
5/4/2020
06:15 PM

SMB Security Catches Up to Large Companies, Data Shows

Small and midsize businesses face issues similar to those of large organizations and have updated security practices to respond with threat hunting, patch management, and dedicated personnel.

Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.

To better understand the state of SMB security and debunk common misconceptions, Cisco Security researchers polled nearly 500 SMBs (250–499 employees) and asked about the factors shaping their security posture. What they learned was that SMBs are doing better than expected.

"We see time and time again that SMBs are actually punching above their weight," says Wolfgang Goerlich, advisory CISO with Cisco Security. "They're doing better than we would've anticipated." One of the findings that surprised him was the amount of dedicated security staff. A common assumption is that SMBs have few, if any, cybersecurity resources and as a result, someone is often forced to juggle security along with other IT management responsibilities.

The data shows 60% of SMBs have at least 20 people dedicated to security, although it does not specify their level of involvement or whether those employees were outsourced via a managed security service provider. Nearly 80% of large organizations report the same amount. Only 40% of SMBs, and 22% of large companies, have fewer than 20 dedicated security staff.

"That is a huge shift in the past decade," Goerlich says of the staffing increase. Overall, he says, there are "more commonalities than we oftentimes think" when discussing SMB security. A few factors have driven these changes. For one, small businesses face similar levels of public scrutiny. Half of SMBs have managed this after a security breach, similar to 51% of larger businesses. Their customers are also applying pressure: 74% of SMBs say they receive customer inquiries about how they handle individuals' data, compared with 73% of larger organizations.

Goerlich attributes the rise in public scrutiny to two factors. One is the realization of supply chain and third-party risks, which are prompting customers to ask more questions. Even small suppliers selling tools are getting hit with inquiries more often. Another is the trickle-down effects of regulation and compliance requirements, which usually affect larger vendors first and then are passed down to smaller suppliers. Now, they're reaching the SMBs surveyed here.

"If you're a customer, your voice alone may not move the needle … but the voices of multiple customers move the needle in a significant direction," he says of the rise in inquiries. Requirements for today's SMBs are issues that enterprises were struggling with six years ago.

However, many of the threats they face are the same. Researchers ranked the incidents most likely to cause more than 24 hours of downtime and found ransomware and targeted attacks consistent across all organizations. SMBs are most likely to be taken down with ransomware, stolen credentials, phishing, spyware, and mobile malware; larger organizations saw threats like distributed denial-of-service and data breaches rank higher on their lists.

"Regardless of the type of organization you are, if you're on the Internet, you are a target," says Goerlich. The myth of "we're not big enough to be a target" is no longer a mindset SMBs have.

How Small Businesses Tackle Threats

When hit with their most severe security incident, 75% of SMBs say their systems were down for less than eight hours, compared with 68% of larger businesses. Goerlich says investment in security tools can influence the amount of downtime: The more vendors an SMB used, the more downtime it reported from its most severe breach. This ranged from an average of four hours using one vendor to an average of 17 hours using more than 50 vendors, the researchers report.

Smaller organizations are investing more time and money into security, a trend that has led to a proliferation of tools. Goerlich calls it a "logical outcome" of where the industry has been and where it's going, but a more complex technological footprint impedes incident response time.

SMBs are fairly diligent about keeping their tech updated: 42% describe their infrastructure as "very up-to-date" and 52% say they're "updated regularly," compared with 54% and 41% of large organizations, respectively. More than half (56%) of SMBs patch disclosed software flaws daily or weekly, and 37% say they patch on a biweekly or monthly basis. Goerlich points out that SMBs often adopt software-as-a-service platforms to simplify their footprint, and these are easier to patch.

Small businesses are also invested in incident response (IR), with 45% testing their IR plan every six months and 36% once a year. Only 1% of SMBs never test their response plan. More than 70% of SMBs have employees dedicated to threat hunting, similar to the 76% of large organizations that report having a threat-hunting department.

Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees. The data shows even the smallest businesses are investing in security measures such as limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best security practices (34%).

"Training is a long-term strategy to ensure employees aren't acting careless," says The Manifest's Riley Panko, who points out that these incidents aren't always intentional. Cybercriminals may not target a specific SMB; instead, they'll spam several businesses and see which are careless enough to click a malicious link or leave information exposed. Smaller organizations that lack security measures are more likely to fall victim to these attacks, but they plan to continue improving: 64% are likely to devote more resources to security in 2020.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
