If you think your company is too small to be hacked, think again. According to a new report on SMB cybersecurity by the Ponemon Institute and Keeper Security, 66% of small and medium-sized businesses (SMBs) around the world experienced a cyberattack in the past year. In the U.S., the situation is particularly dire, with 76% of SMBs having been attacked in the last 12 months – up from only 55% in 2016.

Further, respondents agreed that over the past 12 months, their businesses had noticed attacks becoming more frequent, sophisticated, and severe in terms of consequences, such as cleanup costs.

Insider mistakes & social engineering are the biggest threats to SMB cybersecurity

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses was compiled from interviews with leaders at companies worldwide with headcounts ranging from under 100 to 1,000. It paints a picture of an environment where SMBs are struggling to cope with cyberthreats that are becoming increasingly more dangerous as hackers adjust their attack methods to get around technical security defenses, such as firewalls and anti-virus software. Sixty-nine percent of respondents said they’d experienced an attack that got past their intrusion detection systems, and 82% got hit by attacks that evaded anti-virus programs.

How are hackers getting past technical security defenses? By “hacking” humans and stealing their login credentials. Negligence on the part of an employee or third-party vendor caused 63% of global SMB data breaches in the past year, and 70% in the U.S. Third-party mistakes caused 60% of breaches in the U.S. and 55% globally. In the U.S., SMBs are twice as likely to be victimized by a negligent or malicious insider than an external hacker.

Phishing was, by far, the most common type of cyberattack launched against SMBs in the past year; 57% of respondents whose firms were attacked were phished. Other common attack methods included web-based attacks (47%), general malware (36%), compromised or stolen devices (33%), and credential theft (30%).

Proactive cybersecurity measures could prevent most data breaches

SMBs are fully aware of their “human hacking” problem, but they’re not taking the proactive steps they need to keep their employees from getting hacked. Seventy percent of respondents said that employee passwords being stolen or compromised was a major pain point, and 61% complained about employees using weak passwords. But over half (54%) have no visibility into employee password practices, and 45% admitted that their security postures were ineffective at mitigating risks, vulnerabilities, and attacks. A separate study by GetApp, which found that only 27% of companies provide their employees with social engineering training, bolsters these findings.

Hackers like social engineering because it works. Armed with a set of legitimate login credentials, cybercriminals can access enterprise networks undetected, steal data, install ransomware and other malware, and alter or destroy files. Many SMBs have not yet invested in robust, proactive cybersecurity because they think they’re “too small” to be hacked. As the Ponemon report demonstrates, this is clearly not the case, especially in the U.S. It’s not a matter of if a hacker will try to con an employee or vendor into giving up their login credentials, only when.

The cybersecurity experts at Lazarus Alliance have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cybersecurity®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help your organization adhere to cybersecurity regulations, maintain compliance, and secure your systems.