The latest Keeper Security research, conducted with YouGov, reinforces what most in the cyber security industry already know: SMBs are the weakest link in the cyber security defence chain. The findings should worry large enterprises who rely on the SMBs in their supply chain.
According to Darren Guccione, CEO and co-founder of Keeper: “Businesses face a vulnerability crisis when it comes to cybercriminals, and this reality won’t get better until cybersecurity gets higher billing on their to-do list.
“Our Cyberthreat Study findings show that many companies don’t know where to start with cybersecurity prevention and even more don’t think they will fall victim to an attack, but it’s time they dramatically change their perspectives and put a plan in place. We are working very hard to educate SMBs about how they can protect themselves quickly and on a cost-effective basis.”
Cyber security planning ignored and not relevant to us
In a long list of findings, Keeper Security sheds light on the thinking of SMBs when it comes to cyber security. Most, it seems, have no planning, don’t think it will happen to them and have management who are either disinterested or clueless.
- 60% do not have a cyberattack prevention plan.
- 18% rank cyber security as their lowest priority and only 9% rank it as a top priority.
- 67% think a cyberattack against them is unlikely (the same percentage suffered an attack last year).
- The side effects of a cyberattack, such as reputation damage (19%) and business disruption (17%), rank higher than cyber risk.
- 25% admit they don’t even know where to start with cyber security.
- 73% of companies with a turnover of < $1 million and 62% of companies with a turnover of between $1 million and $500 million see a cyberattack as unlikely.
- Only 14% of group/team heads think company leadership is responsible; instead, they believe it is the responsibility of a dedicated team (51%).
Not everything is a complete disaster waiting to happen
Among all the bad results there are a few bright points. Despite claims that they wouldn’t know where to start, when asked about breach prevention responses were:
- 58% enforce a company security policy: Unfortunately, 13% of CEOs, Chairs and Owners were more likely to not know company password policies. This is not a surprise: board-level members and owners often see themselves as above such policies in most companies.
- 52% utilize a security vendor: This is good news for the MSSP market. However, it is only good news if they realise that they cannot simply hand over the problem and walk away.
- 48% have ongoing employee education: Onsite training is costly and many companies struggle to get effective online training set up.
The age of a company is also important. It seems that more established companies believe they are unlikely to be attacked. Companies operating for less than five years believe they are more vulnerable to a cyberattack, with 28% seeing it as “very likely”. That plummets to 6% when it comes to those who have been in business for over 10 years.
Enterprise Times: What does this mean
At first glance this is just a “so what” survey. The numbers are in line with other surveys taken at shows over the last few years. It seems that many businesses either don’t understand the business risk or are willing to take the chance they will get away with it. That so many still believe this is partly ignorance (wilful or otherwise) and partly down to poor business practices.
Many of these businesses will trade with other companies, often much larger than them. Those companies should be doing much more to enforce cyber security at, or at least educate, their suppliers. Take a close look at GDPR and if your suppliers stuff up, so do you. There is no longer any option to deflect or defer responsibility.
It is also a surprise that no questions were apparently asked about compliance and regulation. Given that these SMBs include those with turnover of up to $500 million, it is something that should have been asked.
This also raises another question about these numbers – why are the turnover numbers in US$? This was a survey of UK companies carried out by YouGov so the values should have been in Pounds Sterling. Keeper has clarified that the 509 respondents were self-selecting from the YouGov panel and could have come from many countries.
The hope is that once Brexit is resolved, SMBs will be able to turn their attention away from international trade issues and back to cyber security. If not, who would want to work with UK companies?
After publication, we received an email from Keeper Security’s PR company. They asked us to make a number of corrections to the piece which are noted above.