Cybersecurity firm AppRiver released its Q4 Cyberthreat Index for Business Survey, highlighting the threats facing small- and medium-sized businesses (SMBs) as we transition into 2020.

The survey features the opinions of more than 1,000 cybersecurity officials working at SMBs throughout the United States. According to the survey, 93% of all executives think nation-states outside of the country are intent on attacking security digitally or waging “an invasion fought in cyberspace using businesses such as theirs as entry points.”

AppRiver’s survey found that the figure rose to a whopping 97% when it came to larger SMBs and two-thirds of respondents said the threats would become even greater in 2020. Executives involved in government, healthcare, pharmaceutical, technology, telecom, transportation and logistics were the most likely to be concerned about cyberattacks from foreign powers.

To manage this threat, more than 60% of respondents said they planned to increase cybersecurity budgets in 2020.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)

“It seems unusual that small and midsize companies are concerned about foreign powers, but with elections coming up in 2020, they have legitimate reasons to worry about becoming vulnerable entry points for outside entities,” said Troy Gill, senior cybersecurity analyst at AppRiver.

“The silver lining is that they are actively planning to improve their security with new technology and better training for employees, which together, are a powerful combination.”

The survey found that nearly 90% of all executives at businesses with less than 150 employees said cyberthreats were “top-of-mind concerns for their business.” The figure rose to 93% for companies with up to 250 employees.

One of the most alarming aspects of the report was the burgeoning prevalence of cyberthreats for even small businesses. More than 75% of executives at small companies and 80% of those are medium-sized businesses told AppRiver researchers that cyberthreats were now having a noticeable effect on their industry, the highest figures recorded this year.

“In 2019, we saw cyberattacks on our government trickle down from large agencies to smaller local municipalities and schools,” said Dave Wagner, CEO of Zix, which owns AppRiver.

“That follows the pattern we’ve seen in business, where attacks have expanded from big corporations to small- and medium-sized businesses. While these attacks can originate from anywhere, the survey data shows that SMBs believe foreign actors and even nation-states may be targeting them as a first step toward access to larger companies or government agencies,” he added in a statement.

Businesses were surprisingly frank in the survey about their ability to withstand an attack. More than 70% of respondents told AppRiver said a cyberattack would damage their business and another 22% said their company would not even be able to survive one attack. That number jumps to 30% for businesses with up to 250 employees.

The companies most fearful of not being able to survive an attack by cybercriminals were in industries including education, financial services, insurance, technology, and telecoms.

The survey also mentions that the holiday season is particularly worrisome for security officials because most employees are shopping from their work devices or computers, opening businesses up to a bevy of cyberthreats coming from fake advertisements or dubious deals.

More than 80% of respondents from businesses of all sizes said they knew many of their employees would shop online at work. That number spiked to 90% for large businesses.

“The latest survey results show that as businesses become more dependent on technology—with more planning the adoption of A.I.—and as global borders become blurred in cyberspace, increased cyberthreats are expected to become a fact of life for all businesses, regardless of size or industry,” AppRiver researchers concluded in the survey.

“It is possible that as a small business grows, it could become a more likely target for bad actors. It is also possible that small businesses with cloud-based services with built-in security and fewer employees have fewer vulnerable attack entry points. However, as this year’s growing attacks on local municipalities, schools and small hospitals have shown, smaller organizations can no longer count on flying below the radar and being ignored by cybercriminals.”