Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, according to a new study from Keeper Security and the Ponemon Institute, released Tuesday. Of the 1,000 IT professionals surveyed, 54% said careless workers were the root cause of cybersecurity incidents, followed by poor company password policies.
This is especially concerning due to the rise in ransomware attacks: More than 50% of SMBs surveyed had experienced such an attack in the past year. Ransomware often enters an organization via a phishing email aimed at tricking an employee into clicking a malicious link or download. Indeed, in the survey, 79% of those hit said the ransomware entered their system through a phishing or social engineering attack. Further, of those who experienced an attack, 53% were hit more than once in the year.
"The number one greatest cyber threat to a business is their very own employees," said Darren Guccione, CEO and cofounder of Keeper Security, Inc., in a press release. "Critical data is more accessible via mobile devices in our 24/7-connected, device-filled world."
Password protection was also an issue: Only 43% of IT professionals surveyed said they had a password policy in place, and 68% said they either do not strictly enforce their policy, or are unsure if one exists. Some 59% of respondents said they do not have visibility into their employees' password practices, such as the use of unique or strong passwords, and secure password sharing.
More than 50% of US companies' sensitive data can be accessed via an employee's smartphone or tablet, Guccione said in the release. "Poor password policies, the rise of mobile-targeted attacks and the influx of Internet of Things [IoT] devices in the workplace is a recipe for disaster," he added.
The risk of cyber breaches increased for companies of all sizes and industries compared to last year, the study found. More than 61% of SMBs had been breached in the last 12 months, compared to 55% in 2016. In an average breach, the amount of data stolen nearly doubled, from 5,079 records in 2016 to 9,350 in 2017. IoT devices also have SMBs worried, with 67% of IT professionals reporting that they were "very concerned" about the impact of these devices in their office. Some 56% said that they believe IoT and mobile devices are the most vulnerable endpoint in their organization's networks.
"We were alarmed to find that small and mid-sized businesses are becoming a huge target for hackers," said Larry Ponemon, chairman and founder of the Ponemon Institute, in the release. "As both frequency and size of data breaches increases, SMBs must face the reality that a material adverse financial impact on their business is a real possibility."
Attacks are becoming more costly, Ponemon said in the release, with the average cost due to damage or theft of IT assets and infrastructure now exceeding $1 million. "One cyber incident could very well put a small company out of business," he added.
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, with 54% of IT professionals reporting that careless workers were the root cause of cybersecurity incidents. -Keeper Security and the Ponemon Institute, 2017
- More than 50% of SMBs experienced a ransomware attack in the past year. -Keeper Security and the Ponemon Institute, 2017
- The average cost of a cyber breach due to damage or theft of IT assets and infrastructure now exceeds $1 million. -Keeper Security and the Ponemon Institute, 2017
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.