The newly released 2017 State of Cybersecurity Among Small Businesses in North America is a 24 page summary of an extensive survey of small businesses (SMB’s) and consumers primarily from the US (71.4%) and Canada (28.5%). SMB’s had revenues less than $5m with the vast majority under $500k.

Awareness & Education

Awareness among SMB’s is very high ranging from 76% to 93% depending on the axis measure. The level of education, as measured by a 10 question quiz, is relatively low with much room for improvement. This corresponds with the finding that lack of expertise/understanding is a leading barrier to cybersecurity initiatives. It is underscored by the finding that an IT or security vendor’s approach was very important, which presumably measures the perception that knowledgeable vendors will bridge the education gap.

Framework Adoption

PCI-DSS was the most widely adopted “framework”, but over a quarter of SMB’s haven’t even heard of this industry regulation. The NIST Cybersecurity Framework came in second place with 17% of SMB’s having adopted the framework primarily to help decision making. Pressure from regulatory authorities and clients are also driving adoption of the NIST Cybersecurity Framework.

Financial Impact & Spending

While the median loss for SMB’s is relatively low at $2k, the average was nearly $80k and peaked around $1m. Spending ranged from $200 annually for SMB’s with 0-5 employees to $65k annually for firms with 250 employees or more.

Return On Cybersecurity Investment

A recurring theme throughout the report is helping SMB’s understand the “Return on Cybersecurity Investment” (ROCI). Page 21 lays out five step process for estimating the ROCI on various investments, which encourages business owners to evaluate investments against the familiar probability times impact formula.


The BBB’s report is a significant step forward in understanding the state of, and needs of, small businesses in the US and Canada. Kudos to the whole team and everyone who participated. I spoke at length with the lead author, Bill Fanelli, this past fall and it was refreshing to find a kindred soul that understands that cybersecurity a business problem, not just an IT problem. Something which this recent report clearly illustrates.

Further Reading