Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:37 PM
Connect Directly

SMBs Unsure And At Risk, Survey Finds

New study highlights uncertainty among small to midsize businesses on cyberattacks, threats

Nearly 60 percent of small to midsize businesses (SMBs) say upper management doesn't consider cyberattacks a big risk to their organizations.

Meanwhile, 33 percent aren't sure whether their businesses have been hit by an attack in the past 12 months, while 42 percent say they have experienced an attack, according to a new Ponemon Institute survey of 2,000 SMBs in the U.S., U.K., Germany, and Asia-Pacific.

Respondents in the more senior-level jobs are the most unsure about the real threats to their businesses, according to the Sophos-sponsored survey, and CISOs and other senior managers are not typically involved in security priority decision-making. Around 30 percent say their CIOs are in charge of setting security priorities, and 31 percent say no one person is in charge doing so.

The good news in the survey was that at least some SMBs recognized they aren't as prepared as they should be for today's threats, says John Shier, senior engineer at Sophos. Even so, many more are not: "But it's disheartening that we are in this situation of their not knowing their security posture," he says.

Nearly 30 percent don't know how much damage or theft to their IT assets would cost their organization, and nearly one-fifth don't know what an IT disruption would cost them. Budgets are tight, with more than 40 percent saying their budgets aren't sufficient for locking down their networks, and just 25 percent say they have sufficient security expertise in-house.

The study also measured the uncertainty index by industry: Retailers and education & research were the industries showing the most uncertainty about their security postures. Financial services and technology & software fared as the most sure about their situations. Shier says SMB financial services firms may be more knowledgeable about their security postures due to their regulatory requirements.

"But the fact remains in breaches that occur that [SMBs] are equally as vulnerable when it comes to breaches and security threats," he says.

Larry Ponemon, president of the Ponemon Institute, says SMBs need to get a grasp on the risks. "CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security. The industry needs to recognize the potential dangers of not taking cybersecurity seriously and create support systems to improve SMB security postures," he says.

The full report, "The Risk of an Uncertain Security Strategy: Study of Global IT Practitioners in SMB Organizations," is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.