U.S. businesses are ripe for the picking when it comes to cybercriminals and cybersecurity risks, but a new survey shows that cybersecurity efforts are not at the top of the list when it comes to where leaders are putting their focus and efforts.
The 2019 SMB Cyberthreat Study, which surveyed more than 500 senior-level decision-makers at companies with 500 employees or less (SMBs), was commissioned by leading cybersecurity provider Keeper Security to identify the gaps between awareness and action in business cybersecurity needs. Among the findings, two out of three business leaders surveyed (66%) don't believe they'll fall victim to a cyberattack. But a previous study conducted by the Ponemon Institute for Keeper found that 67% of business had been attacked within the prior 12 months.
"Businesses face a vulnerability crisis when it comes to cybercriminals, and this reality won't get better until cybersecurity gets higher billing on their to-do list," said Darren Guccione, CEO and co-founder of Keeper. "Our Cyberthreat Study findings show that many companies don't know where to start with cybersecurity prevention and even more don't think they will fall victim to an attack, but it's time they dramatically change their perspectives and put a plan in place. We are working very hard to educate SMBs about how they can protect themselves quickly and on a cost-effective basis."
Misconception of Threat Vulnerability
Of the senior decision-makers surveyed, 66% think a cyberattack is not very or at all likely to happen to them, but previous Ponemon Institute research reported that nearly seven in ten (67%) businesses were attacked in the last year, pointing to a major perception gap. Keeper's 2019 Cyberthreat SMB Study found that only about one in ten (12%) understand the reality that an attack is very likely, no matter how big or small the company.
The 2019 Cyberthreat SMB Study also reveals differences in perception between newer and more mature businesses, with companies in business less than five years believing they're at a much higher risk than those operating for 10 or more years. Of companies in business less than five years, 28% believed it was "very likely" that they will be the target of a cyberattack, while only 6% operating for 10 or more years thought the same. In fact, 70% of businesses operating for 10 or more years believe a cyberattack is not very likely or not likely at all.
Lack of organizational awareness into cybersecurity's importance
Of the leadership polled, only 9% thought cybersecurity was the most important aspect of their business when compared with recruitment, marketing, sales, quality of internal tools, and contributing to social good. In fact, nearly one in five respondents (18%) ranked cybersecurity as the least important aspect of all six.
Furthermore, respondents ranked a recession, damage to public reputation and a disruption to the business model as the most prominent threats to their business. Cybersecurity was ranked last by over one in five surveyed (21%), despite the fact that such an attack would likely cause both a disruption in business model and damage to public reputation.
Disconnect between password security and cyberattack prevention strategy
Most companies understand the critical role of passwords when it comes to security. The majority of respondents (69%) expressed positive sentiment about passwords, saying passwords make them feel "confident" or "secure." Furthermore, 75% of companies have policies in place that encourage or require employees to update their passwords regularly.
However, 60% of respondents reported not having any prevention plan in place against a cyberattack. Since 81% of breaches are caused by weak or stolen passwords, the difference in reported password policies and lack of prevention plans points to a disconnect in understanding that password security is itself a strategic prevention plan.
Furthermore, a quarter of business leaders surveyed (25%) admitted they don't even know where to start when it comes to cybersecurity. Cybersecurity starts with password security.
About the 2019 SMB Cyberthreat Study
All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 509 senior decision-makers at companies with 500 employees or less. Fieldwork was undertaken between June 28 and July 5, 2019. The survey was carried out online. The figures have been weighted and are representative of all SDM at companies with 500 employees or less.