Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

7/26/2019
11:50 AM
Dark Reading
Dark Reading
Products and Releases
100%
0%

2019 SMB Cyberthreat Study: Most SMBs Severely Underestimate Their Cybersecurity Vulnerabilities

SMBs are the primary target for cyberattacks, yet most are unprepared.

CHICAGO, July 25, 2019 /PRNewswire/ -- U.S. businesses are ripe for the picking when it comes to cybercriminals and cybersecurity risks, but a new survey shows that cybersecurity efforts are not at the top of the list when it comes to where leaders are putting their focus and efforts.

The 2019 SMB Cyberthreat Study, which surveyed more than 500 senior level decision makers at companies with 500 employees or less (SMBs), was commissioned by leading cybersecurity provider Keeper Security to identify the gaps between awareness and action in business cybersecurity needs. Among the findings, two out of three business leaders surveyed (66%) don't believe they'll fall victim to a cyberattack. But a previous study conducted by the Ponemon Institute for Keeper found that 67% of business had been attacked within the prior 12 months. 

"Businesses face a vulnerability crisis when it comes to cybercriminals, and this reality won't get better until cybersecurity gets higher billing on their to-do list," said Darren Guccione, CEO and co-founder of Keeper. "Our Cyberthreat Study findings show that many companies don't know where to start with cybersecurity prevention and even more don't think they will fall victim to an attack, but it's time they dramatically change their perspectives and put a plan in place. We are working very hard to educate SMBs about how they can protect themselves quickly and on a cost-effective basis."

Misconception of Threat Vulnerability 
Of the senior decision makers surveyed, 66% think a cyberattack is not very or at all likely to happen to them, but previous Ponemon Institute research reported that nearly seven in ten (67%) businesses were attacked in the last year, pointing to a major perception gap. Keeper's 2019 Cyberthreat SMB Study found that only about one in ten (12%) understand the reality that an attack is very likely, no matter how big or small the company.

The 2019 Cyberthreat SMB Study also reveals differences in perception between newer and more mature businesses, with companies in business less than five years believing they're at a much higher risk than those operating for 10 or more years. Of companies in business less than five years, 28% believed it was "very likely" that they will be the target of a cyberattack, while only 6% operating for 10 or more years thought the same. In fact, 70% of businesses operating for 10 or more years believe a cyberattack is not very likely or not likely at all. 

Lack of organizational awareness into cybersecurity's importance 
Of the leadership polled, only 9% thought cybersecurity was the most important aspect of their business when compared with recruitment, marketing, sales, quality of internal tools, and contributing to social good. In fact, nearly one in five respondents (18%) ranked cybersecurity as the least important aspect of all six. 

Furthermore, respondents ranked a recession, damage to public reputation and a disruption to the business model as the most prominent threats to their business. Cybersecurity was ranked last by over one in five surveyed (21%), despite the fact that such an attack would likely cause both a disruption in business model and damage to public reputation. 

Disconnect between password security and cyberattack prevention strategy
Most companies understand the critical role of passwords when it comes to security. The majority of respondents (69%) expressed positive sentiment about passwords, saying passwords make them feel "confident" or "secure." Furthermore, 75% of companies have policies in place that encourage or require employees to update their passwords regularly.

However, 60% of respondents reported not having any prevention plan in place against a cyberattack. Since 81% of breaches are caused by weak or stolen passwords, the difference in reported password policies and lack of prevention plans points to a disconnect in understanding that password security is itself a strategic prevention plan.

Furthermore, a quarter of business leaders surveyed (25%) admitted they don't even know where to start when it comes to cybersecurity. Cybersecurity starts with password security. 

About the 2019 SMB Cyberthreat Study
All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 509 senior decision makers at companies with 500 employees or less. Fieldwork was undertaken between June 28 and July 5, 2019. The survey was carried out online. The figures have been weighted and are representative of all SDM at companies with 500 employees or less. 

About Keeper Security, Inc.
Keeper Security, Inc. ("Keeper") is transforming the way organizations and individuals protect their passwords and sensitive digital assets to significantly reduce cybertheft and data breaches. Keeper is the leading provider of zero-knowledge security and encryption software covering password management, dark web monitoring, digital file storage and messaging. Named PC Magazine's Best Password Manager of 2018 and awarded the Publisher's Choice Cybersecurity Password Management InfoSec Award for 2019, Keeper is trusted by millions of people and thousands of businesses to protect their digital assets and help mitigate the risk of a data breach. Keeper is SOC-2 and ISO 27001 Certified and is also listed for use by the Federal government through the System for Award Management (SAM). Keeper protects businesses of all sizes across every major industry sector. Learn more at https://keepersecurity.com.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29450
PUBLISHED: 2021-04-15
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It...
CVE-2021-21405
PUBLISHED: 2021-04-15
Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 un...
CVE-2021-29430
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it mak...
CVE-2021-29431
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform a...
CVE-2021-29432
PUBLISHED: 2021-04-15
Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.