ITRC 2023 SMB Impact Report; Experts Predict Fraud Tsunamis in 2024 and Beyond
Table of Contents
- By Steven
- Published: Jan 31, 2024
- Last Updated: Feb 02, 2024
The Identity Theft Resource Center (ITRC) is a non-profit organization that minimizes and mitigates the risks of identity threats. Their role as a reputable security solution enables them to collect and analyze data from survey respondents; this report asked questions of small business (SMB) owners and employees to assess the state of identity threats better. Experts have found that while some vectors have changed, SMBs and their consumers remain constantly threatened when interacting through tech environments like the internet and the Cloud, even with vendors and sister systems. Specifically, ITRC’s CEO—Eva Velasquez—suggests 2024 will be a highly active breach year, one that may culminate in a tsunami of identity fraud for businesses and consumers.
How Do the Attacks Occur?
In 2023, the most dangerous attack vectors came from external threat actors (30%), malicious insiders (30%), and third-party vendor attacks (24%); these are the top three methods for SMB cyberattacks, although when combined, they suggest an overall occurrence decreased of around 15% from 2022 to 2023. Other notables include an overall trend of a 3% increase for phishing schemes (16%) and scams or fraud (15%). The shuffling of top attack vectors suggests that SMB leadership must prepare for similar events and anticipate more phishing and fraudulent schemes than ever.
What Information is Targeted or Stolen?
At 42% occurrence, employee data was a significant target for cyberattacks. Following behind employee information was reportedly customer and consumer data (30%), while 18% of attacks exfiltrated intellectual properties. Worst of all, some respondents (16%) reported a loss of all prior categories. Based on these percentages, SMB leadership must consider their employee and consumer cyber security policies; with better protections given to employees and consumers, the protection of other properties will also increase.
How Do Companies Respond to Breaches?
Nearly a third (28%) of ITRC’s respondents reported no successful breaches in 2023; while this statistic is excellent for those SMBs, it reflects those SMB leaders who take cybersecurity threats seriously. In 2022, 70% of the survey respondents reported feeling prepared to defend and recover from a breach; this figure rose to 85% in 2023. This increase in extreme confidence likely comes from SMBs’ securing recovery funding (33%) through cyber insurance. New or updated tools, additional securities, and consistent threat response training will significantly determine the outcomes of SMB breaches.
What Happens to the Stolen Information?
As cyberattacks increase, the threat to employee and consumer data becomes exponentially more potent. Despite this, SMBs don’t always notify the public of a cyberattack; the purported reasons for the 17% of non-notice come at the request of law enforcement (50%) when the breached data does not include personal information (38%) or if the organization has determined the data leak will cause no harm to individuals (21%). These figures suggest that while some SMBs may not notify the public until later (past the point of proactive protections), other SMBs may decide that the data lost is not “harmful” to individuals.
What Can Individuals Do to Fight Data Breaches?
Individuals must consider their securities; password managers are safe and efficient ways to generate complex passwords for any account; monitoring services allow professionals to notify victims the moment suspicious activity happens; Explanations of Benefits can point victims to fraudulent occurrences in their medical records; and adopting a zero-tolerance for interacting with strangers online and over the phone can help limit successful phishing schemes and fraudulent scams.
