Majority of SMB Leaders Say They Would Pay Ransom to have Stolen Data Returned
More than half (55 percent) of executives at small-to-medium-sized businesses (SMBs) said they would pay hackers in order to recover their stolen data in ransomware attacks, according to the second quarterly AppRiver Cyberthreat Index for Business Survey. That number jumps to 74 percent among larger SMBs that employ 150-250 employees, with nearly 4 in 10 (39 percent) going as far as saying they “definitely would pay ransom at almost any price” to prevent their data from being leaked or lost.
On the flip side, 45 percent of SMB leaders refuse to give in to cybercriminals, regardless of the ransom amount. Legal services and nonprofit SMBs are least willing to pay ransom in exchange for hacked data, with 67 and 60 percent respectively saying they will not engage with cybercriminals regardless of the ransom amount or value of the stolen data.
Social media viewed as a threat
Eighty-four percent of all SMB executives and IT decision makers surveyed say the use of social media apps and websites at the workplace or on a business device concerns them as a potential source of cyberthreats. According to these respondents, Facebook by far poses the most significant liability, with 77 percent saying they are most concerned about Facebook as a security risk at the work place. Telecom SMBs in particular are cautious about their employees’ use of Facebook in the workplace or on a business device, with 83 percent of all telecom SMB leaders saying they are most concerned about the social media platform as a potential security threat.
In contrast, only about one fifth of these SMB leaders say they are concerned about the risks introduced by Twitter (21 percent) or YouTube (20 percent), followed by Instagram (19 percent), WhatsApp (18 percent), Snapchat (15 percent), LinkedIn (13 percent) and Pinterest (3 percent).
David Wagner, CEO of Zix Corp, the parent company of AppRiver, presented the Q2 data this morning during the 2019 Centers of Academic Excellence in Cybersecurity Executive Leadership Forum in Pensacola Beach, Fla. The event was created in cooperation with the NSA/DHS Centers of Academic Excellence in Cybersecurity Program and hosted by the Center for Cybersecurity at the University of West Florida.
“Cybersecurity is no longer just a technology issue; it amounts to an off-balance sheet liability being carried by every company that isn’t adequately protected. Ransom scenarios, whether initiated through social media apps or any attack vector, have the potential to disrupt or destroy a business overnight,” Wagner said. “The Q2 AppRiver Cyberthreat Index for Business Survey shows clearly that too many companies are willing to take a significant financial hit to possibly recover their data. Our challenge as cybersecurity leaders is to help them understand how to properly invest fewer dollars on the front end and avoid the problem to start with.”
Compromised data management
Dispersed files and varying security levels may be another reason why businesses are constantly at risk of cyberattacks. Nearly half (48 percent) of AppRiver Index respondents say their confidential business data is scattered across multiple locations, including laptops, smartphones, tablets, as well as on network drives. Financial services and insurance, healthcare and pharmaceutical, and government SMBs appear to be the sectors that take secure data storage most seriously, with 67 percent, 63 percent and 62 percent respectively saying their business data is located on their secured network and nowhere else. 24 percent of all transportation SMBs and 23 percent of retail SMBs say their confidential data is not on a secured network at all, or they do not know where their most vital data is stored.
While 81 percent of all small-to-medium-sized business decision makers say they use cloud-based solutions to store their confidential data, 44 percent of respondents are concerned about the cloud’s security, and another 19 percent say they don’t believe it offers convenience as a benefit. SMBs in the legal sector, and in the transportation and logistics sector in particular appear skeptical, where over half of decision makers in each say they don’t trust the cloud as a secure storage option. Conversely, leaders in technology, telecom, marketing and financial services sectors report higher confidence in the cloud’s security and convenience.
“The quarterly AppRiver Cyberthreat Index for Business Survey provides the opportunity to analyze trends over time. The fact that the Q2 Index registered slightly lower than in Q1, currently at 58.1 on a 100-point scale, demonstrates an ongoing complacency toward cybersecurity risks,” said Troy Gill, a senior security analyst at AppRiver. “Significant attacks in 2018 such as the Marriott breach of 500 million identities have yet to affect most consumers and businesses, luring respondents into an unrealistic feeling of safety.”
"The Q2 AppRiver Cyberthreat Index for Business Survey provides deep insights into the attitudes and concerns of decision-makers at small- and medium-sized businesses. This is the lifeblood of the American business community, as census data shows that firms with fewer than 100 workers represent 98.2 percent of all businesses,” said Dr. Eman El-Sheikh, Director of the University of West Florida Center for Cybersecurity. “The high willingness to pay ransom demonstrates the importance of business data to these organizations, however, the growing apathy of threat fatigue could prove to be dangerous. The time is now to institute cyber readiness training, tools and policies.”
The AppRiver Q2 Cyberthreat Index for Business surveyed 1,035 cybersecurity decision makers in SMBs (fewer than 250 employees) in April 2019, covering diverse industry sectors and company sizes. The national study had a strong SMB leadership involvement with 80 percent of those surveyed holding titles of CEO, president, owner, CTO or head of IT.