News
Webroot Global Report: Despite More Training, SMBs Feel Unprepared for Cyberattacks
June 2018 by Webroot
Webroot announced the results of a new global report – “Webroot SMB Cybersecurity Preparedness.” Webroot found that businesses in the U.S., U.K. and Australia are taking cybersecurity seriously – with almost 100 percent of respondents conducting some form of employee cybersecurity training. However, despite these efforts, 79 percent say they aren’t completely ready to manage IT security and protect against threats.
In a study of 600 IT decision makers (ITDMs) at small- to medium-sized businesses (SMBs), Webroot found that the attacks organizations believed themselves to be most susceptible to in 2017 are rapidly shifting in 2018, while the estimated cost of a breach is decreasing.
View the Report: Webroot SMB Cybersecurity Preparedness
Key Global Findings:
• Most Dangerous Threats Evolving: Phishing displaces new forms of malware globally as the No. 1 attack that ITDMs believe their organizations are most susceptible to in 2018.
o Fear of phishing is up from No. 3 last year, with new forms of malware dropping to No. 6, behind DDoS attacks and mobile attacks.
o Post WannaCry, ransomware also rose from the fifth most susceptible attack to third globally – and topped the charts to reach No. 1 in the U.K.
o Five years after Edward Snowden’s story broke, businesses reported to be least susceptible to insider threats in 2018 – only 25 percent globally.
• Top Threats Vary by Country: U.S. ITDMs think their business will be most susceptible to phishing threats (56 percent), while the U.K. fears ransomware attacks (44 percent) and Australia DNS attacks (52 percent).
o SMBs in the U.K. are significantly less concerned about DDoS attacks (17 percent) than the U.S. (52 percent) and Australia (49 percent).
o Australian businesses view insider threats as a bigger concern than in other regions surveyed (32 percent in Australia vs. 25 percent globally).
o U.S. ITDMs are more concerned about new forms of malware infections (37 percent) than the UK (32 percent) or Australia (34 percent).
• Training Isn’t Continuous: Although almost 100 percent of businesses train employees on cybersecurity best practices, that figure drops to half or a third when asked about training “continuously,” which is vital for effectiveness. This leads to the next stat, 79 percent can’t say they are “completely ready to manage IT security and protect against threats.”
o Compared to last year, SMBs feeling “very confident” their business is “completely ready to manage IT security and protect against threats” dropped from 48 percent to 21 percent globally.
o Businesses in the U.S. (54 percent) are more likely to offer continuous training to employees than those in the U.K. (31 percent) or Australia (32 percent).
o U.K. businesses (26 percent) are more likely to only conduct security training after a data breach takes place compared to those in the U.S. (9 percent) or Australia (19 percent).
• The Cost of a Breach Drops: While breaches continue to proliferate, the estimated cost of a breach may be on the decline.
o ITDMs estimate a cyberattack in which their customer records or critical business data were lost would cost an average of:
– $527,256 in the U.S. – a 9 percent decrease from 2017.
– £305,357 in the U.K. – a 59 percent decrease from 2017.
– AU$994,025 in Australia – a 48 percent decrease from 2017.
Charlie Tomeo, Vice President of Worldwide Business Sales, Webroot
“As our study shows, the rise of new attacks is leaving SMBs feeling unprepared. One of the most effective strategies to keep your company safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector. And for many businesses, relying on a managed service provider (MSP) when time and expertise aren’t readily available is a crucial step to strengthen their security efforts.”
Cybersecurity Guidelines for Small to Medium-Sized Businesses:
• Always Be Educating: With threats continuously evolving, so must employee cybersecurity training. Training during onboarding isn’t enough. Employees need ongoing training to address the latest and most dangerous attacks.
• Don’t Forget About Mobile. BYOD is now a reality for many companies. And while everyone wants to be connected, unknown devices brought in by employees also bring in unknown risks to the network. Finding a balance between providing employees corporate access and ensuring information security requires device control policies, device-level security and mobile workforce security training.
• Email from My Boss or My Attacker? Phishing is the top attack vector, with cybercriminals becoming sneakier than ever. Even if the sender looks familiar, be sure to check the senders email address is legitimate and don’t click unknown links in social media, email, or text. Regular phishing attack simulations maximize awareness of different phishing methods and minimize the many consequences.
• Evaluate Your Risk Profile: Every business has different risk factors. If you don’t have the expertise, an MSP can assess your security posture and work with you to develop a plan for ongoing risk mitigation.
• Plan for the Worst: Develop a data breach response plan that includes security experts to call and a communications response plan to notify customers, staff, and the public. Make sure you are regularly backing up your data with hard data and offline versions. Remote computer backup could be vulnerable from ransomware and other threats if not ‘air gapped’. Research by the Better Business Bureau revealed that 50 percent of SMBs would operate at a loss within a month of a total data loss incident.
