OCTOBER 2023Table of ContentsLetter from the CEO02Consumer & Business Resources12Methodology04Key Takeaways05A Word About Supply Chain Data Breaches11Summary and Analysis of 2023 Key Findings7First-Time Questions10Summary of Key Findings62023 Business Impact Survey14Appendix131© IDENTITY THEFT RESOURCE CENTER 2023 | IDTHEFTCENTER.ORGCEO LetterOnce upon a time, it was true that small businesses and solopreneurs were not a favorite target for cybercriminals. Attackers tended to go for larger, data-rich organizations with lots of cash and thousands of employees, where the law of averages meant it was easier to find someone to fall for a phishing attack.That hasn’t been true since at least 2020, and the past year has seen a big jump in the number of attacks targeting small businesses. In our third annual ITRC Business Impact Report, 73 percent (73%) of owners or leaders of SMBs shared they had experienced a data breach, a cyberattack, or both in the previous 12 months. That follows a year when there was a slight dip in attacks against smaller businesses.Figure 1These trends follow the same patterns the ITRC has seen in consumer impacts and data breaches: a peak year of attacks in 2021 with a small reduction in 2022 due to a variety of factors, including the Russian invasion of Ukraine and disruption in the cryptocurrency markets. Since then, much like the legitimate stock market, the identity crime markets have adjusted to conditions that resulted in fewerattacks in 2022 and rebounded with a vengeance in 2023.As you will see in the pages that follow, the number of first-time attacks against small businesses jumped 18 percentage points compared to 2022. At the same time, more SMB leaders believe they are ready to take on cyber attackers. In 2022, 70 percent (70%) of SMBs believed they were ready to defend against a cyberattack or data breach. This year, the number was 85 percent (85%).One new area we probed in 2023 was the concept of new or emerging data security tools. As you’ll notice, the uptake of new solutions such as Multi-Factor Authentication (MFA) and practices like data minimization were slow to gain acceptance. Utilization ranged from 34 percent (34%) for MFA to 20 percent (20%) for newer tools such as passkeys that were known to be effective protections.Likewise, privacy protections were yet to break fully into the mainstream. The ability to opt-out of data collection or to have information deleted about you remained far less than 40 percent (40%), even as more states moved toward adopting their own comprehensive privacy laws.Figure 1 | Data Breaches, Cyberattacks, or Both, Reported by SMBs202158%202243%202373%2© IDENTITY THEFT RESOURCE CENTER 2023 | IDTHEFTCENTER.ORGSMB leaders are more focused on data security and privacy protection than ever. That’s great news, but we still have a tremendous amount of work to d...
