2023 Business Impact Report: Small Businesses and Cyberattacks
IDENTITY THEFT RESOURCE CENTER

OCTOBER 2023

Table of Contents

Letter from the CEO
Methodology
Key Takeaways
Summary of Key Findings
Summary and Analysis of 2023 Key Findings
First-Time Questions
A Word About Supply Chain Data Breaches
Consumer & Business Resources
Appendix
2023 Business Impact Survey

© IDENTITY THEFT RESOURCE CENTER 2023 | IDTHEFTCENTER.ORG

CEO Letter

Once upon a time, it was true that small businesses and solopreneurs were not a favorite target for cybercriminals. Attackers tended to go for larger, data-rich organizations with lots of cash and thousands of employees, where the law of averages meant it was easier to find someone to fall for a phishing attack.

That hasn’t been true since at least 2020, and the past year has seen a big jump in the number of attacks targeting small businesses. In our third annual ITRC Business Impact Report, 73 percent (73%) of owners or leaders of SMBs shared they had experienced a data breach, a cyberattack, or both in the previous 12 months. That follows a year when there was a slight dip in attacks against smaller businesses. (Figure 1)

Figure 1 | Data Breaches, Cyberattacks, or Both, Reported by SMBs
2021: 58%
2022: 43%
2023: 73%

These trends follow the same patterns the ITRC has seen in consumer impacts and data breaches: a peak year of attacks in 2021 with a small reduction in 2022 due to a variety of factors, including the Russian invasion of Ukraine and disruption in the cryptocurrency markets. Since then, much like the legitimate stock market, the identity crime markets have adjusted to conditions that resulted in fewer attacks in 2022 and rebounded with a vengeance in 2023.

As you will see in the pages that follow, the number of first-time attacks against small businesses jumped 18 percentage points compared to 2022. At the same time, more SMB leaders believe they are ready to take on cyberattackers. In 2022, 70 percent (70%) of SMBs believed they were ready to defend against a cyberattack or data breach. This year, the number was 85 percent (85%).

One new area we probed in 2023 was the concept of new or emerging data security tools. As you’ll notice, the uptake of new solutions such as Multi-Factor Authentication (MFA) and practices like data minimization were slow to gain acceptance. Utilization ranged from 34 percent (34%) for MFA to 20 percent (20%) for newer tools such as passkeys that were known to be effective protections.

Likewise, privacy protections were yet to break fully into the mainstream. The ability to opt-out of data collection or to have information deleted about you remained far less than 40 percent (40%), even as more states moved toward adopting their own comprehensive privacy laws.


SMB leaders are more focused on data security and privacy protection than ever. That’s great news, but we still have a tremendous amount of work to do. We are going to set an all-time high for data breaches this year and more than likely will experience a tsunami of identity fraud in the months and years to follow.

We need to accelerate the transition to newer protections and continue to develop new resources to assist victims based on solid research and clear evidence similar to our recent study of identity crimes in Black communities. This one-two combination of enhanced protections and targeted victim support will help us adjust to the ever-changing and relentless threats from cybercriminals.

Our hope is that you will use the information presented here and the tools the ITRC offers to help your SMB defend against cyberattacks and respond to the data compromises that we know are inevitable. If you have questions or need assistance, just ask. If you have suggestions, please share those ideas, too. Just send an email to communications@.

Eva Velasquez, CEO
Identity Theft Resource Center
October 2023

Methodology

The ITRC, using the SurveyMonkey platform, conducted an online survey to explore the impacts of cybercrimes on small businesses as defined by the U.S. Small Business Administration. The survey was conducted in September 2023, covering the previous 12 months (unless otherwise noted in a specific question).

The online questionnaire was completed by 551 individuals; 276 met the criteria of being a person in a leadership position or an IT professional at a company of 500 or fewer employees, including solopreneurs. One hundred ninety-nine (199) reported being the victim of a cyberattack, a data breach or both in the past 12 months.

This year’s report reflects responses from businesses ranging from single-employee companies to organizations with 500 employees. The responses also reflect a wide range of industries with a slight concentration in retail entities.

