A new Ponemon report on SMB cyber security reveals the top challenges and threats facing global small and medium-sized businesses

If you think your company is too small to be hacked, think again. According to a new report on SMB cyber security by the Ponemon Institute and Keeper Security, 66% of small and medium-sized businesses (SMBs) around the world experienced a cyberattack in the past year. In the U.S., the situation is particularly dire, with 76% of SMBs having been attacked in the last 12 months – up from only 55% in 2016.

Further, respondents agreed that over the past 12 months, their businesses had noticed attacks becoming more frequent, sophisticated, and severe in terms of consequences, such as cleanup costs.

Insider mistakes & social engineering are the biggest threats to SMB cyber security

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses was compiled from interviews with leaders at companies worldwide with headcounts ranging from under 100 up to 1,000. It paints a picture of an environment where SMBs are struggling to cope with cyberthreats that are becoming increasingly more dangerous as hackers adjust their attack methods to get around technical security defenses, such as firewalls and anti-virus software. Sixty-nine percent of respondents said they’d experienced an attack that got past their intrusion detection systems, and 82% got hit by attacks that evaded anti-virus programs.

How are hackers getting past technical security defenses? By “hacking” humans and stealing their login credentials. Negligence on the part of an employee or third-party vendor caused 63% of global SMB data breaches in the past year, and 70% in the U.S. Third-party mistakes caused 60% of breaches in the U.S. and 55% globally. In the U.S., SMBs are twice as likely to be victimized by a negligent or malicious insider than an external hacker.

Phishing was, by far, the most common type of cyberattack launched against SMBs in the past year; 57% of respondents whose firms were attacked were phished. Other common attack methods included web-based attacks (47%), general malware (36%), compromised or stolen devices (33%), and credential theft (30%).

Proactive cyber security measures could prevent most data breaches

SMBs are fully aware of their “human hacking” problem, but they’re not taking the proactive steps they need to keep their employees from getting hacked. Seventy percent of respondents said that employee passwords being stolen or compromised was a major pain point, and 61% complained about employees using weak passwords. But over half (54%) have no visibility into employee password practices, and 45% admitted that their security postures were ineffective at mitigating risks, vulnerabilities, and attacks. A separate study by GetApp, which found that only 27% of companies provide their employees with social engineering training, bolsters these findings.

Hackers like social engineering because it works. Armed with a set of legitimate login credentials, cybercriminals can access enterprise networks undetected, steal data, install ransomware and other malware, and alter or destroy files. Many SMBs have not yet invested in robust, proactive cyber security because they think they’re “too small” to be hacked. As the Ponemon report demonstrates, this is clearly not the case, especially in the U.S. It’s not a matter of if a hacker will try to con an employee or vendor into giving up their login credentials, only when.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.