Small- and Medium-Sized Businesses: Cyber Threats by the Numbers

October 10, 2017
Categories: Cybersecurity

When it comes to cybersecurity, large organizations typically dedicate a range of resources to defending against cyberattacks – from implementing technology controls to training employees and other measures. For small and mid-sized businesses (SMBs) that lack the resources to devote to an information technology (IT) department, facing cybersecurity risks can be daunting. However, SMBs need to be ever vigilant – increasingly, bad actors are targeting smaller companies as a way into the systems of the larger organizations they connect with. Smaller companies may also be vulnerable to cyber risks due to poor IT hygiene (e.g., inconsistent application of security patches, unlicensed software, or downloading apps that carry malware), employees not trained in cybersecurity best practices, and outdated systems, to name a few issues.

In 2016 the Ponemon Institute released a report – The 2016 State of Cybersecurity in SMBs – which found that only 14 percent of SMBs rated their ability to mitigate cyber risks and attacks as “highly effective.” Furthermore, 65 percent of respondents said that if their employer had a password policy, it was not enforced. Passwords are the minimum that can be done to secure a device, and failure to adhere to a password policy makes it easier for an attacker to gain remote access to an organization's network. The report also stated:

  • 49% of cyber-attacks experienced were web-based
  • 43% of cyber-attacks experienced were phishing / social engineering
  • 48% of breaches were caused by a negligent employee or contractor
  • 66% of respondents say customer records are their biggest concern
  • 69% of respondents say they do not have the in-house expertise adequate for achieving a strong cybersecurity posture

Symantec released a report in early 2017 which addressed some SMB cyber-risks. The report, titled Internet Security Threat Report, noted that malware and phishing emails are an issue for individuals as well as organizations of every size. However, upon examination, the businesses hit hardest by email malware were SMBs with between 251 and 500 employees. The rate of malware occurring in an email was one in every 95 emails. This SMB size bracket also had the highest prevalence for phishing emails with one in every 2,554 emails. Smaller SMBs with one to 250 employees were the most affected by spam with 54.2 percent of overall emails being spam.

Email malware rate for SMBs by company size:

  Company size    Email malware rate (1 in)
  1-250           127
  251-500         95
  501-1000        139

Spam rate for SMBs by company size:

  Company size    Spam rate (%)
  1-250           54.2
  251-500         53.1
  501-1000        53.4

In addition to malware and phishing emails, SMBs also need to be aware of social engineering emails meant to entice the user into giving out personal or financial information. Symantec noted that certain words appeared in the subject lines of these emails more frequently than others: request, payment and urgent. A user may mistake such an email for a legitimate, business-related enquiry or request and hand over information, or may open and work through the email fearing they have been charged for a purchase they did not make.
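As an added illustration (not code from the original post or from Symantec's report), the following Python script turns the subject-line observation above into a simple mail-triage heuristic for a defender: it parses a handful of constructed sample messages, counts how many of the three cited terms appear in each subject, and flags messages that reach an assumed threshold for human review. The sample messages, the prefix-matching rule and the threshold of two terms are all assumptions made for the example.

```python
import re
from email import message_from_string, policy

# The subject-line terms the post cites from Symantec's report.
SUSPECT_SUBJECT_TERMS = ("request", "payment", "urgent")

# Match each term as a word prefix so "requested", "payments" and
# "urgently" also count, without matching substrings of unrelated words.
_TERM_PATTERNS = {
    term: re.compile(r"\b" + re.escape(term), re.IGNORECASE)
    for term in SUSPECT_SUBJECT_TERMS
}

# Constructed sample messages for demonstration only; none of these are real mail.
SAMPLE_MESSAGES = [
    "From: ap@example.test\nSubject: URGENT: Payment request for outstanding invoice\n\nPlease wire today.\n",
    "From: hr@example.test\nSubject: Team lunch on Friday\n\nSee you there.\n",
    "From: billing@example.test\nSubject: Payment received, thank you\n\nReceipt attached.\n",
    "From: ceo@example.test\nSubject: Request: please confirm your wire details urgently\n\nCall me.\n",
]


def score_subject(subject):
    """Return the set of suspect terms found in one subject line."""
    return {term for term, pat in _TERM_PATTERNS.items() if pat.search(subject)}


def triage(raw_messages, threshold=2):
    """Parse each raw RFC 5322 message and flag those whose subject contains
    at least `threshold` suspect terms. The threshold is an assumed tuning
    value for this example, not a figure from the post."""
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        terms = score_subject(subject)
        if len(terms) >= threshold:
            flagged.append({"subject": subject, "terms": sorted(terms)})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(f"REVIEW: {hit['subject']!r} matched {hit['terms']}")
```

A single matching word (a genuine "Payment received" receipt, for instance) stays below the threshold, which is the point of scoring rather than blocking on any one keyword: the output is a queue for a person to check, not a filter that silently drops mail.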

Also of concern to SMBs is the business environment in the United States. The U.S. led the world in the total number of data breaches for 2016 with 1023; the country with the second highest number of breaches was the UK with a far lower 38. The U.S. was also the world leader in the number of identities stolen as a result of cyber-breaches, with 791,820,040 identities stolen; the country ranked second for identities stolen was France with a far lower 85,312,000.

Helping to dispel the common myth that SMBs are simply not big enough to be targets is the 2017 Data Breach Investigations Report produced by Verizon, which states that at the time of its publication (May 2017) 61 percent of data breach victims had been businesses with fewer than 1000 employees. Finally, for those SMBs that are part of the supply chain of a larger organization, it is important to get a handle on their cybersecurity policy since, according to Gartner, by 2018, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart's security policy to assess the risks of continuing the relationship.

The cyber-attacks targeting SMBs do not differ greatly from the threats faced by large organizations; however, SMBs typically do not have the benefit of dedicated resources to help mitigate those risks. In the coming months, the Cyber Readiness Institute will be researching and developing new ways for small- and medium-sized businesses to better address escalating cyber threats. Learn more in this press release.

This content was first featured on the Cyber Readiness Institute website, an organization co-founded by and the Center for Global Enterprise (CGE).