Identity cyberattacks on small businesses continue to grow along with the reported losses from those incidents, but more of these companies are implementing data protection best practices, adopting new security tools, and training their employees.
Those are among the findings in the Identity Theft Resource Center’s (ITRC) latest annual report, released this week, about the effect identity attacks have on both small businesses and consumers. They represent a rare moment for the nonprofit, with CEO Eva Velasquez writing that “it’s not very often that we get to report good news.”
For small businesses – which range from single-employee firms or entrepreneurs (“solopreneurs”) to companies with up to 500 employees – the good news is that they’re fighting back harder against the rising tide of threats. James Lee, ITRC’s COO, noted that according to the Small Business Administration (SBA), there are 33.3 million small businesses in the United States.
“All these businesses share a common issue: They are targets for cyber and identity criminals,” Lee wrote, adding that they’re “making significant changes in their cyber routines that will lead to few identity crimes in the future.”
They also are implementing an array of data protection practices that will result in less personal data being available to identity thieves; cyber insurance policy proceeds are now the top source of funds to pay for the cost of recovering from a cyber event; and most small business leaders know if their state has a comprehensive privacy law, he wrote.
All of that is good, because the cyberthreats are mounting. Looking at the situation between June 2023 and this year, more than 80% of small businesses were victims of a cyberattack, a data breach, or both, according to the organization’s 2024 Consumer and Business Impact Report. In addition, the number of cases where financial losses topped $500,000 doubled, and more than three-quarters of business leaders worry about how they will comply with those state privacy laws.
The numbers come from an online questionnaire completed by 461 people who were selected by SurveyMonkey and work in a range of industries, from financial services and manufacturing to retail, healthcare, and education.
Breaking down the kinds of attacks that small businesses are seeing, the ITRC found that companies hit by a security breach fell year-over-year from 28% of respondents last year to 16% this year. However, those sustaining a data breach jumped to 26%, and those being attacked with both shot up to 39%, from 24% last year. Companies reporting no breaches fell from 28% in 2023 to 19% this year.
“The interesting data points here are not the drop in cyberattacks,” the report’s authors wrote. “Rather, the rise in combination attacks (cyberattacks that led to data breaches) and the steep drop in the number of organizations that experienced no form of attack at all.”
Small businesses are responding by expanding their spending in such areas as security tools, IT and non-IT staff training, and security budgets. In addition, the growing number of supply-chain attacks drove the doubling of the amount of money being spent on vendor due diligence tools.
At the same time, there were jumps in all categories regarding the adoption of or compliance with security best practices, including making it easier for consumers to opt in or out of data being collected or used and for limiting how their data is used, easy access to personal information, and simple ways for their data to be deleted.
In previous years, small business executives tended to focus more on implementing such tools as multifactor authentication (MFA) and mandating longer passwords, which weren’t specifically managed by law or most regulations. However, more states are passing privacy and data protection laws, which fueled a shift by small businesses toward compliance.
As of this month, 20 states have enacted such comprehensive laws that not only give consumers more control over how their personal information is used and processed, but also mandate data security and similar practices, according to the report’s authors.
Among small business leaders, 77% said they were “very aware” of those new requirements, though 76% were concerned about how they would comply.
Some of the ITRC’s findings echo what other organizations are seeing. In a survey earlier this year conducted by Vanson Bourne and commissioned by ConnectWise, 96% of small- and midsize businesses said they had been victims of a cyberattack and 83% planned to invest more money in cybersecurity in the coming 12 months.