Six in 10 SMBs Give Themselves a Thumbs-down for Cyberthreat Preparedness


Thought Leadership

Six in 10 SMBs Give Themselves a Thumbs-down for Cyberthreat Preparedness


A recent national survey of leaders and IT decision makers in small-to-medium sized businesses (SMBs) offers a rather grim outlook: a majority of them do not have confidence in their own business’s cyberthreat preparedness.

When asked to rate their company’s readiness – defined as being prepared to face and respond to cyberthreats they believe to be targeting businesses such as their own – only 4 in 10 (41 percent) SMBs give themselves a positive rating. The new survey, designed and conducted independently on behalf of AppRiver with consultation and support from the University of West Florida Center for Cybersecurity, highlights the interesting phenomenon that larger SMBs with more cybersecurity resources are not always more confident in their cyberthreat preparedness.




According to the AppRiver Cyberthreat Index for Business Survey Q1 2019, while 46 percent of SMBs with 1 to 49 employees give themselves a positive rating in cyberthreat preparedness, the same can be said of only 37 percent of SMBs with 150 to 250 employees. Such lack of confidence in their own preparedness is concerning, particularly when 64 percent of all surveyed SMBs – and 77 percent of large SMBs with 150 to 250 employees – believe cybersecurity attacks on businesses such as theirs are “prevalent.” A total of 45 percent of all SMBs – and 56 percent of large SMBs – went as far as saying cyberattacks are “imminent.”

Examining the survey data at the industry level, nearly all key sectors are more prone to a negative self-report in cyberthreat preparedness. Among 14 key industries surveyed, the legal services industry is the only sector that produced a bare majority (56 percent) of SMB leaders rating themselves positively in cyberthreat preparedness. About 1 in 3 in the technology sector (37 percent) give themselves a positive rating; 1 in 4 in the telecom sector (27 percent) rate themselves the same. Among those who work in the government sector, only 15 percent say they are prepared and feel in-control to face realistic level of cyberthreats.

At the market level, Salt Lake City is the only key market surveyed that produced a majority of SMBs (55 percent) that self-report positive cyberthreat preparedness. Washington, D.C. – with a higher concentration of government sector SMBs and organizations – produced the lowest positive self reports among key markets, with 29 percent saying they are prepared to face and respond to cyberthreats.

Other key markets failed to produce a majority of positive self-reports in cyber preparedness:

Boston: 34 percent   Houston: 35 percent Miami: 39 percent Atlanta: 40 percent Raleigh: 41 percent New York City: 42 percent Los Angeles: 44 percent

These numbers may be deflating, but according Troy Gill, AppRiver’s senior security analyst, perhaps they are not grim enough. Gill noted that when 45 percent of all SMBs believe they are vulnerable to “imminent” cyberattacks, they are underestimating the real threats they face, when experienced analysts witness SMBs of all sizes targeted on a daily basis. What’s more, these real, daily threats that easily can cripple a small business are not any less sophisticated than cyberthreats faced by more resourceful enterprises, with malwares such as Emotet and TrickBot, and ransomware such Gandcrab and Business Email Compromise directly targeting SMBs of all sizes daily.

At the recent RSA Conference in San Francisco, a simple question was asked during "The Fine Art of Creating a Transformational Cybersecurity Strategy" presentation by Jinan Budge, principal analyst at Forrester Research, and Andrew Rose, Chief Security Office of Vocalink, a Mastercard Co.: “Who here feels your organization has a great security strategy?” Troy Gill, who attended the presentation, noted THREE hands went up in a room of several hundred corporate CSOs and IT decision makers.

“It speaks volumes to the overall cybersecurity preparedness – or more accurately, under-preparedness – across businesses of all shapes and sizes,” Gill said. “To that end, a lack of understanding of the real threats some SMBs face may be the biggest threat of all.”  


The AppRiver Cyberthreat Index for Business Survey is one of the most comprehensive cybersecurity attitudinal surveys of the U.S. business community, generating participation in Q1 2019 from 1,059 small-to-medium sized business leaders and IT decision makers, among which 48 percent hold CEO, president, owner, head of IT, or equivalent titles. To see more findings from the survey or learn about its methodology, Please visit