Cyber Mindset Exposed: Keeper Unveils its 2019 SMB Cyber Threat Study

Over the past month, Keeper Security surveyed 500 senior decision makers at SMBs to uncover more about their mindsets around cyber threats (likely or not?) and common misperceptions (too new, too old, whose job is it anyways?). The findings underscore just how unprepared businesses are for cyber attacks.

Here are the top 6 things we learned:

#1 Cybersecurity is not on the to do list
60% of respondents say they do not have a cyber attack prevention plan
Only 9% of businesses rank cybersecurity as a top business priority
In fact, 18% rank cybersecurity as their lowest priority
Only 7% of CEOs, corporate chairs and owners say a cyber attack is very likely, and nearly half (43%) of them say a cyber attack is not at all likely (higher than any other management group surveyed)

#2 Leaders underestimate cyber risks and think they have better things to do
2 out of 3 respondents (66%) believe a cyber attack is unlikely (even though in reality 67% of SMBs experienced a cyber attack in the last year)
There are many competing concerns for business leaders – respondents rank recession (28%), damage to public reputation (19%) and a business model disruption (17%) as the most prominent threats to their businesses (cybersecurity was ranked last by over one out of five)
And 60% rank cybersecurity in the bottom half of priorities when compared with other business imperatives including sales, recruitment, quality of internal tools, marketing and contributing to social good

#3 The problem starts at the beginning
One out of four (25%) surveyed say they don’t even know where to start with cybersecurity
Asked what is most effective for breach prevention, top-ranking answers include: enforcing a company security policy (58%), utilizing a security vendor (52%) and ongoing employee education (48%)

#4 Misconceptions about vulnerabilities are real (read: I’m too small, too new, too unappealing to be targeted)
62% of respondents from companies between $1M and 500M in revenue believe experiencing a cyber attack is not likely; this goes up with respondents from companies under $1M (73%)
Newer businesses (operating for less than 5 years) believe they are much more vulnerable to a cyber attack, with 28% believing an attack is “very likely” compared with only 6% reported by companies operating for 10+ years. In addition, 70% of respondents from companies in business more than 10+ years believe a cyber attack is not very likely or not likely at all
Media/entertainment respondents feel most safe, with only 4% reporting an attack as “very likely” and nearly 8 in 10 (78%) not likely to happen to them (whereas respondents in financial services believe they are most vulnerable to an attack, with nearly half (47%) believing an attack is somewhat or very likely)

#5 There is a lot of confusion about whose job cybersecurity is
33% believe company leadership is responsible for cybersecurity
Few (9%) believe cybersecurity is the responsibility of individual employees
62% of CEOs, chairs and business owners believe they (company leadership) are responsible for their company’s cybersecurity
Only 14% of group/team heads think company leadership is responsible and instead believe it is the responsibility of a dedicated team (51%)
37% report having a dedicated IT or cybersecurity team

#6 Passwords policies and sentiment are improving
Nearly 7 in 10 respondents (69%) affiliate passwords with security or a first line of defense against an attack
75% of companies have policies in place that encourage or require employees to update their passwords regularly.
Among leaders surveyed, CEOs, Chairs and Owners were more likely to not know company password policies (13%)

Methodology
Fieldwork was undertaken between June 28 and July 5, 2019. All figures, unless otherwise stated, are from YouGov Plc. The survey was carried out online. The figures have been weighted and are representative of all senior decision makers at companies with 500 employees or less.