Small and medium businesses have good reason to be concerned about data loss and financial impact
While advances in technology have enabled small and medium enterprises (SMEs) to expand their business and allowed them to evolve their operational models, cybersecurity risks and threats could undo any progress made so far. Underlying this is another serious obstacle: SMEs lack confidence in managing cybersecurity.
This lack of confidence manifests as a strong belief among SMEs that businesses of their size are more vulnerable to cyberattacks than enterprises. They have good reason to be concerned about data loss, financial impact, and loss of customer trust and confidence.
The main concerns over the next 12 months are twofold. First, there is the human factor associated with poor employee cyber awareness and IT admin capacity and maturity. Second, there are technical factors such as vulnerabilities in partner ecosystems (supply chains), proliferation of applications used by employees, nation-state attacks and migration of services to the cloud. Simply put, many organizations are overwhelmed by these demands.
Help! Time doesn’t stand still for SMEs
Although technology and service options mushroomed long before the COVID-19 pandemic, the amount of monitoring and managing of remote services and bespoke SMB software now awaiting customers is daunting. Especially in the area of security, the abundance of choices and sometimes poor results have eroded SME confidence in key areas.
This has left businesses torn between keeping cybersecurity in-house or choosing to outsource. Knowledge is also lacking, particularly around access to third-party experts, response times, and threat forensics. And, despite a number of sound solutions, the arguments in favor of the required investment are not keeping pace with changes in the operational model. Meanwhile, the security needs highlighted by the migration to a hybrid work model are becoming increasingly relevant.
ESET’s SME Digital Security Sentiment Report 2022 highlights that many SMB budget holders are acutely aware of the key risk factors that are significantly increasing the risk of cyberattacks. Respondents said that the main causes of risk in the next 12 months were employees’ lack of cyber awareness (up to 84%), coupled with vulnerabilities in the partner/supplier ecosystem (79%), and migration of services to the cloud (77%).
Stuck between low self-confidence and a hard place
Looking in more detail, the top three (specific) cybersecurity challenges in the surveyed SMBs were: keeping up with the latest digital security threats (54%), keeping up with the latest approaches and technologies (50%), and under-investment in cybersecurity (49%). Other concerns include a lack of skills, an overworked team, watchful burnout, and a lack of leadership support.
“Keeping up,” for some, means how to deal, practically speaking, with concerns about malware, web-based attacks, ransomware, third-party security issues, and critical or high-severity software vulnerabilities. More than half are concerned about Remote Desktop Protocol (RDP), distributed denial-of-service (DDoS) attacks, business email compromise (BEC), cloud computing issues, and supply chain attacks.
And, while some of these security threats are specific to their segment, 74% of SMBs believe a business of their size is more vulnerable to cyberattacks than an enterprise. In no uncertain terms, SMBs’ concerns about data loss, financial impact, and loss of customer trust and confidence reflect their lack of capacity to mitigate these challenges while simultaneously maintaining momentum on core business competencies.
With less than a third of respondents very confident in any cybersecurity area, including IT team cybersecurity knowledge (32%), the speed with which they can identify, isolate and respond to threats (30%), and access to third-party experts (29%), the sentiment report raises questions about which businesses have enough confidence to maintain internal security.
Always ready for post-breach business
Luck rarely lasts forever, and our survey shows that around two-thirds of respondents have experienced or acted on indications of a security breach. These typically take weeks to address, putting a significant burden on SMEs. (On average, SMEs estimate the total cost to their organization incurred by such a breach is equivalent to €219K.)
Following a breach, SMEs can invest in training, conduct audits or buy new cybersecurity tools. In general, this meant taking steps to strengthen remote access tools, particularly protecting logins with multi-factor authentication (50%), limiting their use to corporate VPNs only (50%), and updating remote access tools (49%).
With only 27% of respondents stating that they had conducted a cybersecurity audit in the last six months, and 33% in the last 12 months, the situation is worrying. In organizations where a cybersecurity audit has been conducted in the past two years, 52% use an external IT security firm/Managed Service Provider (MSP), while 40% conduct their own audit, and 8% do both.
We’re all in this together
While the approach taken remains divided, 85% of SMBs said that everyone in their supply chain has a responsibility to improve their cyber resilience. Most also expressed concern that a lack of investment in cybersecurity could put others in their supply chain at risk. Ultimately, effective cybersecurity is seen as something that gives businesses the confidence to grow and innovate.
Join our series as we learn more about the ESET SME Digital Security Sentiment Report 2022. From here, we can be confident that SMBs really understand that their business and global supply chain depend on continuous security enhancements. For more insight into how fellow SMBs see the security landscape around them, read our 2022 SME Digital Security Sentiment Report.