Despite growing threats of phishing, ransomware, and more, many small businesses have no employee cybersecurity training program in place, according to a Tuesday report from Webroot.

In surveying 500 small- to medium-sized businesses (SMBs) in the US, Webroot found that 66% of businesses with fewer than 19 employees didn’t have any kind of employee cybersecurity training in place. For companies with 20-99 employees, that number was 29%, and for those with 100-500 employees it was 13%.

The training programs that companies are passing up are effective. A separate Webroot report found that when employees underwent phishing simulations in combination with ongoing training, their click rate on phishing links dropped by more than half, from 26% down to 12%.

Phishing, overall, was seen as the current greatest threat against SMBs. Some 24% of all respondents to the survey said this was the case. Still, another 24% of those surveyed said they didn’t know their greatest threat, the report found. And employees at businesses with fewer than 19 workers were the least likely to know their top threat.

Specific trends show up in phishing emails, Webroot CISO Gary Hayslip explained in the report. Here are the top 11 email subject lines associated with phishing:

  1. Review or Quick Review
  2. Bank of <take your pick>; New Notification
  3. Charity Donation for You
  4. FYI
  5. Action Required: Pay your seller account balance
  6. Unauthorize login attempt
  7. Your recent Chase payment notice to <name of employee>
  8. Important: (1) NEW message from <Bank Name>
  9. AMAZON : Your Order no #812-4623 might ARRIVED
  10. Wire Transfer
  11. Assist Urgently

Companies that have 20-99 employees ranked employee naiveté as their top threat, with phishing coming in at 22%. Despite the hype surrounding individual threats, 92% of all malware still comes by way of email, as noted in the 2018 Verizon Data Breach Investigations Report. As such, “SMBs should focus on training employees to securely manage their email,” the Webroot report said.

When it comes down to it, most SMBs simply don’t have the money or resources they need to handle security at an expert level, the report found. Some 41% of respondents said they have no dedicated resources for IT security, and only 12% said they had dedicated in-house security staff. Others admitted to using third parties to help manage security, the report said.

The financial risk is big, too. According to the report, a breach will cost an average SMB around $527,256.