Small Business Data Breaches: The Latest Findings

Brad Dorsey

4 min read ·


Verizon’s 2021 Data Breach Investigations Report (DBIR) is a thorough review of data breach statistics, incidents, actors, and the current state of cybersecurity. The report offers a deep dive into small business data breaches too. We know you’re busy starting up or running a business. So, this article shares some of the major findings from the DBIR related to small businesses.

First, a little background. The DBIR, now in its 14th year, aims “to increase awareness of where possible dangers lie.” The 2021 report “looked at 29,207 incidents, which boiled down to 5,258 confirmed data breaches…sampled from 88 countries around the world.”

The report looks at data breaches from many angles. Overall findings that help capture the current cybersecurity environment include:

  • Phishing remains one of the top breach varieties (36% of breaches, up from 25% last year)
  • Financially motivated attacks continue to be the most common
  • Ransomware more than doubled its frequency from last year
  • Organized crime continues to be the number one type of bad actor

Of the 29,207 incidents studied, 1,037 were at small businesses (up to 1,000 employees), 819 were at large businesses (1,000+), and the remaining 27,351 were unknown. Some 263 of the 5,258 known breaches targeted small businesses. So, what can we learn from the analysis specific to small businesses? The report has insights into:

  • Types of industry impacted
  • Top patterns of attack
  • Time to discovery
  • Threat actors
  • Actor motives
  • Data compromised


Types of Industry Impacted

Of the 263 known breaches at small businesses, professional, scientific, and technical services were the hardest hit, with 76 cases. Information and healthcare rounded out the top three with 35 and 32 incidents, respectively. The only other category to break 20 cases was the finance industry at 26. The remaining double-digit incident industries were education (17), manufacturing (13), public (13), and retail (10).

The professional services sector is a broad one, “eclectic” even, per the report. But one thing this sector’s businesses “seem to have in common is their reliance on internet connected infrastructure, and the risk inherent in that architecture.”


Top Patterns of Attack

Small business is standing apart from bigger business far less this year, at least as far as data breaches. As the report noted, “the top patterns have aligned across both org sizes,” and for the first time, “the two groups are very similar to each other.”

Common patterns of attack include system Intrusion and basic web application attacks. System intrusion in the DBIR “consists of more complex attacks, typically involving numerous steps. The majority of these attacks involve Malware (70%), usually of the Ransomware variety, but also of the Magecart attack type used to target payment card data in web applications. Hacking (40%) also appears in many attacks and most often consists of the Use of stolen credentials or Brute force attacks.”

Basic web application attacks “are those with a small number of steps or additional actions after the initial Web application compromise. They are very focused on direct objectives, which range from getting access to email and web application data to repurposing the web app for malware distribution, defacement, or future [Denial of Service] attacks.”


Time to Discovery

While large organizations moved to find data breaches within “days or less” in 55% of cases, smaller businesses were not as quick. Only 47% of breaches were found by small organizations in “days or less.”

This represents progress as the sooner a breach is detected, the quicker the business can move to mitigate the damage. Plus, it can let affected parties know sooner, which goes a long way to reducing the brand reputation loss of a data breach.


Threat Actors

External actors were the top threat actors, responsible for 64% of the known breaches. After that, internal actors were at fault 36% of the time. What is the distinction between the two? External actors are those who, even though they gain access to internal systems, are strangers on the outside. In 2020’s breaches, nearly 80% of external actors were affiliated with organized crime.

Meanwhile, the internal type of breach could represent misuse (the threat is due to internal misconfigurations) or errors (humans do make mistakes, regrettably).


Actor Motives

It’s all about the money. At least, that is the primary motive for a business data breach. Since many external actors are part of professional criminal gangs, it’s no surprise. Of course, the DBIR’s writers pointed out that most amateur criminals are motivated by financial gain too.

No wonder ransomware was reported to have doubled from last year. That’s when someone encrypts the business data and shuts the business down until a ransom is paid.


Data Compromised

Unwavering from previous DBIR reports, credentials remain the most sought-after data for the bad actors. The percentage of credentials compromised is nearing 60%. Meanwhile, personal data comes a close second as a target, at over 40%. 

It makes sense. Credentials give the cybercriminal access to the systems to take their ill-intentioned actions. Personal data—including Social Security numbers, insurance information, names, and addresses—is useful for financial fraud. If the bad actors themselves aren’t using it, they can resell it easily on the dark web.


What This Means for Small Business

The DBIR is an informative document, but it’s certainly not a happy bedtime reading. The report does help organizations of all sizes to reduce risks by understanding what is going on right now in the cybersphere. 

Ultimately, you need to keep up with the latest, update your systems and software, backup your data and business website, and educate employees about potential cyber risks. You can’t predict the future, but you can try to protect your business from the worst.

Brad Dorsey