Small and medium-sized business (SMB) leaders report that they are
investing more time, attention, and budget in cybersecurity, but human
factors are getting in the way - including a lack of awareness and
training and inconsistent policy adherence. Together with policy and technology
gaps, these factors continue to create significant security and business
risks, according to a survey of more than 600 business and IT security
managers conducted by LastPass and survey research firm InnovateMR.
Cyber-attacks targeting smaller organizations have increased
significantly in recent years, as cyber criminals view these
organizations as relatively easy targets - and a potential path to large
profits via ransomware, phishing and supply chain attacks. To gauge
attitudes and behaviors around these trends, LastPass partnered with
research firm InnovateMR to survey business and IT security leaders at
companies with fewer than 3,000 employees regarding their password
management and cybersecurity practices. Key findings from the survey
include:
- Both executive and IT leaders perceive low risks. Only three in
  10 leaders believe their company faces a very high risk (8+ out of 10)
  of having a cybersecurity issue. Phishing attacks, cloud vulnerabilities
  and data loss from ransomware or malware are seen as top threats in the
  next 12 months.
- Executives and IT leaders are overly optimistic. Executives (92%)
  and IT leaders (93%) believe employees "understand the security
  expectations" for their jobs, while non-IT leaders are decidedly less
  confident that employees understand (only 78%). IT leaders also tend to
  believe adherence to policies is higher than their general business,
  non-IT security peers do.
- Policies are still being broken. Roughly one in five business
  leaders admits to circumventing security policies, as do one in 10 IT
  security leaders. Younger workers (one in four) are more likely to break
  policies - and Gen Z professionals are twice as likely as other
  generations to physically write down passwords (36% vs. 16%).
- Budgets are increasing. 90% of IT leaders and 80% of non-IT
  leaders say their organizations increased attention paid to
  cybersecurity in the past year. 82% also said their firms have increased
  cybersecurity budgets year over year.
- Password management is key. 73% of IT security leaders say
  password management is critically important to cybersecurity strategy,
  with nearly half (47%) reporting recent breaches due to compromised
  passwords. And 81% of leaders report using a password manager at work -
  either company provided or a personal one of their choice.
"It's clear there's an 'Instagram vs. reality' type of disconnect when
it comes to cybersecurity at small and midsize companies," said Alex
Cox, director of threat intelligence at LastPass. "Awareness is
increasing, investments are being made, and leaders are feeling
confident - but, behind the curtain, culture and policy gaps still leave
these organizations vulnerable to attack. We encourage both business and
IT security leaders to step up their focus on accountability with
better education and policy enforcement around password management and
other proven practices."
Survey results were released today in a report titled, "SMB
Cybersecurity Disconnect: Uncovering the Risks, Challenges and Human
Factors to Close the Gap for Small and Midsize Businesses." Other
noteworthy findings reflected in the report include differences in
cybersecurity practices between job functions, as well as leaders' top
reported cybersecurity needs for the next five years.