Cyber criminals have tended to have a preference for larger enterprise-scale businesses, but that preference has been narrowing in recent years. A recent investigative report published by Verizon found that about 43% of all cyber attacks target small to medium-size business (SMB) operations, and that margin has been hovering on either side of 50% for some years now.
That makes it all the more surprising that a recent study from Keeper Security found that 66% of senior decision-makers at SMBs do not believe they are likely to be targeted by cyber attacks, and 60% report that they do not have a cyber attack prevention plan.
SMB study – results and findings
The 2019 SMB Cyberthreat Study surveyed 500 senior decision-makers at SMBs in mid-2019. To qualify for the survey, companies had to have no more than 500 employees.
In addition to the concerning number of leaders who appear not to worry about cyber attacks and have no plan in place for them, only 9% ranked cybersecurity as a top business priority and 25% reported having “no idea where to start” in terms of a digital security strategy.
Keeper Security cites numbers drawn from a 2018 Ponemon Institute study showing that 67% of SMBs experienced a cyber attack (the Verizon study from the same period reported that 58% of all cyber attacks were directed at SMBs). If those numbers are accurate, the share of SMBs being attacked almost exactly lines up with the share of company leaders who believe they won’t be targeted.
21% of the respondents ranked cybersecurity dead last in terms of their business concerns, and 60% put it somewhere in the bottom half of their concerns.
Respondents overwhelmingly seem to believe that company revenue correlates with the likelihood of being attacked. 73% of respondents at companies with annual revenue of less than $1 million felt they were not likely to be attacked, while that figure fell to 47% among companies making more than $1 million per year.
There is also a correlation between length of time in business and confidence about not being breached. New companies formed in the last five years showed much more concern about being attacked, while 70% of respondents in companies that had been around for at least 10 years felt that they were unlikely to be a target.
Here’s how Darren Guccione, CEO and co-founder of Keeper Security, summed up this observation:
“We’ve observed this trend throughout the data, and several indicators such as the age of the respondents surveyed or the longevity of the businesses reveal differences in prioritization of cybersecurity. It could be that the businesses operating for longer periods erroneously assume that they won’t be attacked if they haven’t been already, or that cybercriminals have no interest in them. Given the rapid speed at which technology has advanced in recent years, it’s possible that newer businesses and younger leadership are more ingrained with technology and thus better understand the security risks it presents, although there is still plenty of work to be done from an awareness and preparedness standpoint across the board.”
There is also an age correlation – younger decision-makers (32%) are much more likely to believe they are going to be attacked than leaders over the age of 55 (5%) are.
Other factors that made respondents more aware of cyber risks included the industry they worked in (ranging from 47% of financial industry decision-makers down to only 4% of those in the entertainment industry), their level of education (those with postgraduate degrees were much more likely to expect attacks), and holding a position subordinate to the CEO (such as CFO or COO).
Interestingly, of all the decision-makers, CEOs were the most likely to believe that cyber attacks were not likely (43%). This was also the leadership group most likely not to know what their own company’s password security policies were.
Though the results of the survey paint a mostly negative picture of SMB cybersecurity readiness, there was one lone bright spot. At the very least, the importance of strong passwords and ongoing password management to rein in negligent employees seems to be getting through to these companies.
75% of the companies surveyed have a policy in place that regularly prompts employees to change their passwords, and 69% felt confident that these policies were adequate to keep the company’s sensitive digital assets secure. Though it’s just one element of a company’s security strategy, employee passwords do appear to be strong when good password policy is in place.
Cyber attacks and corporate disconnect
There are some reasonable inferences to be drawn from this data. One of the main ones is a reinforcement of something that is already widely known – older CEOs tend to have less experience with modern internet and security technology, and this appears to be a major blind spot for them. It’s fair to bring age into this, as the numbers in this study indicate that younger CEOs and decision-makers who got their training and initial experience in the age of the internet are much more likely to anticipate cyber attacks.
Company size and revenue also seem to lull SMBs into a false sense of security. Given the prevalence of automated cyber attacks, any internet-connected company with a vulnerability is equally at risk, because exposed systems are being probed and scanned constantly regardless of who owns them. The rise of inexpensive automated tools sold over the dark web also makes smaller companies attractive to a wider variety of criminals.
SMBs also do not appear to have a healthy respect for the speed with which cyber attacks develop and mutate. Another false sense of security appears to develop if they manage to simply avoid an attack for enough years. While avoiding an attack for a decade could be a sign of solid cybersecurity, it could also just be a matter of luck.
The biggest takeaway from all of this is that SMBs very often do not take cybersecurity seriously until they’ve been stung at least once. Unfortunately, just one attack could be fatal to a smaller business. Research from 2018 indicates that 60% of SMBs that experience cyber attacks go out of business within six months; also consider that this data was collected in the United States, where massive fines for data breaches such as those levied under the terms of the GDPR do not exist.