The less-than-encouraging news: Only 33 percent of U.S. small businesses consider cyber risk high or very high.

The somewhat encouraging news: 53 percent of U.S. small businesses have either a standalone cyber insurance policy or have cyber coverage through another policy.

The annual Hiscox Cyber Readiness Report, which gauges businesses’ preparedness to combat cyber incidents and breaches, surveyed over 5,000 cybersecurity professionals across the globe, including more than 500 small business professionals in the U.S.

Among the U.S. businesses surveyed, the reported median cost of cyber attacks has decreased from $10,000 in 2022 to $8,300 in 2023. However, the median number of attacks has risen from three in 2022 to four in 2023.

While over half reported that they are insured against cyber attacks, preventive measures, both in systems and in training, lag behind.

Despite a 10 percent increase in median IT budgets and a 24 percent increase in cybersecurity spending over the last 12 months, 59 percent of small businesses don’t use security awareness training.

Two out of five (43 percent) businesses surveyed don’t have network-based firewalls, and 41 percent do not use data backup, recovery and restoration systems. When it comes to cyber expertise, 63 percent of small businesses in the U.S. are intermediates, and only 4 percent are cyber experts.

“In the never-ending arms race of cyber criminals versus cybersecurity, new technology developments and employee training can tip the scales either way,” said Chris Hojnowski, vice president and product head of Technology and Cyber for Hiscox in the U.S.

“Phishing is still the most common point of entry for ransomware attacks, and new developments like AI can undermine our tried and trusted ways of spotting a phishy email,” he said. “Proactivity is the best form of defense when it comes to cyber, and a team is only as strong as the weakest link — or least-trained employee — in the chain.”

Both training and up-to-date system protection are critical to stopping attacks.

In ransomware attacks, the most common points of entry were phishing (53 percent), unpatched servers/VPN (38 percent) and credential theft (29 percent).

Is paying the ransom worth it? The numbers say probably not. Among businesses that paid ransoms, only half (50 percent) recovered all their data, and 27 percent of the time, hackers made additional demands for money. On top of that, 50 percent of businesses that paid a ransom were forced to rebuild systems.