We’re halfway through National Cybersecurity Awareness Month in the U.S., but cyberattacks are a global and year-round problem for small and medium-sized businesses (SMBs). Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, commissioned by Keeper Security, found that cyberattacks against SMBs are becoming more frequent, complex, and destructive. It also uncovered that the biggest threat to an SMB’s cybersecurity posture isn’t external hackers but the firm’s own employees.
Cybercriminals are using stolen passwords to evade technical defenses
Nearly 70% of respondents in the Ponemon study reported having experienced a cyberattack within the last year that bypassed their intrusion detection systems, and 82% were targeted by attacks that weren’t caught by their anti-virus programs.
These numbers aren’t surprising in light of some of the report’s other findings, which indicate that cybercriminals are turning to social engineering tactics to get around technical security defenses:
- 63% of SMBs globally have experienced a data breach within the past year that was traced back to negligence on the part of an employee or a third-party contractor
- 47% of the attacks involved compromised employee passwords
- Social engineering schemes were among the most common cyberattacks SMBs saw in the past year: 57% of respondents who were attacked were victimized by phishing, 33% had devices compromised or stolen, and 30% experienced credential theft
U.S. SMBs are particularly vulnerable to insider threats: they are twice as likely to be the victim of a negligent or malicious insider (77%) as of an external hacker (40%), and phishing attacks in the U.S. have risen by 14% in the past three years.
Meanwhile, the Benelux region (Belgium, Netherlands, and Luxembourg) had the highest rate of phishing attacks, at 60%.
Cybercriminals look to steal passwords because using stolen login credentials is the easiest way to break into an enterprise network. Because the credentials are legitimate, no system alerts are triggered. Once inside, the cybercriminal has all the time in the world to get what they came for; it takes an average of 101 days for victimized companies to discover that they’ve been breached.
Better password security and management could prevent most breaches
The SMB leaders around the world interviewed for the Ponemon study understand that poor employee password habits are putting their companies at risk. Sixty-four percent agree that the use of strong passwords is essential to their organizations’ security defense. Yet their responses to other questions indicate that most SMBs aren’t doing anywhere near enough to secure employee passwords:
- Respondents’ top two pain points were employee passwords being stolen or compromised (70%) and weak passwords (61%)
- 54% admitted having no visibility into employee password practices
- Half have no policy on employee password use
- Of companies that do have a policy, only 32% strictly enforce it and require the use of a password manager
Nearly half of respondents (45%) stated that their security postures were ineffective at mitigating risks, vulnerabilities, and attacks. When asked what was standing in the way, the top three responses were insufficient personnel (77%), insufficient budget (55%), and no understanding of how to protect against cyberattacks (45%).
The good news for these SMBs is that securing employee passwords doesn’t require an enormous budget or a large in-house IT or security team. It just requires a robust password manager like Keeper Business. Keeper is affordable, easy to set up and manage, and offers enterprise-level protection that scales with your business. Keeper Business is the ideal solution for resource-strapped SMBs to prevent password-related cyberattacks.