Survey: Human Factors Create Significant Cybersecurity Risks for Small and Medium-Sized Businesses, Despite Increased Technology Investment

Survey Finds Disconnect Between Executive and IT Security Leader Optimism and Risky Employee Behavior

BOSTON–(BUSINESS WIRE)–Small and medium-sized business (SMB) leaders report that they are investing more time, attention, and budget in cybersecurity, but human factors are getting in the way – including a lack of awareness and training, and inconsistent policy adherence. Together with policy and technology gaps, these factors continue to create significant security and business risks, according to a survey of more than 600 business and IT security managers conducted by LastPass and survey research firm InnovateMR.

Cyber-attacks targeting smaller organizations have increased significantly in recent years, as cyber criminals view these organizations as relatively easy targets—and a potential path to large profits via ransomware, phishing and supply chain attacks. To gauge attitudes and behaviors around these trends, LastPass partnered with research firm InnovateMR to survey business and IT security leaders at companies with fewer than 3,000 employees regarding their password management and cybersecurity practices. Key findings from the survey include:

Both executive and IT leaders perceive low risks. Only three in 10 leaders believe their company faces a very high risk (8+ out of 10) of having a cybersecurity issue. Phishing attacks, cloud vulnerabilities and data loss from ransomware or malware are seen as top threats in the next 12 months.

Executives and IT leaders are overly optimistic. Executives (92%) and IT leaders (93%) believe employees “understand the security expectations” for their jobs, while non-IT leaders are decidedly less confident that employees understand (only 78%). IT leaders also tend to believe adherence to policies is higher than their general business, non-IT security peers do.

Policies are still being broken. Roughly one in five business leaders admits to circumventing security policies, as do one in 10 IT security leaders. Younger workers (one in four) are more likely to break policies – and Gen Z professionals are twice as likely as other generations to physically write down passwords (36% vs. 16%).

Budgets are increasing. 90% of IT leaders and 80% of non-IT leaders say their organizations increased attention paid to cybersecurity in the past year. 82% also said their firms have increased cybersecurity budgets year over year.

Password management is key. 73% of IT security leaders say password management is critically important to cybersecurity strategy, with nearly half (47%) reporting recent breaches due to compromised passwords. And 81% of leaders report using a password manager at work – either company provided or a personal one of their choice.

“It’s clear there’s an ‘Instagram vs. reality’ type of disconnect when it comes to cybersecurity at small and midsize companies,” said Alex Cox, director of threat intelligence at LastPass. “Awareness is increasing, investments are being made, and leaders are feeling confident—but, behind the curtain, culture and policy gaps still leave these organizations vulnerable to attack. We encourage both business and IT security leaders to step up their focus on accountability with better education and policy enforcement around password management and other proven practices.”

Survey results were released today in a report titled, “SMB Cybersecurity Disconnect: Uncovering the Risks, Challenges and Human Factors to Close the Gap for Small and Midsize Businesses.” Other noteworthy findings reflected in the report include differences in cybersecurity practices between job functions, as well as leaders’ top reported cybersecurity needs for the next five years.

Additional Resources

LastPass Labs Blog: Strategies for SMB Leaders Facing the Cybersecurity Disconnect

Infographic: SMB Cybersecurity Disconnect

Research Methodology

LastPass commissioned research firm InnovateMR to conduct a survey in February and March 2024 exploring attitudes and behaviors around password management and cybersecurity within small businesses and mid-market companies. InnovateMR conducted an online survey of 633 U.S.-based business and IT security leaders in small and mid-market firms. For the purposes of the survey, a small business was defined as having 10-499 employees, and a mid-market company was defined as having 500-2,999 employees. InnovateMR is a leading sampling and research technology company that provides survey programming, international sampling, qualitative and quantitative insights, and customized consultation services.

About LastPass

LastPass is a leader in password and identity management solutions that helps 100,000 businesses and millions of consumers secure their credentials at work and at home. Since 2008, LastPass has made logins easier, more secure, and accessible across virtually any device. Today, LastPass innovates for a passwordless future by supporting next-generation security solutions that respond to human behavior, including biometric logins and beyond. LastPass is trademarked in the U.S. and other countries.