I don't have any in-depth research on this, but certainly from the little bits that my team has looked at in the past, it's not so much the cost that would be the first thing I would address, though that is an issue. For some things, such as making sure you have up-to-date systems, etc., there is a cost involved, but a lot of it is down to education. How do I actually protect my systems? What is actually necessary, and how do I quantify the risk that my company faces? Is the risk I face because I have a food truck and I take credit cards? Is that the same as the risk I might face if I ran a small boutique store and I was taking personal information because I wanted to create a loyalty scheme? Are the risks the same? Is the data going to be looked at in the same way in terms of actors who might be interested in attacking my organization?
I think the bigger challenge is not so much the cost; it's a more fundamental issue. It's around education and it's around getting small businesses to understand where their risks are and what simple steps they can take to actually deal with them.