Cyber Security Index: Q3 2019

Q3 19 Cyber Security Survey of SMBs

The AppRiver Cyberthreat Index for Business rose from 58.1 in Q2 to 60.5 in Q3.

This is the first time the Cyberthreat Index crossed the 60-point mark since its inception.

Q3 19 Cyber Security Survey

This is a quarterly survey run by one of our Partners, AppRiver in the USA. This USA national sample of respondents comprises 1,083 C-level executives and IT professionals in small-to-medium-sized businesses and organizations (SMBs) using survey data collected online in August 2019.

You can read the Q2 2019 Survey here.


Potential cyber threats are top-of-mind for SMBs

79% of all SMB executives and IT decision makers surveyed in the third quarter report potential cyberthreats are a top-of-mind concern, which represents a 2-point jump from the second quarter. That figure increases to 88% among larger SMBs with 150-250 employees.

Actual attacks are believed to be prevalent

More SMBs report prevalence of actual attacks in their sector, growing four points since Q2; now 64% of SMBs surveyed say actual attacks are prevalent on a business such as their own. After a recent string of attacks, 82% of all SMB respondents in the Government sector say actual attacks are prevalent in their vertical. 73% of respondents in Technology report the same in Q3.

Segment of small-to-medium-sized businesses that fear they are vulnerable to “imminent” cyberattacks jumped seven percentage points in Q3

  • In Q3, 47% believe their business is vulnerable to “imminent” cyberattacks, up from 40% who believed the same in Q2. The hike was driven by increases in the 1-49 and 50-149 employee-size segments. However, it is worth noting that while the lowest-size segment of SMBs is catching up with the reality of their vulnerability and cyber risks, there is still a considerable gap (17 points) between their perception of imminent attacks and that of larger-sized SMBs’.
  • Education, Finance and Insurance, Government, and the Technology sectors experience the highest level of perceived vulnerability of “imminent” attacks.

Larger SMBs lead concerns over damages

  • Overall, 73% of all SMBs believe a successful cyber attack would be harmful to their business, with 19% believing there is a high likelihood their business will not survive a successful attack. Among SMBs with 150-250 employees, those figures jump to 81% and 21% respectively.
  • Industries most concerned about not surviving a successful cyber attack include the Education, Media and Technology sectors.


Over 7 in 10 SMBs experienced phishing

  • 72% of all SMB respondents report to have experienced at least one phishing attempt at their office within the past quarter. This is an increase from 69% who reported the same in Q2.
  • 49% of all respondents in Q3 report they were personally the phishing victim. •
  • Construction and Real Estate (78%), Government (82%), Media and Marketing (79%), Technology (77%) are among industries reporting the highest rates of experience with phishing in their offices within the past three months.

Smaller SMBs could be underestimating phishing attempts

  • SMBs with 1-49 reported a lower rate of phishing experience (66%) than respondents in mid-tier SMBs (79%) with 50-149 employees, and top-tier SMBs (79%) with 150-250 employees. As small businesses are routinely targeted by spoofed emails daily, it is possible that some respondents are unaware of phishing attempts that came through their offices.

Over half do not trust employees could detect social engineering

  • 54% of all SMB executives and IT decision makers are worried their employees would fall victim to social engineering, a rise from 48% who reported the same in Q2.
  • Only 8% say they are “not worried at all” about their employees being fooled by cybercriminals’ social engineering attempts. Among SMBs with 150-250 employees, figure for this measure drops to 3%.


Despite recording a higher AppRiver Cyberthreat Index score for the third quarter in 2019, most small-to-medium-sized businesses that participated in this survey believe they are in better shape now than in 2018 when it comes to their cyber preparedness. However, for at least some of these businesses, this could prove to be a case of wishful thinking, as a sizeable number of respondents also admit they did not make improvement in their cyber preparedness in the past year, negating sound rationale for feeling “in better shape.”

Nearly 6 in 10 made preparedness upgrades, and feel more prepared

  • 58% of all SMBs surveyed report to have made improvements in their business’s cyber preparedness in the past year, and as a result, believe they are in better shape in fighting off potential cyberattacks. Technology SMBs lead the charge in this category, with 68% reporting they have made improvements in the past year and feel more confident in their cyber preparedness.
  • The Hospitality sector is least likely to say they feel to be in better shape, with 47% reporting they have made cybersecurity improvements since 2018 and as a result feel more confident to face potential attacks. This sentiment could be partially driven by a new awareness of cyberthreat risks in this sector, after the revelation of a breach of unprecedented scale affecting Marriott’s customers last year.

1 in 10 also made preparedness upgrades, but still feel behind

  • It is interesting that 10% of all SMBs surveyed report to have made cyber preparedness upgrades since 2018, however, they believe they still trail cybercriminals who they estimate have done even more to perfect their hacking strategies during the same period.
  • The Government sector is most likely to be in this pessimistic segment, with 18% saying they have made improvements while also feeling “in worse shape” in their preparedness compared to in 2018. This could be a reaction to recent strings of attacks targeting government agencies and local municipalities across the country, which had left many in the sector feeling exposed.
  • Another sector more likely to feel pessimistic is again the Hospitality sector, with 16% saying they have made improvements since 2018, but still feel to be in worse shape. Hospitality, along with Government, should be receptive prospects for new cybersecurity products and system upgrades. Only 37% of SMB respondents in Hospitality and 36% in Government say they believe they currently invest enough in their cybersecurity.

Nearly 3 in 10 feel to be in better shape, despite lack of preparedness improvement

  • 29% report to feel in better shape than they did in 2018 in terms of their business’s cyber preparedness, despite not having made improvements to their cybersecurity. Their rationale rests on the assumption that cybercriminals “have done even less” during the same period. This is a segment of the SMB market that could be overly confident, and could be caught off guard as a result of underestimating the real threats they face.
  • SMB respondents in the Legal, Retail, and Transportation and Logistics verticals are most likely to fall in this segment.

Misconception about small business as a threat target

  • One possible explanation for some SMBs’ (nearly 3 in 10) optimism in being “in better shape” despite lack of preparedness upgrades may be linked to their misconception that small businesses are unlikely targets of cyber crimes. 41% of all SMBs currently believe their smaller size means criminals will not target them. This is a perception discrepancy in the face of real attack reports that show small businesses of all sizes are routinely targeted daily by cybercriminals.


Fewer than 4 in 10 apply security patches immediately

  • When asked how long it takes them to apply patches to security vulnerabilities after they are made available, 38% of all SMB respondents report they apply patches immediately.
  • This is an indication that there is a disconnect among SMB executives – while 79% report potential cyberthreat is a top-of-mind concern for their business, fewer than half as many are leveraging turnkey and accessible everyday solutions to minimize their risks.
  • Among the fourteen key verticals surveyed, none reports more than half of all IT decision makers who apply patches immediately, not even in the Technology sector.
  • Another 32% say they typically apply patches within seven days. This leaves 30% of all SMBs surveyed that take over a week to apply patches.
  • This is one of the few areas where higher degree of vigilance is not reported among larger-sized SMBs compared to their smaller peers. 67% of SMBs with 150-250 employees say they apply patches within seven days, which leaves 1 in 3 businesses still vulnerable a week after a security patch is made available.

Install of security patches by SMBs

Is your business prepared for a cyber attack?  Give us a call for a FREE Cyber Security and IT Health Check

About Us

We provide supportive leadership enabling our business community to succeed and prosper through effective use of IT and Technology. PAAC IT is an IT Company in Surrey offering small businesses the personal attention and care that their IT systems deserve. If your company has between 1 and 100 employees and need a IT Company in Surrey we would love to hear from you!

Find out more