Meanwhile, 33 percent aren't sure whether their businesses have been hit by an attack in the past 12 months, while 42 percent say they have experienced an attack, according to a new Ponemon Institute survey of 2,000 SMBs in the U.S., U.K., Germany, and Asia-Pacific.
Respondents in the more senior-level jobs are the most unsure about the real threats to their businesses, according to the Sophos-sponsored survey, and CISOs and other senior managers are not typically involved in security priority decision-making. Around 30 percent say their CIOs are in charge of setting security priorities, and 31 percent say no one person is in charge doing so.
The good news in the survey was that at least some SMBs recognized they aren't as prepared as they should be for today's threats, says John Shier, senior engineer at Sophos. Even so, many more are not: "But it's disheartening that we are in this situation of their not knowing their security posture," he says.
Nearly 30 percent don't know how much damage or theft to their IT assets would cost their organization, and nearly one-fifth don't know what an IT disruption would cost them. Budgets are tight, with more than 40 percent saying their budgets aren't sufficient for locking down their networks, and just 25 percent say they have sufficient security expertise in-house.
The study also measured the uncertainty index by industry: Retailers and education & research were the industries showing the most uncertainty about their security postures. Financial services and technology & software fared as the most sure about their situations. Shier says SMB financial services firms may be more knowledgeable about their security postures due to their regulatory requirements.
"But the fact remains in breaches that occur that [SMBs] are equally as vulnerable when it comes to breaches and security threats," he says.
Larry Ponemon, president of the Ponemon Institute, says SMBs need to get a grasp on the risks. "CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security. The industry needs to recognize the potential dangers of not taking cybersecurity seriously and create support systems to improve SMB security postures," he says.
The full report, "The Risk of an Uncertain Security Strategy: Study of Global IT Practitioners in SMB Organizations," is available here (PDF) for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.