Report: Cyberattacks against SMBs on the rise

Oct. 16, 2019
New study reveals trends in hacker tactics and how organizations are addressing the problem

Reported incidents of businesses being victimized by cyberattacks have become so numerous in recent years that many C-level executives and rank and file employees have become numb to them. Rarely a week goes by that a data breach or ransomware infection at a large organization doesn’t make national headlines. However, for every attack against an entity like Target or Equifax, there are numerous others carried out on small and mid-sized businesses (SMBs) which don’t generate the same level of media attention but are just as damaging – not only to those whose personal information is compromised but to the businesses impacted.

In fact, according to the results of a new study, attacks against SMBs continue to rise at an increasing rate. The “2019 Global State of Cybersecurity in Small and Medium-Sized Business,” which was commissioned by security and encryption software provider Keeper Security and conducted by The Ponemon Institute, found that 66% of SMBs globally had suffered a cyberattack within the past 12 months. Additionally, 76% of U.S. SMBs indicated that they had a suffered an attack over the same period, which is up from 55% in 2016.

SMBs also reported that the attacks being perpetrated against them are growing in their sophistication. Among the most common attacks suffered by SMBs globally included phishing (57%), compromised or stolen devices (33%) and credential theft (30%). The most common impact of these attacks on SMBs globally (63%), according to the report, was the loss of sensitive information about customers and employees. In the U.S., 69% percent of SMBs reported losing sensitive information, which was up from 50% in 2016.    

Though there has been an increased focus on data protection in places like Europe where the General Data Protection Regulation (GDPR) went into effect last year and can have a significant impact on the bottom line of businesses that fail to act, Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, says that the study, which polled 2,000 IT and IT security professionals in the U.S. and a variety of European countries, shows that there aren’t big differences globally in how SMBs approach cybersecurity. “We basically found that small and medium-sized organizations are just not doing what they need to do, which is to have a strong security posture across the board,” he says.

Darren Guccione, CEO, and Co-Founder of Keeper Security, says one of the biggest problems that SMBs have in common is a lack of visibility or control over their password security practices.

 “If you go into a small or medium-sized business and talk to the person who is in charge of IT and you ask, ‘Do you know which employees, on every single device they use – tablet, smartphone or computer – in your entire organization, who is using random, high-strength passwords on every single application on all those devices?’ Ninety-nine percent of the time they do not have that answer and when you follow-up and ask, ‘Should you know?’ they say absolutely we should know,” Guccione explains. “A lot of this problem is a result today of a lack of education and awareness around cybersecurity.”   

Other highlights from the report among U.S.-based business include:

  • 82% of U.S. respondents reported experiencing a cyberattack in their organization’s lifetime, which is higher than any other region
  • U.S. businesses are more confident in their in-house security expertise than any other region
  • Nearly 9 in 10 (88%) of U.S. respondents indicated they spend less than 20% of their overall IT budget on security
  • U.S. businesses are nearly twice as likely to be the victim of a cyberattack due to a company insider (77%) versus an external hacker (40%)

The ‘It Won’t Happen to Me’ Mentality

Despite the increasing number and sophistication of cyberattacks, the majority of SMBs still remain woefully unprepared. Nearly half (45%) of those surveyed described their organization’s IT posture as ineffective and 39% said they didn’t have an incident response plan in place.

“One of the misconceptions we’ve seen for a long time is the belief by leadership at small and medium-sized organizations that they don’t have a bullseye on their back, that basically the bad guys are hunting for the big brand, the big names and if they want to get some real results as a hacker they’ll have to go after the Fortune 100, for example,” Ponemon says. “That is not only a myth, it’s not true.”

“At the end day, roughly 30,000-plus websites are breached every day,” Guccione adds. “There is this presumption that legacy hardware that was protected by anti-virus (software) is going to be a continued security benefit to an SMB and that is not what the focus is on anymore. Cyber criminals don’t really care too much about placing viruses on computers to make them unusable, on the ransomware side that’s true, but the cyber criminal wants to monetize and the way you monetize is either through ransomware attacks where you lock up the computer and force someone to pay to unlock it but also, more specifically, is to steal information and sensitive digital assets, take that information and resell it on the Dark Web.”  

Guccione says that there is still a lot of work to be done by the cybersecurity community and vendors, in particular, when it comes to educating SMBs about the threats they face.

“This is a massive market opportunity for these vendors but traditionally, a lot of the vendors focus more on larger enterprises and government agencies as opposed to the SMB. This is where it becomes very important because SMBs are no less receptive to learning about how to mitigate a cyberattack than a larger organization, it’s just that their resources, in terms of both human capital and financial capital are more limited, which means that the vendor itself has to be more targeted,” he explains. “They have to approach the SMB or the prospect differently and they have to basically facilitate the information in a different way that’s more easily digestible for the SMB and that’s a big change over conventional, enterprise -scale marketing, messaging and sales tactics.”

Key Takeaways

One of the biggest takeaways from the study, according to Guccione, is that those in charge of security at organizations need to be proactive and practice what he refers to as “self-help.”

“They need to educate themselves on the basics of cybersecurity and focus on what they can do to have a cybersecurity strategy in place for their business,” he says. “There are four prongs of that; prevention, which is having software and processes in place to prevent data breach; detection, which is again having software in place to detect that there is an anomaly; remediation, which involves removing bad actors and patching (vulnerabilities) quickly; and finally, there is response and understanding when and how you have to respond to your customer base, stakeholders and the public.”

Lastly, Guccione says that SMBs can’t continue to live in denial about the threats they face.

“Here’s an example. We recently had the DoorDash breach. There are a lot of SMBs that use DoorDash for delivery and if they don’t have, for example, a Dark Web monitoring service that they’re using, they’re login credentials for that service were taken upwards of five months ago, placed on the Dark Web and monetized by cyber criminals," he says. "Cyber criminals know those login credentials, more than 60 percent of the time are reused over and over again by an individual to login to different websites, systems and services. If I have to rely on public disclosure by a news source, by then it is too late.”

Joel Griffin is the Editor-in-Chief of and a veteran security journalist. You can reach him at [email protected].
About the Author

Joel Griffin | Editor-in-Chief,

Joel Griffin is the Editor-in-Chief of, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.