76% of SMBs Have Experienced a Data Breach in the Past Year

A recent survey conducted by the Ponemon Institute on behalf of Keeper Security has revealed 76% of small and medium-sized businesses in the United States have experienced a data breach in the past 12 months.

The survey was conducted on 2,391 IT and IT security professionals in the United States, United Kingdom, and Western Europe for Keeper Security’s 2019 Global State of Cybersecurity report.

The survey revealed SMBs in the United States are more extensively targeted than in other countries. Globally, 66% of SMBs have experienced a data breach in the past year. The frequency of attacks has also increased. Since 2016, the number of cyberattacks on SMBs has risen by 20%. 69% of respondents said cyberattacks have become much more targeted.

The main methods used by cybercriminals to attack SMBs are phishing and social engineering, which were behind 57% of SMB cyberattacks in the past 12 months. 30% of attacks involved other forms of credential theft, and 33% of breaches were due to compromised or stolen devices. 70% of surveyed SMBs said they had experienced incidents in the past 12 months in which employee passwords were either lost or stolen.

The root causes of most breaches differed from country to country. In Scandinavia, Austria, Germany, and Switzerland, phishing and social engineering attacks were the most common causes of data breaches, whereas in the United States, United Kingdom, Belgium, Netherlands, and Luxembourg breaches were most commonly due to employee negligence.

63% of respondents globally and 69% in the United States said data breaches had resulted in the loss or theft of sensitive information, which is 50% higher than in 2016.

Many businesses have implemented an intrusion detection system to prevent and detect breaches, yet 69% of businesses reported that at least one attack had circumvented that system.

There has been a major rise in the use of mobile devices by SMBs and those devices are often used to access business-critical applications. 48% of respondents said they use mobile devices for that purpose and the same number said they do so even though it poses a security risk.

It is important for strong passwords to be set to reduce the potential for password guessing or brute force attacks. While many businesses had password policies in place, 54% said they had no visibility into the password practices of their employees.

There is also a lack of oversight of third parties with whom sensitive data is shared. 70% of respondents said they did not maintain a comprehensive record of the third parties with whom sensitive data was shared. Unless that information is recorded, it is impossible to conduct comprehensive assessments to determine whether business associates are implementing appropriate controls to keep confidential information secure.

45% of SMBs believed their cybersecurity defenses were ineffective at mitigating cyberattacks, and 39% said they had no incident response procedures in place to deal with data breaches when they occurred. Given the lack of incident response plans, it is no surprise that only 26% of respondents said they had managed to decrease their response time to cyberattacks. 39% said their response times had increased.

Author: HIPAA Journal