Despite growing threats of phishing, ransomware, and more, many small businesses have no employee cybersecurity training program in place, according to a Tuesday report from Webroot.
In surveying 500 small- to medium-sized businesses (SMBs) in the US, Webroot found that 66% of businesses with fewer than 19 employees didn't have any kind of employee cybersecurity training in place. For companies with 20-99 employees, that number was 29%, and for those with 100-500 employees it was 13%.
These training programs that companies are passing up on have a strong efficacy rate. A separate Webroot report found that when employees underwent phishing simulations in combination with ongoing training, their click rate on these phishing links dropped by more than half—from 26% down to 12%.
SEE: Information security policy (Tech Pro Research)
Phishing, overall, was seen as the current greatest threat against SMBs. Some 24% of all respondents to the survey said this was the case. Still, another 24% of those surveyed said they didn't know their greatest threat, the report found. And employees at businesses with fewer than 19 workers were the least likely to know their top threat.
There are specific trends that pop up in phishing emails, Webroot CISO Gary Hayslip, explained in the report. Here are the top 11 email subject lines associated with phishing:
- Review or Quick Review
- Bank of <take your pick>; New Notification
- Charity Donation for You
- Action Required: Pay your seller account balance
- Unauthorize login attempt
- Your recent Chase payment notice to <name of employee>
- Important: (1) NEW message from <Bank Name>
- AMAZON : Your Order no #812-4623 might ARRIVED
- Wire Transfer
- Assist Urgently
Companies that have 20-99 employees ranked employee naiveté is their top threat, with phishing coming in at 22%. Despite the hype surrounding individual threats, 92% of all malware still comes by way of email, as noted in the 2018 Verizon Data Breach Investigations Report. As such, "SMBs should focus on training employees to securely manage their email," the Webroot report said.
When it comes down to it, most SMBs simply don't have the money or resources they need to handle security at an expert level, the report found. Some 41% of respondents said they have no dedicated resources for IT security, and only 12% said they had dedicated in-house security staff. Others admitted to using third parties to help manage security, the report said.
The financial risk is big, too. According to the report, a breach will cost an average SMB around $527,256.
The big takeaways for tech leaders:
- Phishing is still the top risk for SMBs, although many small businesses lack any formal security training for their employees. — Webroot, 2018
- SMBs don't have the proper resources to tackle security, as 41% have no dedicated resources for IT security. —Webroot, 2018
- A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
- Security warning: Your suppliers are now your weakest link (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Security alert: Watch out for password-stealing malware says FBI (ZDNet)
- 7 tips for SMBs to improve data security (TechRepublic)
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.