Q3 Cyberthreat Index for Business

New Research from AppRiver Reveals SMBs Severely Underestimate the Damaging Consequences of Successful Cyberattacks

AppRiver’s Q3 Cyberthreat Index for Business Survey Reveals a Troublesome Gap Between SMBs’ Threat Risk Perceptions and Reality

Gulf Breeze, FL – September 18, 2019 – AppRiver, a Zix (NASDAQ: ZIXI) company and leading channel-first provider of security, productivity and compliance solutions, today announced the findings of its Q3 Cyberthreat Index for Business Survey, revealing the extent to which small-to-medium-sized businesses (SMBs) underestimate the impact of today’s cybersecurity threats. The survey polled 1,083 cybersecurity decision-makers in U.S. SMBs (fewer than 250 employees), covering a diverse range of industry sectors.

The findings expose a common misconception among SMBs surrounding the financial impact a cyberattack can have on their business. According to the survey, two out of three smaller SMBs (67 percent) with 1 to 49 employees believe they will sustain total damages under $25,000 in the event of a successful cyberattack. Over half of these SMBs (55 percent) went as far as to say they would sustain less than $10,000 in damages. In reality, the average cost of a data breach for SMBs in North America is estimated to be $149,000.

Respondents were reminded to consider total estimated damages, including costs of data retrieval, system repairs and upgrades, lost businesses, potential ransom payment, PR and damage control, potential lawsuits, and compensation to customers.

Despite the prevalence of cybersecurity incidents within SMBs (72 percent reported phishing attempts on their business in the last three months) the survey demonstrates that the majority of SMBs are slow to address known vulnerabilities.

Only 38 percent of all survey respondents claim that they apply patches immediately once available – a finding that is consistent among all industries surveyed, including those that handle highly sensitive data, such as healthcare/pharmaceuticals (36 percent), government (36 percent), legal (38 percent) and retail (34 percent).

Beyond patch management, the survey findings indicate that some SMBs are failing to continually improve their cybersecurity readiness overall. Roughly one-third (32 percent) of respondents at smaller SMBs say they “have not done much” to improve their cyber preparedness since 2018. Nevertheless, among these respondents, 37 percent still believe they are in better shape now than last year, and that they believe cybercriminals have done even less to improve their tactics during this period.

“Nearly two decades of constant fear-based messages have taken their toll on smaller SMBs,” said Geoff Bibby, vice president of marketing for Zix. “Fatalism and a false sense of security are signs that they need more straightforward education and awareness. The threats are very real and the stakes are incredibly high, but there are simple ways to make startups and early stage companies much harder targets.”

The quarterly AppRiver Cyberthreat Index for Business Survey measures SMB decision-maker attitudes and experiences across a variety of cybersecurity-related dimensions, culminating in a score that can be analyzed for change over time.

For the first time since the survey's inception in Q1 2019, the Q3 Index score tipped over the 60-point mark, registering at 60.5 on a 100-point scale and indicating a trend of higher alert among SMBs as compared to Q1 and Q2 of 2019.

“In the wake of major cybersecurity crises this year – from American Medical Collection Agency breach to the continual hits we’ve seen on local governments in places like Maryland, Florida, and most recently, Texas – it’s not surprising that most small businesses and the public at large are increasingly concerned,” said Troy Gill, manager of security research at AppRiver. “The challenge is in helping them translate that concern into positive action rather than passive acceptance.”

About AppRiver
AppRiver, a Zix company, is a channel-first provider of cloud-enabled security and productivity services, with a 4,500-strong reseller community that protects 60,000 companies worldwide against a growing list of dangerous online threats. Among the world’s top Office 365 and Secure Hosted Exchange providers, the company’s brand is built on highly effective security services backed by 24/7 white-glove Phenomenal Care® customer service. AppRiver is headquartered in Gulf Breeze, Florida and maintains offices in Georgia, Texas, New York, Canada, Switzerland, and the U.K. For more information, please visit www.appriver.com.

