Webroot Report: Phishing the Top Cybersecurity Threat to SMBs

Risk Reduction Possible with Ongoing User Awareness Training

BROOMFIELD - September 18, 2018

Webroot, the Smarter Cybersecurity® company, announced the results of a new report: “The 2018 Webroot SMB Pulse Report.” Webroot found that across 500 small- to medium-sized businesses (SMBs) in the U.S., phishing scams were the top cybersecurity threat. While many businesses still don’t fully recognize the broad spectrum of threats they face due to the lack of in-house security expertise, they see an opportunity for user awareness training to reduce the risk from cyber threats.

Explore the Webroot SMB Pulse Report

Key Report Findings:

  • Phishing scams were identified as the top cybersecurity threat, but many SMBs are still unaware of the spectrum of threats their businesses face.
    • 24 percent of respondents overall view phishing as the number one cybersecurity threat to their organization.
    • After phishing, businesses with one to 19 employees reported they continue to focus on last year’s top threat—ransomware­­—identified as a top threat by 20 percent of respondents in this group.
    • 24 percent of respondents overall don’t know their top threat. The smallest businesses (one to 19 employees) were found to be the least likely to know their top threat.
    • For companies with 20 to 99 employees, 28% of respondents believe employee naiveté is their top threat, while phishing dropped to 22 percent.
    • Webroot’s Take: be it ransomware, phishing, cryptomining software or other threats, nearly 93 percent of all malware is delivered via email, according to the 2018 Verizon Data Breach Investigations Report. SMBs should focus on training employees to securely manage their email.
  • Many SMBS aren’t providing their employees with ongoing cybersecurity training, a key strategy to prevent sophisticated phishing attacks.
    • 66 percent of businesses with one to 19 employees surveyed don’t have any kind of employee cybersecurity training. The stats are better for larger companies, but still not ideal. 29 percent of companies with 20 to 99 employees and 13 percent of companies with 100 to 500 employees do not have a cybersecurity training program in place.
    • Webroot’s Take: A Webroot efficacy report found that click rates on phishing simulation links dropped by more than half when customers used phishing simulations in combination with ongoing training, from 26 percent to 12 percent. Continual education is key.
  • Small businesses often don’t have the resources or expertise to handle IT security needs.
    • 41 percent of respondents don’t have dedicated resources to address IT security; only 12 percent have in-house or dedicated IT security staff. The rest of the organizations fell somewhere in between with a mix of in-house and outsourced security support.
    • One-third of businesses surveyed outsource IT security in some capacity through a third-party managed service provider (MSP), helping alleviate the burden.
    • Webroot’s Take: While it may seem costly to outsource security, Webroot research found a data breach would cost a U.S. business an average of $527,256. Trusting an MSP to provide preemptive, preventive security services is significantly less costly.

Beware of These Top Phishing Subject Lines:

  • Since phishing is the top threat to SMBs, it’s no surprise that identifying and preventing these scams is top of mind for those in the security trenches. According to Gary Hayslip, chief information security officer at Webroot, here are the top phishing subject lines to be on the lookout for this year. Notice, some even have spelling errors.
    • Review or Quick Review
    • Bank of ; New Notification
    • Charity Donation for You
    • FYI
    • Action Required: Pay your seller account balance
    • Unauthorize login attempt
    • Your recent Chase payment notice to
    • Important: (1) NEW message from
    • AMAZON : Your Order no #812-4623 might ARRIVED
    • Wire Transfer
    • Assist Urgently

Key Quotes:

Gary Hayslip, Chief Information Security Officer, Webroot

“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it. But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”

Aaron Sherrill, Senior Analyst at 451 Research

“Phishing attacks are one of the most common security challenges companies face in keeping their information secure.  It’s easy and it’s effective—cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click. Yet, 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions wasting a lot of time and resources in the process. Small- to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time-consuming, cumbersome or costly.”

Additional Resources:


The 2018 Webroot SMB Pulse Report is based on research administered by Bredin, a research firm specializing in small and midsized businesses. The survey was conducted online from April 17-24, 2018, and polled 500 principals of U.S. companies with up to 500 employees. It has a margin of error of +/-4%.

About Webroot

Webroot was the first to harness the cloud and artificial intelligence to protect businesses and individuals against cyber threats. We provide the number one security solution for managed service providers and small businesses, who rely on Webroot for endpoint protection, network protection, and security awareness training. Webroot BrightCloud® Threat Intelligence Services are used by market leading companies like Cisco, F5 Networks, Citrix, Aruba, Palo Alto Networks, A10 Networks, and more. Leveraging the power of machine learning to protect millions of businesses and individuals, Webroot secures the connected world. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at webroot.com.

About Us

Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world.