We’ve dived head-first into Devolutions’ latest report (State of Cybersecurity in SMBs 2022-2023) on cybersecurity for small and mid-size businesses so you don’t have to. Here are the five key highlights you need to know from this new study…
Cybersecurity is an important investment for all businesses and organizations, regardless of size. As someone at a small or mid-size business, you may think that small businesses are less-tempting targets for cybercriminals — but the opposite is actually true. For example, Barracuda reports that companies with fewer than 100 employees are 350% more likely to suffer social engineering attacks than their enterprise counterparts.
Since SMBs make appealing targets for cybercriminals (especially since they make up 99.9% of all businesses in the U.S.), it’s crucial to stay abreast of the latest industry data. This can be hard, though, when you’re trying to run or operate a smaller business. This is why we want to help by sharing some of the latest data in one short(ish) article.
Devolutions has released its third annual State of Cybersecurity in SMBs report (2022-2023). The research, published Oct. 11, finds that 60% of small and mid-size businesses experienced one or more cyberattacks over the last year:
- More than two-in-five (42%) indicate that they’ve faced fewer than five attacks in the last year
- Almost one-fifth (18%) experienced five or more attacks within the same period
We’ve picked the five most relevant data points from Devolutions’ SMB research that we think will be of interest to our readers. Be sure to check out the Devolutions website to read the full report.
Let’s hash it out.
Top Takeaway: SMBs Rank Ransomware as Their Biggest Cybersecurity Threat
81% of Devolutions’ survey respondents view ransomware as their businesses’ biggest security threat, followed by phishing (69%) and other types of malware (38%). In some respects, that’s no surprise: ransomware often results in the encryption or destruction of victims’ data (even when the victims pay the demanded ransom). In some cases, ransomware attacks are multi-pronged, with attackers also targeting victims’ backups to cause additional damage or to demand a second ransom payment.
However, I honestly figured #1 and #2 would be reversed, particularly since many ransomware attacks (and many other security incidents) begin with phishing. But, hey, everyone has different security priorities and concerns.
Takeaway #2: Nearly One-Third of Businesses Earmark <5% of IT Budget to Security
A disturbing statistic from Devolutions’ report that really stuck out to me is that 32% of small and mid-size businesses dedicate less than one-twentieth (under 5%) of their IT budget to IT security. Now, consider that ConnectWise reports that 69% of its survey respondents are concerned that one bad cyber attack could permanently force them to close their doors. Put those two figures together and the message is that nearly one-third of organizations aren’t putting much effort into preventing the very attack they fear most.
What really drives home the dismal nature of that number is when you consider that CompTIA reports the average small business only devotes $5,000-$249,000 of its overall budget to IT each year to begin with (the “sweet spot” for SMBs ranges between $10,000 and $49,000). This means that companies in that 32% are funding their IT security initiatives with less than 5% of budgets that are often already limited. Yikes.
Let’s take a closer look for a little more perspective. Imagine that your company’s IT budget is $45,000 a year. If you’re one of the 32% of SMBs spending under 5% of that on IT security, you’re putting at most $2,250 a year toward securing your organization against cyber attacks and threats. That works out to about $6.16 per day, or roughly the price of a large pumpkin spice latte at a certain major coffee shop chain.
It truly is astonishing that some businesses treat IT security as an afterthought. Considering that all it takes is one security “oops” for everything to go wrong, IT security should rank among the essential elements of your IT environment. It doesn’t matter how many new and shiny devices you have; if you don’t dedicate the time, money, and resources needed to keep those devices and your network secure, they won’t do you much good.
But there is some good news here: Devolutions recommends SMBs allocate between 6% and 15% of the IT budget to IT security (which includes cybersecurity). We’re happy to relay that the majority of SMB respondents (68%) fall within this range. But in a perfect world, we’d definitely prefer to see higher average IT security spending.
Takeaway #3: Most Organizations Plan to Hold or Increase Their IT Security Spending
Now, let’s see what organizations are doing in terms of increasing or decreasing their IT security budgets. 49% report that they’re spending more this year on IT security than they did last year. Awesome. But this stat is tempered when you consider that 51% indicate that their budgets either decreased (6%) or remained unchanged (45%) from the previous year.
However, there is a bit of good news here. 94% of survey respondents indicate that they either plan to spend the same amount (48%) or increase their spending (46%) in the next 12 months. Of course, we’d prefer to see the higher number in the “we-want-to-increase-our-spending-on-IT-security” budget category, but I guess we’ll take the wins where we can.
There’s also one very important consideration to keep in mind when it comes to budgets and IT security spending: every organization is different and each one allocates different amounts to begin with. So, some companies may start out with a higher amount (closer to the $249,000 end of the range mentioned earlier) and need to increase it less each year while others may have a much smaller budget (like the $5,000 end of the range) and need more significant investments.
Takeaway #4: Organizations Are Starting to See the Light Regarding Password Security
Passwords are the keys to the kingdoms of most small and mid-size organizations. These are the secrets that provide access to user accounts and give access to everything from banking and finance accounts to employees’ personal records data. Comparitech, citing LastPass data, shows that small business employees are the biggest offenders when it comes to demonstrating poor password security: “Those working for companies with 1-25 staff reuse passwords an average of 14 times.”
Yeah, definitely not good. So, it makes sense that one of the sections of the Devolutions report highlights 18 security projects that respondents wanted to take on in the next 12 months… more than one-third of which relate to password or account security:
- Introducing a privileged access management (PAM) solution
- Introducing or fully integrating two-factor authentication (2FA)
- Implementing automatic password rotation
- Expanding a password management tool for use by all employees (not just IT staff)
- Hardening Active Directory
- Implementing more granular and just-in-time access to resources
- Shifting to passwordless authentication
Of course, using secure passwords (or implementing PKI-based client authentication) isn’t all you can or should be doing to secure access within your organization. Additional steps you can take include:
- Maintaining current user profile and permissions lists (and removing access promptly when people change roles or leave)
- Implementing the principle of least privilege within your IT environment (i.e., only giving access to those who need it to do their jobs)
- Requiring users to connect to websites and internal services only over secure, encrypted connections (HTTPS/TLS)
- Educating employees on the importance of account security and best practices
- Storing only salted (and ideally peppered) password hashes produced by a deliberately slow hashing algorithm in lieu of plaintext passwords, for any application you run that has its own logins
- Rate-limiting authentication attempts to blunt brute-force and credential-stuffing attacks
- Monitoring traffic to your network, services, and applications
- Blocking access to internal resources from IPs outside your company’s geographic region (a speed bump rather than a boundary, since attackers can route through in-region VPNs or compromised hosts)
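Two of the items above (salted-and-peppered password hashes and authentication rate limits) are concrete enough to show in code. The following is an added example written for this article, not code from Devolutions or from the report; it assumes PBKDF2-HMAC-SHA256 with OWASP’s 600,000-iteration guidance, a pepper that your application reads from an environment variable or secrets manager rather than from the user database, and a constructed in-memory user store standing in for your real one. The sliding-window limiter and the `attempt_login` helper are also hypothetical names chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# OWASP's current PBKDF2-HMAC-SHA256 guidance (assumed here); lower it only in tests.
DEFAULT_ITERATIONS = 600_000
KEY_LEN = 32


def _prehash(password: str, pepper: bytes) -> bytes:
    """Fold the site-wide pepper into the password with HMAC before the slow hash.

    The pepper lives outside the user database (env var, secrets manager, HSM),
    so a dumped table of salted hashes cannot be cracked offline without it.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>' (base64 fields)."""
    salt = secrets.token_bytes(16)  # fresh per-user salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations, KEY_LEN)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${enc(salt)}${enc(digest)}"


def verify_password(record: str, password: str, pepper: bytes) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", _prehash(password, pepper), salt, int(iters), len(expected)
        )
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed login, never as a crash
    return hmac.compare_digest(candidate, expected)


class LoginRateLimiter:
    """Sliding-window limiter: at most max_attempts failures per key within window seconds."""

    def __init__(self, max_attempts: int = 5, window: float = 900.0):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def allowed(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._recent(key, now)) < self.max_attempts

    def record_failure(self, key: str, now: float = None) -> None:
        now = time.monotonic() if now is None else now
        self._recent(key, now).append(now)

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


# Checked against when the username does not exist, so unknown and known
# usernames cost the same time and cannot be told apart by response latency.
_DUMMY_RECORD = hash_password("not-a-real-password", b"\x00" * 32)


def attempt_login(store: dict, limiter: LoginRateLimiter, username: str,
                  password: str, pepper: bytes, now: float = None) -> str:
    """Return 'ok', 'bad_credentials' or 'locked'; never reveals whether the username exists."""
    if not limiter.allowed(username, now):
        return "locked"
    record = store.get(username, _DUMMY_RECORD)
    if verify_password(record, password, pepper) and username in store:
        limiter.reset(username)  # a successful login clears the failure history
        return "ok"
    limiter.record_failure(username, now)
    return "bad_credentials"


if __name__ == "__main__":
    # Constructed sample: a single user store and a pepper that would come from a secrets manager.
    pepper = b"example-pepper-kept-outside-the-database"
    users = {"alice": hash_password("correct horse battery staple", pepper)}
    limiter = LoginRateLimiter(max_attempts=3, window=900.0)
    print(attempt_login(users, limiter, "alice", "wrong guess", pepper))
    print(attempt_login(users, limiter, "alice", "correct horse battery staple", pepper))
```

In production the limiter key would usually combine the username with the source IP so that one noisy client cannot lock everyone out, and the failure timestamps would live in a shared store (Redis, a database) rather than in process memory so that every login node enforces the same window.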
Takeaway #5: 56% of SMBs Are Content to Maintain IT Security Staffing Status Quo
Our final data point from the Devolutions report focuses more on the employees themselves:
- 38% of the survey respondents indicated that their organizations brought new employees on board since the start of the global COVID-19 pandemic (i.e., early 2020) to address IT security needs and concerns.
- Another 6% say they’re working with external service providers to achieve the same.
- The remaining 56% of respondents indicate that they’ve not hired any new cyber or IT security-related employees since early 2020.
Not bringing new employees into the fold isn’t necessarily bad news. Yes, on the one hand, it could mean that they don’t want to fork out the funds to hire new people and skills. But on the other hand, it may mean that they already have the right people and skills in place, so they don’t need to hire anyone else. (Less likely, but definitely still a possibility.)
Unfortunately, the former is the most likely scenario. Another recent survey from Cobalt (The State of Pentesting 2022) shows that nearly all of their 602 respondents indicate that they’re affected by staffing and talent shortages. Regardless of the cause of the shortages (whether they don’t hire enough people or employees leave), labor shortages ultimately lead to many security issues for the organization and team members who remain.
Final Takeaway on Cybersecurity for Small and Mid-Size Businesses
We hope this article has been enlightening and given you greater insight into investing in cybersecurity as a small or mid-size business. Whether you have just a handful of employees or 100, every person, application, and device in your IT environment is part of the attack surface that cybercriminals can target.
Strong IT and cybersecurity practices aren’t just crucial to preventing cyber attacks; they’re also compliance requirements under notable standards and regulations like the EU’s General Data Protection Regulation (GDPR), the U.S.’s Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).