even more by SMBs with larger workforces, with half citing significant impacts to both trust and reputation.
“The impacts of a cyberattack on small and medium-sized businesses in the U.S. are wide-reaching, encompassing not only financial but also psychological and operational repercussions that can disrupt businesses and their workforces for months,” said Bose. “Today’s business owners need a proactive and holistic approach to cybersecurity that can scale with their operational and budget needs, and as leaders, it’s essential to not only ensure robust security measures but also to empower their teams with clarity and confidence.”
Basic security tools leave SMBs exposed in today’s sophisticated threat landscape
An overwhelming majority – more than 90% – of U.S. SMBs rely primarily on basic security measures, such as antivirus software and tools like SSO that are bundled with email systems, which are no longer sufficient against increasingly complex attacks. More advanced solutions, such as identity management (40%) and biometrics (32%), remain underutilized, leaving many businesses exposed – particularly businesses with 99 employees or fewer.
The survey also found that a more layered approach to security leads to higher confidence. SMBs using both multi-factor authentication and antivirus solutions reported feeling significantly more secure (76%), with confidence rising to 84% when tools like identity management and biometrics are added.
It’s time to focus on security culture
While many SMBs worry about team stress from attacks, fewer provide adequate cybersecurity training. The survey found that while the majority of U.S. SMBs (80%) are confident that employees understand their company’s cybersecurity compliance measures and 55% offer some type of employee training, fewer provide it consistently:
- Only about a third (32%) of SMB owners regularly provide updates and training to support their cybersecurity measures.
- Alarmingly, approximately one in six businesses don’t offer any updates to their teams at all.
This gap between confidence and action reveals a cultural oversight that can leave a significant portion of businesses vulnerable, even with the right technology in place.
Fostering a strong security culture is essential for protecting SMBs from cyberattacks. This not only empowers employees with the tools to recognize threats but also builds a collective responsibility toward maintaining security. Given the significant risks facing today’s businesses, addressing these challenges requires more than just technology. It demands a multifaceted approach that includes tools, resources, and a strong security culture.