SMBs exhibit false confidence when it comes to cyber threats

Whether it is underestimating cyber threats or overestimating employees' ability to cope with an attack, almost all SMBs exhibit more confidence than they should do

A survey of 600 SMBs worldwide (200 each in the UK, USA and Australia) has shown that, globally, fewer than 30 per cent consider themselves completely ready to manage IT security - and are underestimating the threat of certain types of attack.

Globally, 56 per cent of organisations told cyber security firm Webroot that they would be susceptible to new forms of malware this year; 48 per cent mentioned mobile attacks, 47 per cent said phishing and 43 per cent said DDoS. However, ransomware was the threat that SMBs were least concerned about: only 42 per cent of respondents thought that they would be susceptible, despite the recent WannaCry and NotPetya infections.

Ransomware is likely being underestimated: Webroot's threat research shows that more than 60 per cent of companies have already been affected by it, especially the financial and retail sectors. In the UK specifically, where the NHS was hit by WannaCry, its importance was very slightly higher, at 50 per cent; although it was still the second-lowest area of concern (only ahead of phishing, at 48 per cent).

US SMBs were by far the most confident respondents to Webroot's question, with no threats coming above 50 per cent - and ransomware at only 31 per cent. This was false confidence, however: only 20 per cent said that they felt fully prepared to handle IT security.

Respondents in the UK were similarly overconfident (or underprepared). 90 per cent said that their staff are capable of addressing external attacks - but 92 per cent also felt that they could improve security by outsourcing IT solutions; 82 per cent said that it was likely that they would use an external cyber security provider this year; and only 28 per cent consider themselves ready to address all IT threats.

Adam Nash is the EMEA regional manager of Webroot, and said about the survey result, "The lack of concern about ransomware is leaving a gaping hole in the security of global businesses... This, combined with the UK's false sense of security when it comes to businesses' ability to manage external threats, is worrying. Small- to medium-sized businesses can no longer afford to put security on the back burner and need to start engaging with the issues and trends affecting the industry."

It wasn't only in threat handling that US respondents were the most confident: they also felt that they had the least to lose from a data breach, estimating the total cost (where customer records or critical business data were lost) to be about £440,000. UK SMBs estimated that they would lose £740,000; but it was Australian businesses that placed the highest value on their data, saying that a breach would cost them about £1.2 million.