Cyber Security Index: Q3 2019

BusinessCyber Security | 28 September, 2019 by Eddie Paterson

The AppRiver Cyberthreat Index for Business rose from 58.1 in Q2 to 60.5 in Q3.

This is the first time the Cyberthreat Index crossed the 60-point mark since its inception.

Q3 19 Cyber Security Survey

This is a quarterly survey run by one of our Partners, AppRiver in the USA. This USA national sample of respondents comprises 1,083 C-level executives and IT professionals in small-to-medium-sized businesses and organizations (SMBs) using survey data collected online in August 2019.

You can read the Q2 2019 Survey here.

GROWTH IN PERCEIVED ATTACK PREVALENCE AND IMMINENCE

Potential cyber threats are top-of-mind for SMBs

79% of all SMB executives and IT decision makers surveyed in the third quarter report potential cyberthreats are a top-of-mind concern, which represents a 2-point jump from the second quarter. That figure increases to 88% among larger SMBs with 150-250 employees.

Actual attacks are believed to be prevalent

More SMBs report prevalence of actual attacks in their sector, growing four points since Q2; now 64% of SMBs surveyed say actual attacks are prevalent on a business such as their own. After a recent string of attacks, 82% of all SMB respondents in the Government sector say actual attacks are prevalent in their vertical. 73% of respondents in Technology report the same in Q3.

Segment of small-to-medium-sized businesses that fear they are vulnerable to “imminent” cyberattacks jumped seven percentage points in Q3

In Q3, 47% believe their business is vulnerable to “imminent” cyberattacks, up from 40% who believed the same in Q2. The hike was driven by increases in the 1-49 and 50-149 employee-size segments. However, it is worth noting that while the lowest-size segment of SMBs is catching up with the reality of their vulnerability and cyber risks, there is still a considerable gap (17 points) between their perception of imminent attacks and that of larger-sized SMBs’.
Education, Finance and Insurance, Government, and the Technology sectors experience the highest level of perceived vulnerability of “imminent” attacks.

Larger SMBs lead concerns over damages

Overall, 73% of all SMBs believe a successful cyber attack would be harmful to their business, with 19% believing there is a high likelihood their business will not survive a successful attack. Among SMBs with 150-250 employees, those figures jump to 81% and 21% respectively.
Industries most concerned about not surviving a successful cyber attack include the Education, Media and Technology sectors.

MOST SMBS EXPERIENCED PHISHING IN THE PAST QUARTER

Over 7 in 10 SMBs experienced phishing

72% of all SMB respondents report to have experienced at least one phishing attempt at their office within the past quarter. This is an increase from 69% who reported the same in Q2.
49% of all respondents in Q3 report they were personally the phishing victim. •
Construction and Real Estate (78%), Government (82%), Media and Marketing (79%), Technology (77%) are among industries reporting the highest rates of experience with phishing in their offices within the past three months.

Smaller SMBs could be underestimating phishing attempts

SMBs with 1-49 reported a lower rate of phishing experience (66%) than respondents in mid-tier SMBs (79%) with 50-149 employees, and top-tier SMBs (79%) with 150-250 employees. As small businesses are routinely targeted by spoofed emails daily, it is possible that some respondents are unaware of phishing attempts that came through their offices.

Over half do not trust employees could detect social engineering

54% of all SMB executives and IT decision makers are worried their employees would fall victim to social engineering, a rise from 48% who reported the same in Q2.
Only 8% say they are “not worried at all” about their employees being fooled by cybercriminals’ social engineering attempts. Among SMBs with 150-250 employees, figure for this measure drops to 3%.

MOST SMBS FEEL IN BETTER SHAPE NOW THAN IN 2018

Despite recording a higher AppRiver Cyberthreat Index score for the third quarter in 2019, most small-to-medium-sized businesses that participated in this survey believe they are in better shape now than in 2018 when it comes to their cyber preparedness. However, for at least some of these businesses, this could prove to be a case of wishful thinking, as a sizeable number of respondents also admit they did not make improvement in their cyber preparedness in the past year, negating sound rationale for feeling “in better shape.”

