For the third straight year, SMBs have reported a significant increase in targeted cybersecurity breaches with a high number of those involving loss of sensitive information about customers and employees.

That’s according to new Keeper Security/Ponemon Institute’s research, which surveyed nearly 2,400 IT and IT security practitioners. Attacks against U.S., U.K. and European businesses are growing in both frequency and sophistication, and nearly half of the respondents described their organization’s IT security as ineffective, with 39% reporting they have no incident response plan in place.

Keeper Security’s Michael Chester

Michael Chester, Keeper’s senior director of business development, tells Channel Partners that 35% of SMBs globally said lack of in-house expertise prevents their organization from having effective security. These SMBs are under attack, and more and more of them rely on MSSPs to advise them on IT security strategy and support IT security functions, he said.

“On average, 32% of a company’s IT security operations are supported by MSSPs, up from 29% in last year’s study,” he said. “Seventy percent of respondents say their MSSP monitors or manages firewalls or intrusion prevention systems (IPS). Since 2017, more SMBs have been engaging MSSPs to monitor or manage multifunctioning firewalls; 39% reported doing so this year, up from 28% in 2017.”

However, fewer respondents report using MSSPs to monitor or manage intrusion detection systems security gateways for messaging or web traffic, Chester said. Notably, 69% also said they have experienced an attack in the past year that got past their intrusion detection system, he said.

“MSSPs have the opportunity to address two key business challenges with an effective password management offering,” he said. “First and foremost … the inclusion of password management in an MSSP’s portfolio offers security benefits. Weak password security is the Trojan horse that can harm MSSPs and their clients’ organizations. Further, MSSPs can differentiate their service offering in a highly competitive market. After all, 54% of managed services providers cite marketing and sales as their primary pain points. “

Overall, attacks are increasing dramatically, as 76% of U.S. companies were attacked within the last 12 months, up from 55% in 2016. Globally, 66% of respondents reported attacks in the same time frame, according to the research.

Attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%) and credential theft (30%) among the most common attacks waged against SMBs globally.

Globally, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the past year. That number is 69% in the United States, up from 50% in 2016.

SMBs globally are adopting emerging technologies like mobile devices, IoT and biometrics despite a lack of confidence in their ability to protect their sensitive information, according to the research. Nearly half access more than 50% of their business-critical applications from mobile devices, yet doing so diminishes their organization’s security.

In addition, 80% of respondents think it’s likely that a security incident related to unsecured IoT devices could be catastrophic, yet only 21% monitor the risk of IoT devices…

…in the workplace. The study also suggests biometrics may becoming mainstream as three-quarters of SMBs currently use biometrics to identify and authenticate, or have plans to do so soon.

SMBs aren’t addressing insider threats posed by poor password practices by employees and vendors, Chester said.

“Seventy percent of respondents report that their employees’ passwords have been lost or stolen in the past year, and 63% experienced a data breach caused by negligence on the part of an employee or contractor,” he said. “Companies know that password security is a problem … but they’re not taking the simple and relatively inexpensive steps needed to address it. Over half of respondents admit they have no visibility into employees’ password practices, 50% have no policy pertaining to employee password use and fewer than a third require the use of a password manager.”

The top three challenges reported by respondents were insufficient personnel (77%), insufficient budget (55%) and no understanding of how to protect against cyberattacks (45%), according to the research.

“Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their cross hairs,” said Larry Ponemon, Ponemon’s chairman and founder. “The [research] demonstrates cyberattacks are a global phenomenon — and so is the lack of awareness and preparedness by businesses globally. Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”