Top SMB Security Concerns: Email Phishing Leapfrogs Ransomware

We’re only human. That’s what email phishing scammers count on: that our curiosity or lack of security awareness will get the best of us and we’ll click on things we shouldn’t, whether we’re at home or on the job.

The thing is, phishing is the top threat to small- to medium-sized businesses (SMBs), some -- but not enough -- of which send employees to awareness training classes to learn the do’s and don’ts of email security. A big part of that education is grasping the main email subject lines scammers use to tempt you into serving up your credentials or opening a door into your company’s network infrastructure. While the former is bad, the latter can have far-reaching and destructive consequences for a lot of people.

So, according to Gary Hayslip, chief information security officer at Webroot, here are the top 10 email subject lines designed to lure you into the snare. (The idea behind the list, which is part of a larger Webroot report, is to get people to think before they click.)

  • Review or Quick Review
  • Bank of ; New Notification
  • Charity Donation for You
  • FYI
  • Action Required: Pay your seller account balance
  • Unauthorize login attempt
  • Your recent Chase payment notice to
  • Important: (1) NEW message from
  • AMAZON : Your Order no #812-4623 might ARRIVED
  • Wire Transfer
  • Assist Urgently

The list is good, but let’s remember that knowing and doing aren’t synonymous. The problem, said Aaron Sherrill, a 451 Research senior analyst offered up by Webroot, is that too many businesses are “cobbling together homegrown (and often ineffective) awareness solutions wasting a lot of time and resources in the process.”

For SMBs, one potential remedy for the email phishing scourge is to partner with a managed service provider (MSP) who can help ease cybersecurity challenges with expertise and management, said Hayslip. “Phishing is a tried-and-true tactic for bad actors,” he said. “Employees are likely to click on things they shouldn't, despite what businesses try to do to prevent it.”

The results of Webroot’s new study, “The 2018 Webroot SMB Pulse Report,” based on the input of 500 SMBs, found that one third of the respondents outsource IT security in some capacity through an MSP. More than 40 percent don't have dedicated resources to address IT security and only 12 percent have in-house or dedicated IT security staff.

More to the point, the findings showed that while outsourcing security to an MSP may mean SMBs stretching their budgets a bit, it will hurt far less than the $525,000 on average it costs a U.S. business to deal with a data breach.

Here are some of the study's other key findings:

  • 24 percent of respondents overall view phishing as the number one cybersecurity threat to their organization.
  • Businesses with one to 19 employees continue to focus on ransomware, identified as a top threat by 20 percent of respondents.
  • 24 percent of respondents overall don't know their top threat. The smallest businesses (one to 19 employees) were found to be the least likely to know their top threat.
  • For companies with 20 to 99 employees, 28 percent of respondents believe employee naiveté is their top threat, while phishing dropped to 22 percent.
  • 66 percent of businesses with one to 19 employees surveyed don't have any kind of employee cybersecurity training.
  • 29 percent of companies with 20 to 99 employees and 13 percent of companies with 100 to 500 employees do not have a cybersecurity training program in place.

Does security awareness training help? According to a separate Webroot study, click rates on phishing simulation links dropped to 12 percent from 26 percent when customers used phishing simulations in combination with ongoing training.