Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.
To better understand the state of SMB security and debunk common misconceptions, Cisco Security researchers polled nearly 500 SMBs (250–499 employees) and asked about the factors shaping their security posture. What they learned was that SMBs are doing better than expected.
"We see time and time again that SMBs are actually punching above their weight," says Wolfgang Goerlich, advisory CISO with Cisco Security. "They're doing better than we would've anticipated." One of the findings that surprised him was the amount of dedicated security staff. A common assumption is that SMBs have few, if any, cybersecurity resources and as a result, someone is often forced to juggle security along with other IT management responsibilities.
The data shows 60% of SMBs have at least 20 people dedicated to security, although it does not specify their level of involvement or whether those employees were outsourced via a managed security service provider. Nearly 80% of large organizations report the same amount. Only 40% of SMBs, and 22% of large companies, have fewer than 20 dedicated security staff.
"That is a huge shift in the past decade," Goerlich says of the staffing increase. Overall, he says, there are "more commonalities than we oftentimes think" when discussing SMB security. A few factors have driven these changes. For one, small businesses face similar levels of public scrutiny. Half of SMBs have managed this after a security breach, similar to 51% of larger businesses. Their customers are also applying pressure: 74% of SMBs say they receive customer inquiries about how they handle individuals' data, compared with 73% of larger organizations.
Goerlich attributes the rise in public scrutiny to two factors. One is the realization of supply chain and third-party risks, which are prompting customers to ask more questions. Even small suppliers selling tools are getting hit with inquiries more often. Another is the trickle-down effects of regulation and compliance requirements, which usually affect larger vendors first and then are passed down to smaller suppliers. Now, they're reaching the SMBs surveyed here.
"If you're a customer, your voice alone may not move the needle … but the voices of multiple customers move the needle in a significant direction," he says of the rise in inquiries. Requirements for today's SMBs are issues that enterprises were struggling with six years ago.
However, many of the threats they face are the same. Researchers ranked the incidents most likely to cause more than 24 hours of downtime and found ransomware and targeted attacks consistent across all organizations. SMBs are most likely to be taken down with ransomware, stolen credentials, phishing, spyware, and mobile malware; larger organizations saw threats like distributed denial-of-service and data breaches rank higher on their lists.
"Regardless of the type of organization you are, if you're on the Internet, you are a target," says Goerlich. The myth of "we're not big enough to be a target" is no longer a mindset SMBs have.
How Small Businesses Tackle Threats
When hit with their most severe security incident, 75% of SMBs say their systems were down for less than eight hours — compared with 68% of larger businesses. Goerlich says investment in security tools can influence the amount of downtime: The more vendors an SMB used, the more downtime it reported from its most severe breach. This ranged from average of four hours using one vendor, to an average of 17 hours using more than 50 vendors, the researchers report.
Smaller organizations are investing more time and money into security, a trend that has led to a proliferation of tools. Goerlich calls it a "logical outcome" of where the industry has been and where it's going, but a more complex technological footprint impedes incident response time.
SMBs are fairly diligent about keeping their tech updated: 42% describe their infrastructure as "very up-to-date" and 52% say they're "updated regularly," compared with 54% and 41% of large organizations, respectively. More than half (56%) of SMBs patch disclosed software flaws daily or weekly, and 37% say they patch on a biweekly or monthly basis. Goerlich points out that SMBs often adopt software-as-a-service platforms to simplify their footprint, and these are easier to patch.
Small businesses are also invested in incident response (IR), with 45% testing their IR plan every six months and 36% once a year. Only 1% of SMBs never test their response plan. More than 70% of SMBs have employees dedicated to threat hunting, similar to the 76% of large organizations that report having a threat-hunting department.
Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees. The data shows even the smallest businesses are investing in security measures such as limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best security practices (34%).
"Training is a long-term strategy to ensure employees aren't acting careless," says The Manifest's Riley Panko, who points out that these incidents aren't always intentional. Cybercriminals may not target a specific SMB; instead, they'll spam several businesses and see which are careless enough to click a malicious link or leave information exposed. Smaller organizations that lack security measures are more likely to fall victim to these attacks, but they plan to continue improving: 64% are likely to devote more resources to security in 2020.