
SMEs more vulnerable than ever to cyber attacks, survey shows

The biggest cyber threat to UK and US small businesses is employees’ weak passwords, as the frequency, intensity and cost of cyber attacks continue to rise, a study has revealed

The overwhelming majority of cyber attacks on small to medium-sized enterprises (SMEs) result from poor password management, a study of 1,000 UK and US SMEs by the Ponemon Institute shows.

Despite this fact, SMEs are doing very little to boost visibility into the password practices of their employees, according to the study sponsored by password management firm Keeper Security.

The study report said employee negligence is the top root cause of successful data breaches.

“Survey respondents believe cyber attacks are becoming more targeted, more severe in terms of consequences, and more sophisticated,” said Larry Ponemon, chairman of the Ponemon Institute. “So you would think things would be getting better in terms of protecting themselves, but they are really trending to worsening.”

According to the survey, 61% of respondents reported a cyber attack, up from 55% a year ago, while 54% reported a data breach, up from 50% a year earlier.

Ransomware attacks were reported by 52% of respondents, with 53% of those reporting they were hit by more than one ransomware attack.

The total cost associated with a successful cyber attack on an SME now runs well in excess of £1m, meaning a single attack could bring an SME to its knees financially.

Amount of stolen records on the increase

Not only has the cost of data breaches risen to an average of just over £1.2m including all attack mitigation and business disruption costs from £717,909 a year ago, but the average number of records stolen has soared from just over 5,000 per attack last year to 9,350 this year – an 87% increase.

While 54% of respondents say the root cause of the attacks is negligent (not malicious) employees, a full third of the companies surveyed could not even determine the root cause.

An ongoing lack of attention to password usage underlies much of the cyber security woes at SMEs, the study said, referring to the latest Verizon Data Breach Investigations Report, which noted that 81% of all cyber attacks result from poor password management practices.


The latest Ponemon research shows that 59% of respondents said they have no visibility into their employees’ password practices, which is unchanged from a year ago.

Among the bad practices cited are using the same passwords for access to multiple accounts and servers; sharing passwords in highly insecure ways; and failing to use strong passwords, settling instead for 123456 or other very easily compromised passwords.

Fewer than half (43%) of the SMEs surveyed have any sort of password policy in place. And of those that do have such a policy, 68% (up from 65% last year) said they either do not strictly enforce it or are unsure whether it is enforced.

“SMEs can respond to this overall situation by quickly establishing mobile device and BYOD [bring your own device] internal control policies,” said Darren Guccione, Founder and CEO of Keeper Security.

“Then implement software that controls the information being protected and transacted via these and other devices. The combination of password management software and enterprise mobility management tools can mitigate up to 80% of the cyber risk those devices pose,” he said.

Greater data protection implementation needed

According to the study, SMEs need to implement greater data protection beyond the “traditional” protection tools: two-thirds of respondents reported cyber attacks that evaded the company’s intrusion protection defences, up from 57% a year ago, and 81% reported such attacks evading traditional antivirus defences, up from 76% last year.

The Ponemon study shows that the top barriers to adopting better cyber defences are a lack of trained security staff (73%) and inadequate budget (56%). However, the report said that, given the enormous costs associated with a data breach, failing to protect against today’s dynamic threat environment could prove disastrous, and the cost of doing so may not be as high as imagined.

“There is more great protection software targeting SMEs today than ever before,” said Guccione. “The cost-to-benefit spread in terms of value to what the real risks are, and in consideration to how productivity can actually be enhanced with the right software solutions, puts better protection well in reach of SMEs.”

For example, he said, by implementing a comprehensive password management system, many organisations have experienced a marked decline in helpdesk calls related to lost or forgotten passwords.

SMEs targeted through phishing

The Ponemon research into the rising incidence of ransomware attacks on SMEs found that 79% of the attacks were unleashed through phishing or other social engineering, most notably by burying harmless-looking clickable URLs in a scam email. A prime defence against this, said Guccione, can be ongoing phishing simulations to educate negligent employees.

Organisations polled also exhibited high levels of concern over security breaches caused by internet of things (IoT) devices.

IoT devices notoriously lack security mechanisms and typically come with no mandate or set of requirements regarding password length or strength, or whether they should have single- or two-factor authentication.

Nearly a quarter of respondents reported an IoT-related data breach, with two-thirds reporting feeling “concerned or very concerned” about their lack of security. In fact, 56% said IoT and mobile devices represent the most vulnerable endpoints in their organisations.

London is taking the lead in the UK by helping to make the city’s small businesses, which number more than one million, safe from cyber crime through the London Digital Security Centre (LDSC).

The centre was set up as a not-for-profit organisation in 2015 by the Mayor’s Office for Policing and Crime (Mopac) and is run as a joint venture between the mayor of London, the Metropolitan Police and the City of London Police.

The LDSC provides a free cyber security assessment and improvement programme for SMEs and created a “marketplace” of selected products and services to help London’s businesses protect themselves.

SMEs lacking antivirus software

LDSC research shows that 69% of London’s SMEs are running outdated software, 74% lack BYOD policies, 25% lack antivirus software, 69% do not use encryption software, 85% do not use digital signatures, and 77% do not use the Dmarc email authentication, policy and reporting protocol.

But improving cyber security is not always about buying new kit and spending money, according to John Unsworth, chief executive at the LDSC. A small business can do a lot to improve its cyber security posture by a simple investment in time and effort.

“This includes things like installing the latest software and app updates because they contain vital security upgrades which help to protect against viruses and hackers, using strong and separate passwords for key accounts, backing up essential data at regular intervals, never disclosing passwords, and ensuring that administrative accounts are never used for routine activities, such as browsing and emailing,” he said.

Other recommendations include: providing staff with access to simple, freely available cyber security training; conducting a cyber security risk assessment; seeking accreditation through the government-endorsed Cyber Essentials scheme; and deploying the domain-based message authentication, reporting and conformance (Dmarc) protocol and the sender policy framework (SPF) to validate a message’s email domain.

The LDSC works through a partnership programme, and recently issued a call to arms to the London cyber security community and big business sector to join the programme to help SMEs protect themselves from cyber crime.