Number of Employees
8% Solo Entrepreneur
24% 1-5 Employees
12% 6-10 Employees
25% 11-50 Employees
21% 51-200 Employees
10% 201-500 Employees

Top Industries
21% RETAIL
9% OTHER
7% HOSPITALITY
7% HEALTHCARE
FINANCIAL SERVICES 12%
MANUFACTURING 11%
TECHNOLOGY 12%

Type of Cyberattack
20% DATA BREACH
29% SECURITY BREACH
24% BOTH DATA & SECURITY BREACHES

Position Titles
40% Business Owner or Partner
27% President, C-Level Executive or Director Positions
16% Administrator or Manager
11% Senior Management

Our 2023 Business Impact Report looks into what happens specifically to small businesses and solopreneurs following a data or security breach. For the report, the ITRC surveyed 551 small business owners, leaders, and employees to paint a picture of small organizations and individuals that are significantly impacted by cybercrimes, often multiple times in a short period of time.

Cyberattacks Experienced by Small Businesses in the Past Year
20% Data Breach
29% Security Breach
24% Both
28% No Cyberattack
28 Percentage Point Increase since 2022

Financial Impact Due to Cybercrimes

Though we saw an increase of 4% in financial impacts totaling less than $250,000 since 2022, overall financial impacts due to cybercrimes continue to drop compared to previous years.

Less than $250,000: 47%
$250,000–$500,000: 26%
More than $500,000: 13%

Rising Root Causes of Attacks
16% PHISHING SCHEME
15% SCAM OR FRAUD
3 Percentage Point Increase since 2022

Top Root Causes in 2023
EXTERNAL ATTACKERS – 30% (16 Percentage Point Decrease from 2022)
MALICIOUS INSIDERS – 30% (Same Year-Over-Year)
THIRD-PARTY VENDORS – 24% (14 Percentage Point Decrease from 2022)
REMOTE WORKERS – 21% (8 Percentage Point Decrease from 2022)

Customer & Business Data Protection

CUSTOMER DATA
2FA & MFA Required for Access
Must Opt-In to Data Collection & Use
Can Opt-Out or Limit Information Collected

BUSINESS DATA
2FA & MFA Required for Access
Role-Based Account Access Internally
12-Character Minimum Required

50% of Small Businesses Surveyed Reported Taking Steps to Prevent Future Breaches
65% Provided New Training for Staff (IT & NON-IT STAFF)
54% Added Additional Security (STAFF & BUDGET)
53% Implemented New Security Tools

Summary of Key Findings


Summary and Analysis of 2023 Key Findings

Small business leaders who responded to the ITRC’s 2023 Business Impact Survey described a security and data protection landscape that reflects the same broad trends reflected in the ITRC’s other research: an overall increase in identity and cybercrimes. The 2023 research recorded the highest level of businesses reporting attacks (73%) in the three-year history of the BIR. (Figure 2)

Despite the strong negative trends, small business owners continue to project an air of extreme confidence about their ability to respond to the threats they face and the options for recovery when an attack is successful. While 70 percent (70%) of 2022 respondents said they were prepared to protect against a cyberattack or recover from a data breach, 85 percent (85%) of respondents in 2023 expressed they were ready to respond to a cyber event. (Figure 3)

Employee and consumer data continue to be the categories of information most impacted by a breach. (Figure 4)

The number of organizations reporting first-time attacks was flat compared to 2022 (43%). (Figure 5)

Figure 2 | Types of Cyberattacks, 2023
Both: 24%
Neither: 28%
Data Breach: 20%
Security Breach: 29%

Figure 3 | Ability to Respond to a Cyberattack, 2023
Prepared to Respond and Recover: 85%
Unprepared: 15%

Figure 4 | Compromised Data in Small Businesses
Employee Data: 42%
Customer or Consumer Data: 30%
Other: 24%
Company Intellectual Property: 18%
All of the Above: 16%

Figure 5 | Number of Incidents Experienced
One Time: 43%
Two Times: 35%
Three Times: 13%
Four or More Times: 8%

The root cause of breaches shifted in 2023 compared to previous years, with external attackers, malicious employees, remote workers, and Third-Party Vendors taking the top slots but at reduced rates. Breaches caused by Phishing and Scams increased in keeping with broad trends. (Figure 6)

The financial impacts of cyber breaches continued to drop compared to previous years, with more SMBs reporting losses of <$250,000 and fewer reporting higher dollar-value events. (Figure 7)

Cyber insurance emerged as the primary source of recovery funding (33%), followed by cash reserves. There was a slight uptick in headcount reductions (13%) as a means of addressing the costs of a breach. (Figure 8)

Figure 6 | Root Causes of Breaches in 2023
Malicious Insider: 30%
External Threat Actor: 30%
3rd Party Vendor was Attacked: 24%
Remote Worker: 21%
Software Flaw: 17%
Phishing Scheme: 16%
Scam or Fraud: 15%
Insecure Cloud Environment: 11%
Unknown: 10%
Business Email Compromise (BEC): 9%
Ransomware Attack: 9%
Other: 9%
Lost Control of Social Media: 7%

