2022 ESET SMB Digital Security Sentiment ReportRead full report
Small and medium-sized businesses have good reason to be concerned about the loss of data and financial impacts
While tech advancements have enabled small and medium businesses (SMBs) to grow their business and allowed them to evolve their operational models, cybersecurity risks and threats can cancel any progress that has been made so far. Underlying these is another serious obstacle: SMBs lacking confidence in managing cybersecurity.
The lack of confidence manifests as a strong belief among SMBs that businesses of their sizes are more vulnerable to cyberattacks than are enterprises. They have good reason to be concerned about the loss of data, financial impacts, and a loss of customer confidence and trust.
The main concerns over the next 12 months are twofold. Firstly, there are human factors related to poor employee cyber-awareness and both IT admin capacity and maturity. Secondly, there are technical factors such as vulnerabilities in the partner ecosystem (supply chain), proliferation of apps used by employees, nation-state attacks, and the migration of services to the cloud. Simply, many organizations are overwhelmed by these demanding needs.
Help! Time hasn’t stood still for SMBs
While technology and services options mushroomed well before the COVID-19 pandemic, the amount of remote monitoring and management of services and bespoke SMB software that now await customers is fearsome. Particularly in the area of security, the overabundance of options and sometimes poor outcomes have eroded SMB confidence in key areas.
This has seen businesses split between keeping cybersecurity in-house or choosing to outsource. Knowledge is also lacking, particularly around access to third-party experts, response times, and threat forensics. And, despite a healthy number of solutions, arguments supporting the needed investments haven’t kept pace with changes to operational models, and security needs underlined by the migration to hybrid work models are becoming ever more relevant.
The 2022 ESET SMB Digital Security Sentiment Report highlights that many SMB budget holders are highly cognizant of top risk factors that significantly or moderately increase their risks of cyberattacks. Respondents cited that the top driver of risks in the next 12 months will be a lack of employee cyber-awareness (up to 84%), compounded by vulnerabilities in the partner/supplier ecosystem (79%), and migrating services to the cloud (77%).
Trapped between low confidence and a hard place
Looking more granularly, the top three (specific) cybersecurity challenges at surveyed SMBs are: keeping up with the latest digital security threats (54%), keeping pace with the latest approaches and technologies (50%), and lack of investment in cybersecurity (49%). Other concerns include a lack of skills, overworked teams, alert fatigue, and a lack of leadership support.
“Keeping up,” for some, means how to, practically speaking, face concerns about malware, web-based attacks, ransomware, third-party security issues, and critical or high-severity software vulnerabilities. More than half are concerned about Remote Desktop Protocol (RDP), distributed denial-of-service (DDoS) attacks, business email compromise (BEC), cloud computing issues, and supply chain attacks.
And, while few of these security threats are specific to their segment, 74% of SMBs believe that businesses of their sizes are more vulnerable to cyberattacks than are enterprises. In no uncertain terms, SMB concerns about loss of data, financial impacts, and loss of customer confidence and trust reflect their lack of capacity to simultaneously mitigate these challenges while maintaining momentum on core business competencies.
With less than a third of respondents VERY confident in any area of cybersecurity, including IT team cybersecurity knowledge (32%), the speed with which they can identify, isolate and respond to a threat (30%), access to third-party experts (29%), their reported sentiments beg the question of which businesses are confident enough to keep security in-house.
Always prepared for post-breach business
Luck rarely holds out forever, and our survey demonstrates that approximately two-thirds of respondents have experienced or acted on indications of security breaches. These typically take weeks to address, costing SMBs significantly. (On average, SMBs estimate the TOTAL COST to their organizations incurred by these breaches to be the equivalent of €219K.)
Following breaches, SMBs may invest in training, perform audits, or purchase new cybersecurity tools. Generally, this means taking steps to harden remote access tools, specifically to protect logins with multifactor authentication (50%), restrict their use to corporate VPNs only (50%), and keeping remote access tools up to date (49%).
With only 27% of respondents indicating that they have conducted cybersecurity audits in the past six months, and 33% in the past 12 months, the situation is worrisome. In organizations where cybersecurity audits have been conducted in the past two years, 52% used external IT security companies/Managed Service Providers (MSPs), while 40% conducted the audits themselves, and 8% did both.
We’re all in this together
While the approaches taken are still split, 85% of SMBs say that everyone in their supply chains has a responsibility to improve their cyber-resilience, but most also express concern that a lack of investment in cybersecurity may compromise others in their supply chains. Ultimately, effective cybersecurity is viewed as something that provides businesses with the confidence to grow and innovate.
Follow our series as we further explore the 2022 ESET SMB Digital Security Sentiment Report. From it, we can already be sure that SMBs do understand that both their businesses and global supply chains depend on continued improvement of their security. For more insight into how fellow SMBs see the security landscape around them, read our 2022 SMB Digital Security Sentiment Report.