Nearly 6 in 10 made preparedness upgrades, and feel more prepared

58% of all SMBs surveyed report to have made improvements in their business’s cyber preparedness in the past year, and as a result, believe they are in better shape in fighting off potential cyberattacks. Technology SMBs lead the charge in this category, with 68% reporting they have made improvements in the past year and feel more confident in their cyber preparedness.
The Hospitality sector is least likely to say they feel to be in better shape, with 47% reporting they have made cybersecurity improvements since 2018 and as a result feel more confident to face potential attacks. This sentiment could be partially driven by a new awareness of cyberthreat risks in this sector, after the revelation of a breach of unprecedented scale affecting Marriott’s customers last year.

1 in 10 also made preparedness upgrades, but still feel behind

It is interesting that 10% of all SMBs surveyed report to have made cyber preparedness upgrades since 2018, however, they believe they still trail cybercriminals who they estimate have done even more to perfect their hacking strategies during the same period.
The Government sector is most likely to be in this pessimistic segment, with 18% saying they have made improvements while also feeling “in worse shape” in their preparedness compared to in 2018. This could be a reaction to recent strings of attacks targeting government agencies and local municipalities across the country, which had left many in the sector feeling exposed.
Another sector more likely to feel pessimistic is again the Hospitality sector, with 16% saying they have made improvements since 2018, but still feel to be in worse shape. Hospitality, along with Government, should be receptive prospects for new cybersecurity products and system upgrades. Only 37% of SMB respondents in Hospitality and 36% in Government say they believe they currently invest enough in their cybersecurity.

Nearly 3 in 10 feel to be in better shape, despite lack of preparedness improvement

29% report to feel in better shape than they did in 2018 in terms of their business’s cyber preparedness, despite not having made improvements to their cybersecurity. Their rationale rests on the assumption that cybercriminals “have done even less” during the same period. This is a segment of the SMB market that could be overly confident, and could be caught off guard as a result of underestimating the real threats they face.
SMB respondents in the Legal, Retail, and Transportation and Logistics verticals are most likely to fall in this segment.

Misconception about small business as a threat target

One possible explanation for some SMBs’ (nearly 3 in 10) optimism in being “in better shape” despite lack of preparedness upgrades may be linked to their misconception that small businesses are unlikely targets of cyber crimes. 41% of all SMBs currently believe their smaller size means criminals will not target them. This is a perception discrepancy in the face of real attack reports that show small businesses of all sizes are routinely targeted daily by cybercriminals.

MOST SMBS ARE NOT QUICK TO APPLY PATCHES

Fewer than 4 in 10 apply security patches immediately

When asked how long it takes them to apply patches to security vulnerabilities after they are made available, 38% of all SMB respondents report they apply patches immediately.
This is an indication that there is a disconnect among SMB executives – while 79% report potential cyberthreat is a top-of-mind concern for their business, fewer than half as many are leveraging turnkey and accessible everyday solutions to minimize their risks.
Among the fourteen key verticals surveyed, none reports more than half of all IT decision makers who apply patches immediately, not even in the Technology sector.
Another 32% say they typically apply patches within seven days. This leaves 30% of all SMBs surveyed that take over a week to apply patches.
This is one of the few areas where higher degree of vigilance is not reported among larger-sized SMBs compared to their smaller peers. 67% of SMBs with 150-250 employees say they apply patches within seven days, which leaves 1 in 3 businesses still vulnerable a week after a security patch is made available.

Install of security patches by SMBs

Is your business prepared for a cyber attack? Give us a call for a FREE Cyber Security and IT Health Check

Cookie	Type	Duration	Description
_abck	1	11 months 29 days 23 hours 59 minutes	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
bm_sz	1	3 hours 59 minutes	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
IDE	1	1 years 23 days 23 hours 59 minutes	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	1	5 months 29 days 23 hours 59 minutes	This cookie is used to a profile based on user's interest and display personalized ads to the users.
VISITOR_INFO1_LIVE	1	5 months 26 days 23 hours 59 minutes	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Type	Duration	Description
_ga	1	1 years 11 months 28 days 23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
GPS	1	29 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
vuid	1	1 years 11 months 28 days 23 hours 59 minutes	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.