Fully 48 percent of SMBs have no response plan for a cyber security incident, according to a recent ConnectWise study of more than 1,000 SMB risk assessments.
And 43 percent of SMBs have no recovery plan for a cyber security incident.
More than two thirds (69 percent) of SMBs haven't identified and documented cyber security threats, and 66 percent haven't identified and documented cyber security vulnerabilities.
Over half (57 percent) of SMBs haven't informed and trained all their users on cyber security, and 48 percent haven't analyzed cyber security attack targets and methods.
"These results highlight how unprepared many small business owners still are for cyber security attacks," ConnectWise CISO John Ford said in a statement. "Partly due to the intense media focus on massive security breaches like Equifax and Marriott, many SMBs continue to operate under the belief that security breaches only impact large enterprises."
"The fact that almost 70 percent of SMBs haven't identified and documented cyber security threats is a serious concern, as sensitive company, employee and customer data would be susceptible to any type of cyber-attack whether it is ransomware, malware, taking down the company's site via a DDoS attack, or any other type of malicious activity taking place in this day and age," Ford added.
A separate Keeper Security survey of more than 500 senior-level decision makers at SMBs found that 60 percent of respondents said they don't have a cyber attack prevention plan, and just nine percent rank cyber security as a top business priority – strikingly, 18 percent rank cyber security as their lowest priority.
Two thirds (66 percent) of respondents say their company is unlikely to be hit by a cyber-attack – but a recent Ponemon Institute study found that 67 percent of businesses were attacked in the past year alone.
Twenty-five percent say they don't even know where to start with cyber security, and just 37 percent have a dedicated IT or cyber security team.
Still, there are some improvements with regard to password management – 69 percent of respondents link passwords to security or a first line of defense against attacks, and 75 percent have policies in place to encourage or require employees to update their passwords on a regular basis.
"Businesses face a vulnerability crisis when it comes to cybercriminals, and this reality won't get better until cyber security gets higher billing on their to-do list," Keeper CEO and co-founder Darren Guccione said in a statement.
"Our Cyberthreat Study findings show that many companies don't know where to start with cyber security prevention and even more don't think they will fall victim to an attack, but it's time they dramatically change their perspectives and put a plan in place," Guccione added.