SMBs

What’s Next? Webroot’s 2019 Cybersecurity Predictions

At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?...

Cyber Monday: Big Savings, Big Risks

What business owners and MSPs should know about the year’s biggest online retail holiday It’s no secret that Black Friday and Cyber Monday are marked by an uptick in online shopping. Cyber Monday 2017 marked the single largest day of online sales to date, with...

Responding to Risk in an Evolving Threat Landscape

There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and...

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the...

Unsecure RDP Connections are a Widespread Security Failure

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP)...

3 Cyber Threats IT Providers Should Protect Against

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cybersecurity teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems...

Reducing Risk with Ongoing Cybersecurity Awareness Training

Reading Time: ~3 min.

Threat researchers and other cybersecurity industry analysts spend much of their time trying to anticipate the next major malware strain or exploit with the potential to cause millions of dollars in damage, disrupt global commerce, or put individuals at physical risk by targeting critical infrastructure.

However, a new Webroot survey of principals at 500 small to medium-sized businesses (SMBs), suggests that phishing attacks and other forms of social engineering actually represent the most real and immediate threat to the health of their business.

Twenty-four percent of SMBs consider phishing scams as their most significant threat, the highest for any single method of attack, and ahead of ransomware at 19 percent.

Statistics released by the FBI this past summer in its 2017 Internet Crime Report reinforce the scope of the problem. Costing nearly $30 million in total losses last year, phishing and other social engineering attacks were the third leading crime by volume of complaints, behind only personal data breaches and non-payment/non-delivery of services. Verizon Wireless’s 2018 Data Breach Investigations Report, a thorough and well-researched annual study we cite often, blames 93 percent of successful breaches on phishing and pretexting, another social engineering tactic.

Cybersecurity Awareness Training as the Way Forward

So how are businesses responding? In short, not well.

24 percent of principals see phishing scams as the number one threat facing their business. Only 35 percent are doing something about it with cybersecurity awareness training.

One of the more insidious aspects of phishing as a method of attack is that even some otherwise strong email security gateways, network firewalls and endpoint security solutions are often unable to stop it. The tallest walls in the world won’t protect you when your users give away the keys to the castle. And that’s exactly what happens in a successful phishing scam.

Despite this, our survey found that 65 percent of SMBs reported having no employee training on cybersecurity best practices. So far in 2018, World Cup phishing scams, compromised MailChimp accounts, and opportunist GDPR hoaxers have all experienced some success, among many others.

So, can training change user behavior to stop handing over the keys to the castle? Yes! Cybersecurity awareness training, when it includes features like realistic phishing simulations and engaging, topical content, can elevate the security IQ of users, reducing user error and improving the organization’s security posture along the way.

The research and advisory firm Gartner maintains that applied examples of cybersecurity awareness training easily justify its costs. According to their data, untrained users click on 90 percent of the links within emails received from outside email addresses, causing 10,000 malware infections within a single year. By their calculations, these infections led to an overall loss of productivity of 15,000 hours per year. Assuming an average wage of $85/hr, lost productive costs reach $1,275,000 which does not necessarily account for other potential costs such as reputational damage, remediation cost, or fines associated with breaches.

One premium managed IT firm conducted its first wave of phishing simulation tests and found their failure rate to be approximately 18 percent. But after two to three rounds of training, they saw the rate drop to a much healthier 3 percent.1

And it’s not just phishing attacks users must be trained to identify. Only 20 percent of the SMBs in our survey enforced strong password management. Ransomware also remains a significant threat, and there are technological aspects to regulatory compliance that users are rarely fully trained on. Even the most basic educational courses on these threats would go a long way toward bolstering a user’s security IQ and the organizations cybersecurity posture.

Finding after finding suggests that training on cybersecurity best practices produces results. When implemented as part of a layered cybersecurity strategy, cybersecurity awareness training improves SMB security by reducing the risks of end-user hacking and creating a workforce of cyber-savvy end users with the tools they need to defend themselves from threats.

All that remains to be seen is whether a business will act in time to protect against their next phishing attack and prevent a potentially catastrophic breach.

You can access the findings of our SMB Pulse Survey here.

1 Webroot. “Why Security Awareness Training is an Essential Part of Your Security Strategy” (November, 2018)

Top 3 Questions SMBs Should Ask Potential Service Providers

Reading Time: ~< 1 min.

It can be daunting to step into the often unfamiliar world of security, where you can at times be inundated with technical jargon (and where you face real consequences for making the wrong decision). Employing `

In a study performed by Ponemon Institute, 34% of respondents reported using a managed service provider (MSP) or managed security service provider (MSSP) to handle their cybersecurity, citing their lack of personnel, budget, and confidence with security technologies as driving factors. But how do you find a trustworthy partner to manage your IT matters?

Here are the top 3 questions any business should ask a potential security provider before signing a contract:

 

 

 

 

 

While these are not all of the questions you should consider asking a potential service provider, they can help get the conversation started and ensure you only work with service providers who meet your unique needsservice providers who meet your unique nee.

  1. Ponemon Institute. (2016, June). Retrieved from Ponemon Research: https://signup.keepersecurity.com/state-of-smb-cybersecurity-report/
  2. Ponemon Institute Cost of Data Breach Study: (2017 June) https://www.ibm.com/security/data-breach

Webroot’s 2015 SMB Threat Report: An Analysis

Reading Time: ~3 min.

Recently, Webroot published 2015 SMB Threat Report: Are organizations completely ready to stop cyberattacks?, which included the results from a survey of 700 SMB decision makers worldwide about their IT security, their readiness for security response, and use of MSP recourses in their environment.

Many SMBs are outsourcing cybersecurity to managed services providers (MSPs) to make up for the lack of time and in-house expertise. According to the report, 81% of respondents agreed such outsourcing would improve their bandwidth for addressing other tasks. With the majority of SMBs surveyed planning to increase their cybersecurity budget in 2016, VARs across a broad variety of industries are beginning to embrace this service-centric relationship with their clients. For customers, choosing to work with an MSP means they avoid installation and maintenance headaches. They also avoid diverting resources towards laborious IT security support tasks or ad hoc break/fix reseller charges.

smb1

Although SMBs appear more aware of cybersecurity-related risks to their organizations, many are still unsure or under-informed about their own readiness to handle such risks even with heavy investments of time into protecting the environments. Incredibly, even with 56% of respondents reporting over 17 hours spent on cybersecurity, 44% are still feeling they have less time to stay up-to-date on threats.

smb2

smb3

Just 37% of IT decision makers surveyed in the US, the UK, and Australia believe their organizations are completely ready to manage IT security and protect against threats. While I am not entirely surprised given the considerable cybersecurity challenges SMBs face, but it’s still an alarmingly low number.

On the flip side, when asked how confident IT decision makers would be that someone on their staff could deal with a cyberattack, a surprising 84% responded confidently. Given the other responses to this survey, this was unexpected and indicates a discrepancy and possible misperception of IT resources, knowledge, and capability to thoroughly address a cyberattack.

smb4

Webroot’s SMB Threat Report makes it clear that the future of security is in need of some change with IT decision makers are stretched thin. In the near future, we should expect a continued movement towards “outsourced IT,” particularly on the cybersecurity front. According to the survey, 81% of respondents believe outsourcing IT solutions would increase their bandwidth to address other areas of their business. In order to reap the full array of benefits, though, IT decision makers must be proactive about identifying MSPs that offer “intelligent cybersecurity” solutions.

Our definition of intelligent? Solutions that are easy to install, can be managed remotely, and provide real-time protection against modern threats. While these are all important qualifications, we expect SMBs to place an increased premium on the “real-time” component.