Monthly Archives: December 2019

Cyberattacks on SMBs rising globally, becoming more targeted and sophisticated

Larry Ponemon

Ponemon Institute is pleased to present the results of the 2019 State of Cybersecurity in Global Small and Medium Size Businesses sponsored by Keeper Security. This is the third annual study that focuses exclusively on organizations with a headcount of less than 100 to 1,000.

We surveyed 2,176 individuals in companies in the United States, the United Kingdom and, for the first time, DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxembourg) and Scandinavia (Denmark, Norway and Sweden).

In addition to tracking trends in cyberattacks and data breaches, this year’s study reveals how SMBs are unprepared to deal with risks created by third parties and Internet of Things (IoT).

“Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs,” said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. “The 2019 Global State of Cybersecurity in SMBs report demonstrates cyberattacks are a global phenomenon - and so is the lack of awareness and preparedness by businesses globally. Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”

A key takeaway from this research is that over the past three years there has been a significant increase in SMBs experiencing a data breach. In addition, 66 percent of respondents say their organization experienced a cyberattack in the past 12 months.

In the aftermath of these incidents, these companies spent an average of $1.2 million, an increase from $1.03 million in 2017, because of damage or theft of IT assets and infrastructure. In addition, disruption to normal operations cost an average of $1.9 million, an increase from $1.21 million in 2017.

Key findings:

Phishing and web-based attacks are the top two cyberattacks. Seventy-two percent of respondents say that they have experienced at least one cyberattack.  Phishing/social engineering is the number one attack SMBs experience (53 percent of respondents). Other frequent attacks are web-based attacks and general malware (50 percent and 39 percent of respondents, respectively).

The financial consequences of security compromises and business disruptions to SMBs are severe. The average cost of recovering from business disruption has increased significantly since 2017.  The average cost of dealing with damage or theft of IT assets and infrastructure declined from $1.43 million in 2018 to $1.24 million in 2019.

The time to respond to a cyberattack has increased or not improved. According to Figure 4, only 26 percent of respondents (16 percent + 10 percent) say their organizations have been able to decrease the time it takes to respond to a cyberattack.

Cyber threats against SMBs are becoming more targeted. Since 2017, SMBs report that cyber threats are more targeted, an increase from 60 percent to 69 percent of respondents in 2019. Most respondents say cyberattacks against their companies are severe and sophisticated (61 percent and 60 percent, respectively) and this has not changed since 2017 as shown in Figure 5.

More SMBs say the laptop is the most vulnerable endpoint or entry point to networks and enterprise systems. Mobile devices and laptops are considered, by far, the most vulnerable endpoint or entry point to respondents’ companies’ networks and enterprise systems. Since 2017, respondents who believe laptops are vulnerable increased from 43 percent of respondents to 56 percent of respondents.

More mobile devices will be used to access business-critical applications and IT infrastructure. On average, companies represented in this research have 120 business-critical applications and an average of 48 percent of these business-critical applications are accessed from mobile devices such as smartphones and tablets. This is an increase from 45 percent in last year’s research.  Nearly half (49 percent) of respondents say these devices diminish their companies’ security posture.

SMBs continue to struggle with insufficient personnel and money. Only 30 percent of respondents rate their organization’s IT security posture in terms of its effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise as very high.

The biggest problem is not having the personnel to mitigate cyber risks, vulnerabilities and attacks (77 percent of respondents). The next biggest challenges are insufficient budget (55 percent of respondents) and no understanding of how to protect against cyberattacks (45 percent of respondents). Since 2017, the challenge of not having sufficient enabling security technologies has decreased from 43 percent of respondents to 36 percent of respondents.

Sixty-five percent of respondents say their budget for achieving a strong security posture is inadequate or they are unsure, and 42 percent of respondents say they have an appropriate level of in-house expertise. Only an average of 13 percent of the IT budget is dedicated to IT security activities and an average of 37 percent of the IT personnel support IT security operations.

Leadership in determining IT security priorities is lacking. As shown in Figure 10, 34 percent of respondents say no one person is responsible for determining IT security priorities, an increase from 30 percent of respondents in 2017. According to the findings, responsibility for companies’ IT security strategy is dispersed throughout the company.

To access the full report, visit Keeper Security’s website.

No Place to Hide podcast: When privacy is a matter of life and death

Bob Sullivan

Amy Boyer, I sometimes say, was the first person murdered by the Internet.  Twenty years ago this fall, she was gunned down in cold blood by stalker Liam Youens. He found Amy by hiring a data broker, and told everyone about that on his website.

“It’s actually obscene what you can find out about a person on the Internet,” he wrote.

It still is.

Back then, Amy’s family launched a memorial website, and urged people to think long and hard about what this new technology is doing to our world.

Alia Tavakolian and I have spent the past 7 months talking to every privacy expert we could get into the studio. We even interviewed the private investigator who tracked down the data brokers involved in Amy’s death. And this week, we launched a 6-part series on the state of privacy in America. The series is produced by Spoke Media, my partner in Breach and So, Bob. Intel, the chipmaker, sponsored the series but has no editorial control over it. The name No Place to Hide is a tip of the cap to a great book by that name published by Washington Post reporter Robert O’Harrow in 2006.

Episode One confronts the chilling reality that privacy isn’t a first-world problem, a luxury — for violence victims on the run, privacy can be a matter of life and death.  But if we build a tech world that respects these victims, a world that presumes everyone might have a safety risk from privacy violations, we’ll all be better off.

I’m really proud of the result, and I hope you’ll give it a listen. I know there are a lot of big issues facing our time — the environment, cyberwar, extremism — but I think privacy ranks right among them as a crisis that deserves our focus and attention. What’s more, most people — even those on politically opposite sides of the spectrum — generally seem to agree on privacy.  Still, it’s getting away from us. Technology is running ahead of our laws, ethics and institutions.  Just this week, the Baltimore Sun reported on a proposal to have surveillance aircraft in the skies, taking 24-hour-a-day footage of the city, to fight crime.  It’s not science fiction. In fact, the city already tested the idea back in 2016.  It’s a tactic borrowed from war zones. Maybe, if crime was bad enough on your block, you’d agree to this kind of surveillance.  But we’ve barely begun to discuss how to control the images, who gets to see them and why, and if this is really the world we want to live in.

Privacy is very hard to define. You’ll hear in the podcast that I struggle with this, even after writing about privacy for 25 years. I hope this series helps kick-start the discussion.


(Listen to this podcast at Stitcher, or at iTunes)