Figure 7 | Financial Impact of Attack
Less than $250,000: 47%
$250,000–$500,000: 26%
$500,001–$1 Million: 10%
More than $1 Million: 3%
Other: 15%

Figure 8 | Financial Recovery After an Attack
Cyber Insurance Proceeds: 33%
Cash Reserves: 29%
Existing Lines of Credit: 27%
Loans or New Lines of Credit: 23%
Expense Reductions: 23%
Headcount Reductions: 13%
Additional Investor Funding: 9%
Other: 17%

The vast majority of organizations that experienced a data breach sent notices to impacted consumers (83%), but 17 percent (17%) did not. (Figure 9)

The most common reason given for delaying or not issuing a breach notice was at the request of law enforcement (50%), followed by a finding that no personal information was exposed (38%) or a self-determination that there was no risk of harm from the type of data compromised (21%). (Figure 10)

With more organizations issuing data breach notices, more entities also offered a wider range of recovery services that included credit monitoring (44%), paid identity recovery services (47%), and access to free services via a non-profit (27%). Approximately 13 percent (13%) offered no services. (Figure 11)

Slightly fewer organizations reported revenue losses (42%) as a result of cyber events. However, more businesses saw other impacts, including more customers losing trust (32%), higher regrettable employee turnover (32%) and increased difficulty in understanding what happened. (Figure 12)

Figure 9 | Alert to Customers of Incident
Customers Were Notified: 83%
Customers Were Not Notified: 17%

Figure 10 | Reasons for Not Alerting Customers
Law enforcement advised to wait until an investigation was complete: 50%
No customer/employee personal information was compromised: 38%
There was no risk of identity theft/fraud from the loss of data: 21%
Legal counsel advised no notice was required: 12%
Other: 3%

Figure 11 | Remediation Services Offered to Affected
Paid Remediation Services from a For-Profit: 47%
Credit Monitoring from a Credit Reporting Agency: 44%
Access to Free Services from a Non-Profit: 27%
None of the Above: 13%
Other: 1%

Figure 12 | Problems Following Cyber Incident
Loss of Revenue: 42%
Difficulty Understanding: 35%
Regrettable Employee Turnover: 32%
Loss of Customer Trust: 32%
Difficulty Responding to Concerns: 28%
Difficulty Finding Affordable Solutions: 25%
Difficulty Obtaining Insurance: 10%
None of the Above: 5%
Other: 1%

First-Time Questions

Each year, the ITRC explores new topics that relate to cybersecurity and data protection. In 2022, we explored the rise of social media account takeover and the relationship with identity fraud. In this report, we asked SMB leaders about the latest best practices for account access and for data use based on the rise of comprehensive data privacy and security laws at the state level in the absence of a national privacy law.

The findings show a slow rate of adoption for a variety of well-established best practices as well as new technology or processes that protect personal and business information. The vast majority of SMBs have not utilized tools such as Multi-Factor Authentication (MFA) for employee or customer use, mandatory strong passwords, or role-based access for employee access to sensitive data. Adoption rates range between 34 percent (34%) and 20 percent (20%) depending on the solution. (Figure 13)

The 2023 Business Impact Report shows similar rates of adoption for consumer data collection, use, and storage designed to protect personal information and privacy. Adoption rates range from 37 percent (37%) to 21 percent (21%), driven, in part, by state laws that require data best practices, including data access, opt-in to data collection, opt-out of data sales, and rights to correct and delete certain types of information. (Figure 14)

The information gathered this year will form the basis for follow-up research in 2024 to explore the barriers to adoption of best practices.

Figure 13 | Current Protective Measures
2FA or MFA is Required for External Account Access: 34%
2FA or MFA is Required for Internal System Access: 27%
Role-Based Account Access Internally: 27%
12 Character Minimum Passwords: 26%
Data Minimization: 23%
App-Based MFA is Default: 23%
Passkeys: 20%
Other: 6%

Figure 14 | Data Privacy Best Practices Followed
Consumers can opt-out or limit information collected about them: 37%
Consumers must opt-in to data collection and use: 34%
Consumers have easy access to information about them: 33%
Consumers can opt-out or limit use of information about them: 28%
Consumers can easily correct information about them: 25%
Information not required to be retained after a transaction is deleted: 22%
Consumers can easily request information about them be deleted: 21%
Other: 4%

A Word About Supply Chain Data Breaches

The number of data compromises in 2023 will represent a single-year record. As this report is released in October, more than 2,100 data compromises have been reported in 2023 – far exceeding the previous annual record high of 1,862 set in 2021. More than 1,300 organizations have been impacted to date by attacks against just 87 vendors, many of which are SMBs who are part of the supply chain of larger organizations.

