Small & Medium Businesses Are Under Increasing Risk Of Attack

There has been an upward trend in cyber attacks on small-to-medium-sized businesses (SMBs) for several years, and they now find themselves on a roughly equal footing with their larger counterparts in terms of the likelihood of experiencing an attack.

Ponemon’s annual SMB survey included 2,391 IT security professionals and decision makers from companies located in the United States, United Kingdom, and throughout Europe. The 2019 Report indicates that attacks on SMBs have been sharply on the rise in the past year around the world. While the overall number of attacks on global SMBs stayed roughly even from the previous year, attacks in specific regions jumped as much as 21%.

Significant 2019 Findings:

  • Overall, attacks are increasing dramatically - 76% of U.S. companies were attacked within the last 12 months, up from 55% in 2016. Globally, 66% of respondents reported attacks in the same timeframe.
  • Attacks that rely on deception are rising - Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%) and credential theft (30%) among the most common attacks waged against SMBs globally.
  • Data loss is among the most common impacts - Globally, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the past year. That number is 69% in the U.S., an increase from 50% in 2016.

The State of Cyber Security for SMBs
The annual Ponemon survey of SMBs is important as it looks specifically for targeted attacks. One would expect SMB attack numbers to grow across the board as indiscriminate automated hacking tools become more prevalent, but the attacks logged in the survey are sophisticated and involve actions such as targeted email phishing of an employee or a focus on obtaining specific company data.

While roughly two-thirds of the world’s SMBs are now experiencing cyber-attacks, 45% still feel that their cybersecurity posture is “ineffective,” and 39% still do not have an incident response plan in place.

The companies range from 100 to 1,000 employees in size and the data was collected in August and September.
New attacks appear to be focusing on SMBs in specific regions, with the United States getting the worst of it. The overall number of global SMB attacks stayed fairly steady, perhaps even decreasing slightly (moving down from 67% in 2018 to 66% in 2019). 

This comes, however, after years of steady and significant growth: from 55% in the inaugural study in 2016 to 61% in 2017.
76% of SMBs in the United States reported a cyber-attack this year, compared to only 55% in 2018. Additionally, 82% of these respondents have now experienced a cyber attack in their lifetime. In spite of all of this, 88% of these companies spend less than 20% of their IT budget on cyber security.

Attacks in the United Kingdom also increased at a smaller but still significant rate, up from 55% to 65%.

Smarter Cyber Attacks
These attacks are increasing not just in frequency, but in quality as well. The most common global attack type is phishing, something that 57% of global SMBs fell victim to this past year. Stolen and compromised devices (33%) and credential theft (30%) are also common avenues of attack.

Data loss is the most common result of cyber-attacks on SMBs. 69% of the companies in the United States that responded lost some sort of sensitive personal information belonging to employees or customers. That’s a 50% increase since the first Ponemon survey was conducted in 2016.

New technologies appear to be one of the major factors driving these attacks. Relatively recent developments such as Internet of Things (IoT) devices, biometrics and the use of personal mobile devices for work have been quickly and broadly adopted by SMBs, but security technologies and practices tend to lag behind in these areas. Companies appear to be aware of this, yet feel they cannot do anything about it: 49% of respondents felt that the use of mobile devices with business-critical applications weakened the organisation’s security posture, even though 48% reported doing this exact thing at their companies.

  • 80% felt that unsecured IoT devices could lead to a catastrophic security incident, yet only 21% of these companies are actively monitoring these devices.
  • 75% of the respondents have implemented biometrics into their security profile or intend to do so soon. While biometrics is intended to be an enhanced layer of security against threat actors, the recent incident with Suprema’s Biostar 2 shows that vulnerabilities around the system can turn all of that authentication data into another massive liability.

Trouble in the UK
The United Kingdom was just about on par with the global rate of SMB cyber-attacks, but experienced a significant regional increase. Confidence also slipped somewhat, with 4% fewer of these companies reporting that they felt their security was “very effective.” Interestingly, web-based attacks (49%) slightly outpaced phishing (48%) in this region. General malware attacks (42%) also made notable gains.

Unique conditions elsewhere in Europe
Possibly due to the influence of the General Data Protection Regulation (GDPR), various regions of Europe reported greater confidence in their security posture and contended with fewer cyber-attacks in the past year.

The DACH region (Austria, Germany and Switzerland) has the best IoT security posture at present, though the overall numbers are still concerningly low. DACH led all other parts of the world with 27% of their SMBs conducting IoT security training for employees and vendors, and 25% actively monitoring the IoT devices used in the workplace for data breaches. 
However, these companies also expressed the least concern about employee passwords with only 58% responding that it was a significant endpoint security issue for them.

The Benelux Union (Belgium, Luxembourg and the Netherlands) had one of the lower rates of cyber-attacks targeting SMBs at 56%. This region placed a high security emphasis on strong passwords (68%), and led the respondents in implementation of biometrics (51%).

Scandinavia struggled more than these other regions, with 64% of SMBs experiencing cyber-attacks and 71% of these reporting that malware or exploits managed to get through their security. This region was more likely than others to identify mobile devices as a risk to critical infrastructure (56%), however. Scandinavia was also the only region that had a majority focus on protecting intellectual property, whereas other regions prioritised protecting customer data.

SMB Security Challenges
These annual investigative reports make clear that if there is a vulnerable target out there, there will be a hacker interested in it no matter how small it might seem to be. 

While SMBs do not face the same risk profile that the enterprise-scale large organisations have to deal with (such as special attention from state-sponsored “advanced persistent threat” groups), they clearly face enough cyber attacks that a prevention and response plan is vital.

Sources: Bloomberg, CPO Magazine, Ponemon
