Blog

SMBs’ Lax Patching Strategies

In its Q3 Cyberthreat Index for Business Survey, AppRiver found that just 38 percent of small- to mid-size business (SMB) respondents applied security patches immediately. Thirty-two percent of participants answered that it took them a week’s time to implement a security fix, while the remainder of SMBs revealed it took them more than eight days. Five percent admitted they did not even know the length of their average patching cycle. 

Zix | AppRiver Vice President of Marketing Geoff Bibby said these findings suggest small- to medium-sized businesses don’t have a realistic grasp of the threats confronting them. 

"Nearly two decades of constant fear-based messages have taken their toll on smaller SMBs. Fatalism and a false sense of security are signs that they need more straightforward education and awareness," he is quoted as saying in the press release. "The threats are very real and the stakes are incredibly high, but there are simple ways to make startups and early-stage companies much harder targets.

Supporting Bibby’s view is the fact that many SMBs haven’t taken steps to improve their security. Indeed, close to a third (32 percent) of survey respondents said that they had “not done much” to improve the strength of their security defenses since 2018. Thirty-seven percent were so bold as to say that they felt they were safer than they were a year before and that digital criminals had not done anything to improve their tactics over the previous year.

Underestimating the Cost of an SMB Security Incident

It’s also important to point out that many SMBs think that a successful digital attack comes with a low price tag. In the survey, 51 percent of SMB executives and IT decision makers said that a successful attack or data breach would cost their business less than $25,000. Decision makers working for legal, media and marketing, nonprofit and retail organizations, among others, put forth this estimate despite being told to account for all the possible damages of a data breach including but not limited to the cost of retrieving stolen data, upgrading the network, losing business controlling for damage and compensating breached customers.

Some survey respondents were even more optimistic. Thirty-five percent of participants stated that a security incident would produce less than $10,000 in damages.

These estimates are a far cry from what security incidents actually cost SMBs. In May 2018, for instance, Kaspersky Lab revealed that the average incident cost SMBs approximately $120,000. The figure marked an increase of $32,000 in the span of just one year.

That’s not to say that organizations aren’t concerned, however. For the first time in 2019, AppRiver’s Index score surpassed the 60-point mark on a 100-point scale among SMB decisionmakers.  

SMBs should specifically consider strengthening the security of their email, a common vector for digital attacks. They can do this by investing in a solution that analyzes incoming email messages based upon their URLs, campaign patterns and other indicators. This solution should work in real-time while allowing legitimate correspondence to get through.

DOWNLOAD THE FULL Q3 Cyberthreat for Index Business Survey.