Increased due diligence by organizations prompted by cyber insurance requirements, state privacy laws, and federal regulations is creating demand for information about past data breach events and near real-time alerts as new breaches are discovered. The ITRC has created a breach alert solution for organizations of all sizes that will help satisfy corporate and legal requirements for understanding the cybersecurity history and performance of vendors (and vendors’ vendors).

For more information about Breach Alert for Business, contact Dorinda Miller, Director of Business Development.

Consumer & Business Resources

The ITRC offers a variety of low-cost identity education, protection, and recovery services for small businesses as well as free victim assistance and education opportunities for consumers. To learn more, email dorinda@.

For Media

For any media-related inquiries, please email media@.

Appendix

The ITRC, using the SurveyMonkey platform, conducted an online survey to explore the impacts of cybercrimes on small businesses as defined by the U.S. Small Business Administration. The survey was conducted in September 2023.

2023 Business Impact Study

Are you the owner or leader of a small business with fewer than 500 employees, including solopreneurs and gig workers?
Yes: 51%
No: 49%

Has your company experienced a security or data breach in the past 12 months?
Security Breach: 29%
Data Breach: 20%
Both: 24%
Neither: 28%

What data was compromised? Select all that apply.
Employee Data: 42%
Customer/Consumer Data: 30%
Company Intellectual Property: 18%
All of the Above: 16%
Other: 24%

How many times have you experienced a data or security incident?
One: 43%
Two: 35%
Three: 13%
Four or More: 8%

What was the root cause(s) of the recent data or security incident? Select all that apply.
External Threat Actor (Hacker): 30%
Malicious Insider (Employee or Contractor): 30%
3rd Party Vendor was Attacked: 24%
Remote Worker: 21%
Software Flaw: 17%
Phishing Scheme: 16%
Scam or Fraud: 15%
Insecure Cloud Environment: 11%
Business Email Compromise (BEC): 9%
Ransomware Attack: 9%
Lost Control of Social Media Account: 7%
Unknown: 10%
Other: 9%

What was the approximate total financial impact of the security or data breach, including lost revenue, lost customers, legal costs, fines and penalties, insurance, marketing costs, improved security, etc.?
Less than $250,000: 47%
$250,000–$500,000: 26%
$500,001–$1M: 10%
More than $1M: 3%
Other: 15%

How did you address the financial impacts of the data or security incident? Select all that apply.
Cyber Insurance Proceeds: 33%
Cash Reserves: 29%
Existing Lines of Credit: 27%
Loans or New Lines of Credit: 23%
Expense Reductions: 23%
Headcount Reductions: 13%
Additional Investor Funding (e.g. VC or PE): 9%
Other: 17%

Did you send a breach notice to alert consumers of the incident?
Yes: 83%
No: 17%

Why didn’t you send a breach notice after the incident?
Law enforcement advised to wait until an investigation was completed: 50%
No consumers or employee personal information was compromised: 38%
There was no risk of identity theft or fraud from the loss of the data: 21%
Legal counsel advised no notice was required: 12%
Other: 3%

Did you offer any of the following remediation services to customers or consumers impacted by the breach?
Paid remediation services from a for-profit identity management provider, a cybersecurity company, or consumer reporting agency: 47%
Credit monitoring from a credit reporting agency: 44%
Access to free services from a non-profit: 27%
None of the Above: 13%
Other: 1%

Did you experience any of the following issues following your cyber incident? Select all that apply.
Loss of Revenue: 42%
Difficulty Understanding What Occurred and How: 35%
Regrettable Employee Turnover: 32%
Loss of Customer Trust: 32%
Difficulty Responding to Customer Concerns: 28%
Difficulty Finding Affordable Security Solutions: 25%
Difficulty Obtaining or Renewing Cyber Insurance: 10%
None of the Above: 5%
Other: 1%

Are you prepared to protect against a cyberattack or recover from a data breach?
Yes: 85%
No: 15%

What steps have you taken to prevent future security or data breaches? Select all that apply.
New Security Tools: 53%
New Training for IT Staff: 35%
New Training for Non-IT Staff: 30%
Additional Security Staff: 27%
Additional Security Budget: 27%
Increased Vendor Due Diligence: 14%
Other: 5%

Do you currently utilize any of the following solutions to help protect business and cons
