SMBs

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Reducing Risk with Ongoing Cybersecurity Awareness Training

Threat researchers and other cybersecurity industry analysts spend much of their time trying to anticipate the next major malware strain or exploit with the potential to cause millions of dollars in damage, disrupt global commerce, or put individuals at physical risk by targeting critical infrastructure.

However, a new Webroot survey of principals at 500 small to medium-sized businesses (SMBs), suggests that phishing attacks and other forms of social engineering actually represent the most real and immediate threat to the health of their business.

Twenty-four percent of SMBs consider phishing scams as their most significant threat, the highest for any single method of attack, and ahead of ransomware at 19 percent.

Statistics released by the FBI this past summer in its 2017 Internet Crime Report reinforce the scope of the problem. Costing nearly $30 million in total losses last year, phishing and other social engineering attacks were the third leading crime by volume of complaints, behind only personal data breaches and non-payment/non-delivery of services. Verizon Wireless’s 2018 Data Breach Investigations Report, a thorough and well-researched annual study we cite often, blames 93 percent of successful breaches on phishing and pretexting, another social engineering tactic.

Cybersecurity Awareness Training as the Way Forward

So how are businesses responding? In short, not well.

24 percent of principals see phishing scams as the number one threat facing their business. Only 35 percent are doing something about it with cybersecurity awareness training.

One of the more insidious aspects of phishing as a method of attack is that even some otherwise strong email security gateways, network firewalls and endpoint security solutions are often unable to stop it. The tallest walls in the world won’t protect you when your users give away the keys to the castle. And that’s exactly what happens in a successful phishing scam.

Despite this, our survey found that 65 percent of SMBs reported having no employee training on cybersecurity best practices. So far in 2018, World Cup phishing scams, compromised MailChimp accounts, and opportunist GDPR hoaxers have all experienced some success, among many others.

So, can training change user behavior to stop handing over the keys to the castle? Yes! Cybersecurity awareness training, when it includes features like realistic phishing simulations and engaging, topical content, can elevate the security IQ of users, reducing user error and improving the organization’s security posture along the way.

The research and advisory firm Gartner maintains that applied examples of cybersecurity awareness training easily justify its costs. According to their data, untrained users click on 90 percent of the links within emails received from outside email addresses, causing 10,000 malware infections within a single year. By their calculations, these infections led to an overall loss of productivity of 15,000 hours per year. Assuming an average wage of $85/hr, lost productive costs reach $1,275,000 which does not necessarily account for other potential costs such as reputational damage, remediation cost, or fines associated with breaches.

One premium managed IT firm conducted its first wave of phishing simulation tests and found their failure rate to be approximately 18 percent. But after two to three rounds of training, they saw the rate drop to a much healthier 3 percent.1

And it’s not just phishing attacks users must be trained to identify. Only 20 percent of the SMBs in our survey enforced strong password management. Ransomware also remains a significant threat, and there are technological aspects to regulatory compliance that users are rarely fully trained on. Even the most basic educational courses on these threats would go a long way toward bolstering a user’s security IQ and the organizations cybersecurity posture.

Finding after finding suggests that training on cybersecurity best practices produces results. When implemented as part of a layered cybersecurity strategy, cybersecurity awareness training improves SMB security by reducing the risks of end-user hacking and creating a workforce of cyber-savvy end users with the tools they need to defend themselves from threats.

All that remains to be seen is whether a business will act in time to protect against their next phishing attack and prevent a potentially catastrophic breach.

You can access the findings of our SMB Pulse Survey here.

1 Webroot. “Why Security Awareness Training is an Essential Part of Your Security Strategy” (November, 2018)

Top 3 Questions SMBs Should Ask Potential Service Providers

It can be daunting to step into the often unfamiliar world of security, where you can at times be inundated with technical jargon (and where you face real consequences for making the wrong decision). Employing `

In a study performed by Ponemon Institute, 34% of respondents reported using a managed service provider (MSP) or managed security service provider (MSSP) to handle their cybersecurity, citing their lack of personnel, budget, and confidence with security technologies as driving factors. But how do you find a trustworthy partner to manage your IT matters?

Here are the top 3 questions any business should ask a potential security provider before signing a contract:

 

 

 

 

 

While these are not all of the questions you should consider asking a potential service provider, they can help get the conversation started and ensure you only work with service providers who meet your unique needsservice providers who meet your unique nee.

  1. Ponemon Institute. (2016, June). Retrieved from Ponemon Research: https://signup.keepersecurity.com/state-of-smb-cybersecurity-report/
  2. Ponemon Institute Cost of Data Breach Study: (2017 June) https://www.ibm.com/security/data-breach

Webroot’s 2015 SMB Threat Report: An Analysis

Recently, Webroot published 2015 SMB Threat Report: Are organizations completely ready to stop cyberattacks?, which included the results from a survey of 700 SMB decision makers worldwide about their IT security, their readiness for security response, and use of MSP recourses in their environment.

Many SMBs are outsourcing cybersecurity to managed services providers (MSPs) to make up for the lack of time and in-house expertise. According to the report, 81% of respondents agreed such outsourcing would improve their bandwidth for addressing other tasks. With the majority of SMBs surveyed planning to increase their cybersecurity budget in 2016, VARs across a broad variety of industries are beginning to embrace this service-centric relationship with their clients. For customers, choosing to work with an MSP means they avoid installation and maintenance headaches. They also avoid diverting resources towards laborious IT security support tasks or ad hoc break/fix reseller charges.

smb1

Although SMBs appear more aware of cybersecurity-related risks to their organizations, many are still unsure or under-informed about their own readiness to handle such risks even with heavy investments of time into protecting the environments. Incredibly, even with 56% of respondents reporting over 17 hours spent on cybersecurity, 44% are still feeling they have less time to stay up-to-date on threats.

smb2

smb3

Just 37% of IT decision makers surveyed in the US, the UK, and Australia believe their organizations are completely ready to manage IT security and protect against threats. While I am not entirely surprised given the considerable cybersecurity challenges SMBs face, but it’s still an alarmingly low number.

On the flip side, when asked how confident IT decision makers would be that someone on their staff could deal with a cyberattack, a surprising 84% responded confidently. Given the other responses to this survey, this was unexpected and indicates a discrepancy and possible misperception of IT resources, knowledge, and capability to thoroughly address a cyberattack.

smb4

Webroot’s SMB Threat Report makes it clear that the future of security is in need of some change with IT decision makers are stretched thin. In the near future, we should expect a continued movement towards “outsourced IT,” particularly on the cybersecurity front. According to the survey, 81% of respondents believe outsourcing IT solutions would increase their bandwidth to address other areas of their business. In order to reap the full array of benefits, though, IT decision makers must be proactive about identifying MSPs that offer “intelligent cybersecurity” solutions.

Our definition of intelligent? Solutions that are easy to install, can be managed remotely, and provide real-time protection against modern threats. While these are all important qualifications, we expect SMBs to place an increased premium on the “real-time” component.