Ponemon Institute is pleased to present the results of the 2019 State of Cybersecurity in Global Small and Medium Size Businesses sponsored by Keeper Security. This is the third annual study that focuses exclusively on organizations with a headcount of less than 100 to 1,000.
We surveyed 2,176 individuals in companies in the United States, the United Kingdom and, for the first time, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg) and Scandinavia (Denmark, Norway and Sweden).
In addition to tracking trends in cyberattacks and data breaches, this year’s study reveals how SMBs are unprepared to deal with risks created by third parties and Internet of Things (IoT).
“Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs,” said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. “The 2019 Global State of Cybersecurity in SMBs report demonstrates cyberattacks are a global phenomenon, and so is the lack of awareness and preparedness by businesses globally. Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”
A key takeaway from this research is that over the past three years there has been a significant increase in SMBs experiencing a data breach. In addition, 66 percent of respondents say their organization experienced a cyberattack in the past 12 months.
In the aftermath of these incidents, these companies spent an average of $1.2 million, an increase from $1.03 million in 2017, because of damage or theft of IT assets and infrastructure. In addition, disruption to normal operations cost an average of $1.9 million, an increase from $1.21 million in 2017.
Phishing and web-based attacks are the top two cyberattacks. Seventy-two percent of respondents say that they have experienced at least one cyberattack. Phishing/social engineering is the number one attack SMBs experience (53 percent of respondents). Other frequent attacks are web-based attacks and general malware (50 percent and 39 percent of respondents, respectively).
The financial consequences of security compromises and business disruptions to SMBs are severe. The average cost of recovering from business disruption has increased significantly since 2017. The average cost of dealing with damage or theft of IT assets and infrastructure declined from $1.43 million in 2018 to $1.24 million in 2019.
The time to respond to a cyberattack has increased or not improved. According to Figure 4, only 26 percent of respondents (16 percent + 10 percent) say their organizations have been able to decrease the time it takes to respond to a cyberattack.
Cyber threats against SMBs are becoming more targeted. Since 2017, SMBs report that cyber threats are more targeted, an increase from 60 percent to 69 percent of respondents in 2019. Most respondents say cyberattacks against their companies are severe and sophisticated (61 percent and 60 percent, respectively) and this has not changed since 2017 as shown in Figure 5.
More SMBs say the laptop is the most vulnerable endpoint or entry point to networks and enterprise systems. Mobile devices and laptops are considered, by far, the most vulnerable endpoint or entry point to respondents’ companies’ networks and enterprise systems. Since 2017, respondents who believe laptops are vulnerable increased from 43 percent of respondents to 56 percent of respondents.
More mobile devices will be used to access business-critical applications and IT infrastructure. On average, companies represented in this research have 120 business-critical applications and an average of 48 percent of these business-critical applications are accessed from mobile devices such as smartphones and tablets. This is an increase from 45 percent in last year’s research. Nearly half (49 percent) of respondents say these devices diminish their companies’ security posture.
SMBs continue to struggle with insufficient personnel and money. Only 30 percent of respondents rate their organization’s IT security posture in terms of its effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise as very high.
The biggest problem is not having the personnel to mitigate cyber risks, vulnerabilities and attacks (77 percent of respondents). The next biggest challenges are insufficient budget (55 percent of respondents) and no understanding of how to protect against cyberattacks (45 percent of respondents). Since 2017, the challenge of not having sufficient enabling security technologies has decreased from 43 percent of respondents to 36 percent of respondents.
Sixty-five percent of respondents say their budget for achieving a strong security posture is inadequate or are unsure, and 42 percent of respondents say they have an appropriate level of in-house expertise. Only an average of 13 percent of the IT budget is dedicated to IT security activities and an average of 37 percent of the IT personnel support IT security operations.
Leadership in determining IT security priorities is lacking. As shown in Figure 10, 34 percent of respondents say no one person is responsible for determining IT security priorities, an increase from 30 percent of respondents in 2017. According to the findings, responsibility for companies’ IT security strategy is dispersed throughout the company.
To access the full report, visit Keeper Security’s website.