A Q2 2019 survey of 1035 Small and Medium Enterprises rated the current Cyber Threat index as “High”.
We’ve found this survey interesting and relevant as its offers really simple way of expressing how SMEs view the current threat of a cyber-attack, and the companies in the surveys are broadly similar to our customers. This is a quarterly survey run by one of our Partners, AppRiver in the USA. The AppRiver Cyberthreat Index for Business was developed by independent firms Idea Loft and Equation Research, in consultation with the University of West Florida Center for Cybersecurity, using survey data collected online in April 2019.
An interesting take way from this survey is that larger SMEs (with 150 – 250 staff) are more wary and aware of cyber threats than their smaller counterparts. This despite the fact that larger SMEs spend more and have a higher level of cyber preparedness than smaller SMEs. This consistent pattern suggests smaller SMEs could be underestimating their real cyberthreat risks. Reports of real threat incidents indicate cybercriminals do not discriminate; they are just as prolific in targeting smaller businesses – garnering smaller gains but with higher frequency of success – as they do large enterprises.
CYBER THREATS ARE TOP OF MIND
Potential cyber threats are top-of-mind for SMEs:
- 77% of all SME executives and IT decision makers surveyed in the second quarter report potential cyberthreats are a top-of-mind concern.
- That figure jumps to 91% among larger SMEs that employ 150-250 employees.
Actual attacks are believed to be prevalent:
- The concern for potential threats are not surprising, considering 75% of SME respondents say actual attacks are prevalent on a business such as their own.
- 40% of SMEs believe their business is vulnerable to “imminent” cyberattacks.
Most SMEs do not believe they can escape a successful attack unharmed:
- 75% of all SMEs believe a successful attack would be harmful to their business; this rises to 88% for larger SMEs (150-250 employees).
- Only 36% of all SMEs estimate they can survive a successful attack without sustaining short- and long-term business losses.
- Interestingly, larger SMEs – which presumably have more or better cybersecurity resources – are most likely to believe business losses are unavoidable after a hacker’s attack.
Majority of SMEs believe cybercriminals have the upper hand:
- 58% of C-level executives and IT decision makers at SMEs estimate hackers’ attack strategies and technology are more sophisticated than their own threat prevention resources.
- Larger SMEs appear again more cautious and feel less optimistic than smaller SMEs. In Q2, 66% feel they are outmatched by cyberhackers. Even given their presumably more abundant resources and better technology than smaller SMEs, only 1 in 5 (21%) of all larger SMEs surveyed believe their technology is more advanced than hackers they are up against.
- Overall, 47% of all SMEs give their own business a positive rating for cyber preparedness, a slight increase from Q1 (again this is likely correlated with the absence of a high-profile breach in the beginning of 2019). Larger SMEs again rate themselves lower (45% positive) than smaller SMEs (48% positive) in cyber preparedness in Q2, as they did in Q1.
OVER HALF OF ALL SMEs ARE WILLING TO PAY RANSOM TO CYBERCRIMINALS
- 55% of all SMEs admit they are willing to pay a ransom to hackers in order to recover breached data or to prevent it from being shared.
- 74% of large SMEs say they would be willing to pay ransom; 39% go as far as saying they “definitely would pay ransom at almost any price” to prevent their stolen data from being lost or leaked.
- 45% of all SMEs say they are not willing to give in to cybercriminals, regardless of the ransom amount or value of the hacked data.
A related study by Datto (another partner of ours) found the initial ransom demand is typically not what breaks the bank. Instead, the aftermath and cost of downtime are the crippling factors. The ransom demanded from SMEs averages at $4,300 while the average cost of downtime related to a ransomware attack is ten times that at around $46,800.
SOCIAL MEDIA CONSIDERED A CYBERSECURITY RISK
The use of social media apps and websites at the workplace or on a business device concerns SME leaders and IT decision makers as a cybersecurity risk, according to 84% of all respondents surveyed. That figures increases to 89% among the larger SME community.
Among those concerned, 77% say they are most worried about employees’ use of Facebook as a security risk, followed by 21% who say the same about Twitter (each respondent was given the option to name none, one, or two social media platform that concerns them most as a cybersecurity risk).
SMEs VALUE MSPs MOST FOR THREAT PREVENTION SUPPORT
Among SMEs surveyed that use an outside managed service provider (MSP) or technology consultant:
- 43% say they are most in need of support for threat prevention.
- 25% say the same about network monitoring and visibility, while
- 16% wanted support related to collecting and analysing data, and
- Another 16% value support for access and device management.
Threat prevention was chosen as the service they need most from their MSPs in all key SME industry verticals surveyed, with the exception of the legal sector, where SMEs say they most value MSP’s support in network monitoring and visibility, ahead of threat prevention.
Among the 1,035 total SME executives and IT decision makers surveyed in Q2, 22% (228 respondents) say they do not use an external managed service provider.