It’s untrue to say that small and medium-sized businesses (SMBs) take cybersecurity less seriously than large enterprises.
Cisco recently compared the security strategies of SMBs (250-499 employees) and larger companies, based on its 2020 CISO Benchmark survey.
“We found that, regardless of company size, what matters is gaining a foothold to mature security,” says Wolfgang Goerlich, an Advisory CISO with Cisco. “For example, through executive buy-in, focusing on security personnel, and enhancing capabilities with the right technologies.”
The report, Big Security in a Small Business World, busts several misconceptions about SMB cybersecurity approaches. Here are a few of them.
Myth: SMB leadership doesn’t take security and data privacy seriously.
There is clear evidence of executive buy-in, no matter the company size. For example, 87% of SMBs and 90% of large enterprises say that executive leadership considers security a high priority.
“There has been a clear sea change in the last few years,” says Goerlich. “This has been led by the breaches that we’ve all seen and the impacts that we’ve all felt. Now, security is a C-level and an executive-level conversation. There has been a doubling-down on the need to prioritize cybersecurity.”
Myth: Larger businesses suffer less downtime and recover faster from attacks.
Here again, the differences are slight. Unfortunately, organizations of every size suffer some downtime following a cyberattack: 24% of SMBs and 31% of large enterprises report more than eight hours of downtime after a severe attack.
Yet the good news for SMBs is that they have made strides in rebounding: two years ago, 40% suffered more than eight hours of downtime.
Myth: SMBs face different threats than large enterprises.
Ransomware is the No. 1 threat for businesses of all sizes, and incidents can cause more than 24 hours of downtime. SMBs are also targeted by malware and stolen credentials.
“Savvy SMBs prioritize their spend based on the threats they see and therefore are more effective in their security strategy,” Goerlich says.
Myth: Large businesses have more updated infrastructures.
SMBs invest just as strongly in infrastructure upgrades as larger enterprises: 94% say they upgrade regularly or constantly.
“Most SMBs accept that they’ll need to work with and secure legacy systems for a long time,” Goerlich says. “Especially as we leave a period of economic prosperity and move into a period of belt tightening, there are opportunities to prioritize and re-focus spend. The goal should be protecting the mission of the business or organization.”
Myth: SMBs don’t proactively perform threat hunting.
It may be surprising to see that 72% of SMBs say they have personnel who perform threat hunting, compared with 76% of large enterprises.
“For a long time, threat hunting was seen as a very technical, complicated skillset — likely out of reach for most organizations,” Goerlich says. “However, there has been a democratization of threat hunting. Many security technologies now support and integrate threat intelligence, which gets strong research and tools into the hands of professionals on the front lines who can act on it.”
The Bottom Line
“SMBs have and are taking opportunities within their budgets to improve cybersecurity,” Goerlich says.
For example, there is evidence that simplifying security works: the Cisco CISO study found that the more vendors the respondents used, the longer their reported downtime from their most severe breach. This ranged from an average of four hours for SMBs using one vendor to an average of more than 17 hours for those using 50 or more vendors. What’s more, SMBs using 10 or fewer security vendors suffered nearly three times less downtime following an incident.
“The next step for SMBs should be a tools and vendor rationalization program,” Goerlich says. “This not only reduces complexity, but could also make their budgets even more efficient and effective.”