About Zix Corporation

Zix Corporation (Zix) is a leader in email security. Trusted by the nation’s most influential institutions in healthcare, finance and government, Zix delivers a superior experience and easy-to-use solutions for email encryption and data loss prevention, advanced threat protection, unified information archiving and mobile security. Focusing on the protection of business communication, Zix enables its customers to better secure data and meet compliance needs. Zix is publicly traded on the Nasdaq Global Market under the symbol ZIXI. For more information, visit www.zixcorp.com

The AppRiver Cyberthreat Index for Business was developed by independent firms Idea Loft and Equation Research, in consultation with the University of West Florida Center for Cybersecurity, using survey data collected online in January and April 2019.


The survey has a + / – 3% margin of error. The national sample of respondents comprises 2,094 C-level executives and IT professionals in small-to-medium-sized businesses and organizations (SMBs), among which, 197 respondents are in the Retail vertical. 61% of these businesses report they have compliance requirements for how they store and manage their customers’ data.


Company sizes

1-9 employees            54%

10-49 employees                    17%

50-99 employees                    14%

100-199 employees                12%

200-250 employees                3%


Job titles

CEO/President/Owner                                                70%

CTO/Head of IT                                                           18%

CFO/COO                                                                     8%

Head of Data Mgmt/Compliance Officer                    4%


Product relevance

Email hosting                                                              77%

Email encryption and security                                    54%

Email archiving and continuity                                    63%

Web security and continuity                                       78%

Business software, e.g., Office 365 or similar            88%

Data privacy and compliance                                     68%

Tech support and business continuity                        68%


The AppRiver Cyberthreat Index for Business was developed by independent firms Idea Loft and Equation Research, in consultation with University of West Florida Center for Cybersecurity, using survey data collected online in January of 2019.


A majority (58 percent) of executives at small-to-medium-sized businesses (SMBs) are more concerned about suffering a major data breach than a flood, a fire, a transit strike or even a physical break-in of their office, according to the inaugural . The figure jumps to 66 percent when measuring large SMBs (150-250 employees) that now fear a data breach would be more detrimental than traditional disasters for businesses.


“In today’s digital age, businesses rely on their intellectual property and use automated business processes more than ever before – bringing cybersecurity to the forefront,” said Dave Wagner, CEO of Zix Corporation, parent company of AppRiver. “The AppRiver Cyberthreat Index for Business Survey findings punctuate this evolution and highlight how businesses need to better prepare for cyberthreats.”


Nearly half of SMBs (48 percent) said a major data breach would likely shut down their business permanently. The percentage increased significantly with 71 percent of financial services and insurance SMBs reporting that a major breach would be fatal to their business. Healthcare and business consulting SMBs followed at 62 percent and 60 percent, respectively.


The survey further revealed that SMBs are more concerned about attacks from disgruntled ex-employees than highly publicized threats from nation-states, or even cyberattacks from competitors, rogue hacktivist groups or lone-wolf hackers.


While SMBs are concerned about cybercriminals, not all of them are on high enough alert. The hospitality industry is a prime example. Despite the 2018 Marriott breach of 500 million customer records, only 28 percent of hospitality-sector respondents believe their business is vulnerable to imminent threats of cybersecurity attacks, compared to 62 percent of respondents who work in technology and 47 percent in the financial sector. Similarly, only 50 percent of hospitality respondents believe a successful cyberattack would cast short- and long-term business losses, compared to 72 percent each in the financial and healthcare sectors and 71 percent in the technology sector.


“Today, 6 in 10 U.S. SMBs go out of business within six months of a successful cyberattack,” said Troy Gill, a senior security analyst at AppRiver. “However, I often see a sizable gap between perceptions and reality among many SMB leaders, which is again evident in the inaugural index. They don’t know what they don’t know; the lack of preparedness becomes a dangerous weapon for cybercriminals.”


University of West Florida Center for Cybersecurity Director Dr. Eman El-Sheikh said this research sheds new light on serious issues confronting SMBs.


"The establishment of the AppRiver Cyberthreat Index for Business addresses a critical need to understand organizations' cyber vulnerability and readiness,” she said. “The Index provides a benchmark for small- and medium-sized businesses and leaders to measure our collective cyber resiliency and emphasizes the importance of cybersecurity workforce development.”


The AppRiver Cyberthreat Index for Business surveyed 1,059 cybersecurity decision-makers in SMBs (less than 250 employees) in early 2019, covering diverse industry sectors and company sizes. The national study had a strong SMB leadership involvement with 80 percent of those surveyed holding titles of CEO, president, owner, CTO or head of IT*.