No business is too small to evade a cyber attack or data breach. Unfortunately, smaller organizations may not have the budget and in-house expertise to harden their systems and networks against potential threats. In fact, only 14 percent of the companies represented in this study rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. Moreover, the introduction of cloud applications and infrastructure and more mobile devices is creating more security risks that will stretch these companies’ resources.
Ponemon Institute is pleased to present the results of the 2016 State of Cybersecurity in Small and Medium-Sized Business sponsored by Keeper Security. We surveyed 598 individuals in companies with a headcount from less than 100 to 1,000.
Some 55 percent of these respondents say their companies have experienced a cyber attack in the past 12 months, and 50 percent report they had data breaches involving customer and employee information in the past 12 months. In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets. In addition, disruption to normal operations cost an average of $955,429.
The following 10 findings reveal the state of cybersecurity in smaller businesses.
- The most prevalent attacks against smaller businesses are Web-based and phishing/social engineering.
- Negligent employees or contractors and third parties caused most data breaches. However, almost one-third of companies in this research could not determine the root cause.
- Companies are most concerned about the loss or theft of their customers’ information and their intellectual property.
- Strong passwords and biometrics are believed an essential part of the security defense. However, 59 percent of respondents say they do not have visibility into employees’ password practices such as the use of unique or strong passwords and sharing passwords with others.
- Password policies are not strictly enforced. If a company has a password policy, 65 percent of respondents say they do not strictly enforce it. Moreover, the policy does not require employees to use a password or biometric to secure access to mobile devices.
- Current technologies cannot detect and block many cyber attacks. Most exploits have evaded intrusion detection systems and anti-virus solutions.
- Personnel, budget and technologies are insufficient to have a strong security posture. As a result, some companies engage managed security service providers to support an average of 34 percent of their IT security operations.
- Determination of IT security priorities is not centralized. The two functions most responsible are chief executive and chief information office. However, 35 percent of respondents say no one function in their company determines IT security priorities.
- Web and intranet servers are considered the most vulnerable endpoints or entry points to networks and enterprise systems. The challenge of not having adequate resources may prevent many companies from investing in the technologies to mitigate these risks. Web application firewalls, SIEM, endpoint management, network traffic intelligence are not considered very important in current security strategy. At a minimum anti-malware and client firewalls are considered the most important security technologies.
- Cloud usage and mobile devices that access business-critical applications and IT infrastructure will increase and threaten the security posture of companies in this study. However, only 18 percent of respondents say their company uses cloud-based IT security services and most password policies do not require employees to use a password or biometric to secure access to their mobile devices.