The cybersecurity failures that reached public consciousness befell household names like Yahoo, Microsoft, Facebook, Target and JPMorgan Chase. But safeguarding data is an equally large problem, if not more so, for small and medium-sized businesses (SMBs): a major breach could put them out of business.
Cyberattacks directed at SMBs have surged in recent years, according to a new research report by password management company LastPass and research firm InnovateMR.
Why? For one thing, the report said, criminals have identified SMBs as relatively easy targets because of resource constraints and in some cases lax cybersecurity policies. Also, the bad actors are increasingly attacking SMBs to infiltrate larger organizations farther up their supply chains.
The survey included 633 U.S.-based leaders at small businesses (10-499 employees) and midsized ones (500-2,999 employees). The report also divided the participants into three groups: executives, IT leaders and non-IT business leaders.
A substantial majority of respondents said they are becoming more proactive on cybersecurity, by building awareness of and investment in security measures, for example.
In fact, 82% of those surveyed said cybersecurity budgets are increasing this year. But, while these quantitative investments are promising, “leaders should spend more time making qualitative investments to improve cybersecurity, including policy, education, and culture,” the report advised.
However, there was evidence of a disconnect among the groups. Executives and IT leaders overwhelmingly indicated a belief that employees understand security expectations, at 92% and 93%, respectively. Notably fewer non-IT leaders (78%) felt the same. Based on those numbers, LastPass opined that “executives and IT leaders are overly optimistic.”
The report recommended that leaders across an organization consult together to determine the true level of understanding among employees and the best route to achieve organization-wide cybersecurity policy compliance.
Noting that only three in 10 leaders believe their company faces a very high risk of experiencing a cybersecurity issue, Alex Cox, director of threat intelligence for LastPass, stressed in a blog post that leaders must have “an understanding of their crown jewels, who is coming after them, and their most likely threats.”
Meanwhile, some additional survey findings were disturbing despite applying to a minority of respondents. For instance, about one in five business leaders, and one in 10 IT security leaders, admitted to circumventing security policies. Also, one in four younger workers is likely to violate policies, and 36% of Gen Z professionals admitted to writing down passwords.
Cox urged SMBs to implement “a balanced approach of stronger incentives for compliance and stricter consequences for violations.”
But at the same time, Cox added, leaders should implement simplified processes for temporary cybersecurity policy exceptions, as needed for completing important work. This can “help employees get work done without taking dishonest measures,” he wrote.