State of SMB Insecurity by the Numbers
SMBs still perceive themselves at low risk from cyberthreats — in spite of attack statistics that paint a different picture.
October 17, 2019
Even as attacks and breaches at small to midsize businesses (SMBs) continue unabated worldwide, these companies still don't consider themselves at high risk from cyberthreats, reports show.
"Cyberattacks are a global phenomenon — and so is the lack of awareness and preparedness by businesses globally," says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority."
The fact of the matter is that SMBs don't prioritize cybersecurity. It's to their detriment. Here, Dark Reading examines a recent Ponemon report on the state of cybersecurity at SMBs (done in partnership with Keeper Security), along with several others released over the past few months, to get a picture of SMB insecurity by the numbers.
Most SMBs have experienced cyberattacks and data breaches over the past year, according to Ponemon Institute. While the percentage of organizations that experienced an incident dipped by a percentage point worldwide, it's still up over the past two years. In particular, SMBs in the US have seen a dramatic rise in incidents over the past three years. Whereas just 55% in 2016 reported being victims, this year 76% say they've been hit by an attack in the past 12 months.
According to the Ponemon report, the average cost of dealing with security compromises at SMBs stands at $1.24 million. That's a hefty price tag for smaller organizations operating with much less room for financial leeway than the typical enterprise. And yet the perception of cyber-risk at SMBs still remains boundlessly optimistic. Another survey by ControlScan and MAC finds that 89% of SMBs believe they face low to no risk from a data compromise.
This gap between perceived and actual risks is probably what drives minuscule SMB security budgets. A different report from the firm Untangle finds 29% of SMBs spend less than $1,000 annually on IT security, and, all told, 84% of SMBs spend less than $10,000 per year on security tools and services. Further, the Ponemon study shows almost nine in 10 US organizations say they are spending less than 20% of their overall IT budgets on security.
Given the tiny cybersecurity budgets at SMBs, it's not surprising they consider budget to be one of their major challenges in achieving fully effective security postures. Ponemon finds another even bigger challenge also stemming from budgetary constraints: insufficient personnel. This is the No. 1 problem, cited by 77% of SMBs.
Lack of personnel and budget translates to some very big gaps in security coverage at SMBs. According to a report by VansonBourne on behalf of Continuum Managed Services, approximately 56% of organizations do not have any cybersecurity experts within their organizations, and 52% lack an incident response plan in the event of a cybersecurity attack. Just over half of organizations do not have cyber insurance, either.
Attacks that rely on deception are criminals' favorite method when going after SMBs, and they're on the rise. This year more SMBs report cyberattacks against them are becoming more targeted, up nine percentage points over the past two years to 69%, according to Ponemon. Phishing/social engineering is the No. 1 attack experienced by SMBs, reported by 53% of these organizations, closely followed by Web-based attacks and general malware.
When attacks hit their mark, the impacts are far ranging. The most obvious fallout comes in the form of money and time responding to the incident and mitigating the threat, followed by data loss, according to the VansonBourne/Continuum Managed Services report. Other ramifications include loss of customers, damaged reputation, and compliance headaches.