Small to medium enterprises (SMEs) are failing to prepare adequately to address cyber security threats – despite the growing risks.
Despite the WannaCry and Petya global cyber attacks, only 42% of SME IT decision makers polled in the UK, US and Australia are concerned about ransomware.
In fact, ransomware ranked lowest among concerns, with new of malware infections topping the list, followed by mobile and phishing attacks, according to a survey commissioned by security firm Webroot.
However, Webroot’s threat research from June 2017, which is based on data from a variety of businesses, reveals that more than 60% of companies have already been affected by ransomware, with the financial and retail sectors being hit the hardest.
In the UK, the research highlighted a false sense of security among IT decision makers. Even though 72% of UK respondents admit their businesses are not prepared to address external threats, 87% are confident their staff would be able fully address or eliminate an issue.
According to the survey report, when a business suffers a cyberattack, the consequences are felt both internally and externally.
Almost 58% of UK respondents, compared with 65% globally, believe it would be more difficult to restore the company’s public image than to restore employee trust and morale.
Underscoring the need for proactive security solutions, respondents estimate a cyber attack on their business where customer records or critical business data were lost would cost an average of £737,677 in the UK compared with an overall average of £773,483.
SMEs typically face the same threats as bigger organisations, but lack the same level of expertise and other security resources.
Addressing the growing threat, nearly all respondents plan to increase their annual IT security budget in 2017 compared to 2016, according to the report.
SME with 100 to 500 employees currently manage IT security in various ways, the survey revealed. In the UK, 22% of SMEs have in-house employees who handle IT security along with other responsibilities, compared with the average of 20%.
A third of UK SMEs use a mix of in-house and outsourced IT security support, compared with an average of 37%, while 25% have a dedicated in-house IT security professional or team, compared with 23% on average.
In the UK, 92% of respondents believe outsourcing IT solutions would protect their organisation against threats and increase their bandwidth to address other areas of their business, compared with an average of 90%.
Using a third party cyber security provider
Among businesses that do not currently outsource IT security, 82% of UK SMEs will likely use a third-party cyber security provider in 2017, compared with an average of 80%, which represents a big opportunity for managed security service providers (MSSPs), the report said.
The lack of planned investment in cyber defences is surprising in the face of increased attacks, the costs associated with those attacks, and the fact strong cyber security has the potential to give SMEs an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.