SMBs Fear Phishing, Fall Short on Cyber Training
In surveying 500 small to medium-sized businesses (SMBs) across the US, Webroot discovered that many businesses fail to recognize the many cybersecurity threats their businesses face, in large part because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked the number-one threat to SMBs.
The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.
Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations being the least likely to state their greatest risk. Of those companies classified as medium-sized (20-99 employees), 28% fear human error as their greatest threat. However, SMBs do realize that implementing awareness training programs would potentially help mitigate risks from cyber threats.
“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.
“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”
Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.
As businesses grow in size, the numbers tend to get a little bit better, with only 29% of companies in the medium-sized and 13% of large companies (those with 100 to 500 employees) failing to provide a cybersecurity training in the workplace.
“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.
“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”
Source: Information Security Magazine