SMBs Are Taking Cybersecurity More Seriously

Against a backdrop of mounting cybersecurity threats, small and medium-sized businesses (SMBs) have woken up to the risk that ransomware and malware pose to their organisations. Many are taking additional measures to protect themselves against attacks, according to a new survey by Datto, a Kaseya company.

In the company's annual State of Ransomware Report, nearly 3,000 IT professionals in SMBs across eight countries weighed in on the steps they are taking to protect themselves, from investing in more security products to utilising multiple security frameworks.

The key finding is that SMBs globally are actively investing in cyber protection. While on average, a fifth of the IT budget is dedicated to security, around 4 in 10 businesses (42%) are seeing their security budget increase and allocating additional resources.

The majority have implemented basic defences - anti-virus and email protection - and are now expanding their security strategy to other areas.

For example, nearly half (47%) of SMBs plan to invest in network security in the next 12 months, and 45% are looking to add cloud security. Further down the shopping list are security solutions for collaboration tools, endpoint security and Business Continuity and Disaster Recovery (BCDR).

While installing the right tools is important, SMBs also increasingly understand the need to proactively monitor their security posture. Nearly two thirds (62%) run vulnerability assessments at least twice a year, with more than a third (37%) scheduling them three or more times a year.

The CIS framework is the most used cybersecurity framework, with 34% of respondents utilising it. This is followed by CMMC (30%), COBIT (27%), and NIST (22%).

Investment In Cyber Insurance

Cyber insurance is a key consideration for SMBs as it can offset the repercussions of breaches. However, in the face of stricter regulations and growing threat volumes, cyber insurance is becoming harder to obtain, with some insurers stipulating that businesses need to have certain security controls in place in order to qualify. 

In the survey, over two thirds (69%) of respondents said they have cyber insurance in place, and 34% of those without insurance are likely to get it within a year. Fear of being hit by ransomware seems to be one of the drivers, as 42% of SMBs with cyber insurance believe it’s extremely likely that a ransomware attack will happen to them. Seven in 10 respondents admitted that a successful attack would seriously impact their organisation, with some saying it could be a fatal blow.

Overall, the survey found that organisations with cyber insurance tend to be more actively engaged in cybersecurity. They have more IT support, more frameworks (CSFs) and more security solutions. They’re also more likely to have experienced a security incident in the past.

Across the board, nearly a third of all respondents encountered computer viruses in the past year and 21% reported COVID-19 related scams or threats. As the main reason behind these security issues, 37% of SMBs cited phishing emails, followed by malicious websites and weak password and access management. However, around 42% feel they have had security issues due to lack of training and 24% said it was down to poor user practices and gullibility – indicating that there is room for improvement when it comes to building out their defence layers.

Lack Of Preparedness Is The Weak Spot

Despite the heightened awareness and increased investment in cyber protection, there is another area that could let SMBs down: planning for the worst-case scenario. Only 3 in 10 businesses have a best-in-class recovery plan in place. Around half (52%) rely on a standard plan and 16% admitted there is no formal recovery plan, leaving them wide open to complete data loss and major business interruption. Perhaps this explains why nearly half of respondents (47%) say their companies would find recovery from a cyberattack difficult – and 16% fear that their business would not recover at all.

In fact, downtime is an expensive problem that nearly half of survey respondents have encountered in the past year.

In 2022, the average cost of downtime was 126,000 USD, including lost revenue. It is an eye-watering figure, but many SMBs still don’t have the tools to minimise downtime, such as a unified BCDR solution, a managed security operations centre (SOC) or an incident response strategy.

Just under half (49%) of surveyed SMBs relied on manual backups to recover data during an incident, and one fifth were forced to reinstall and reconfigure all systems from scratch. With slow and cumbersome recovery processes, around 45% of businesses endured more than two days of downtime before their systems were back up and running.

It is clear that many SMBs will need additional help planning for, and dealing with, security incidents. The cybersecurity talent shortage is a contributing factor, as is lack of expertise.

A growing number outsource the job: Almost half (47%) of the IT professionals surveyed said their organisation relies on a managed service provider (MSP) or a managed security service provider (MSSP). With increasingly complex cyber threats, this percentage is likely to grow.

Chris Mckie is VP, Product Marketing Security & Networking Solutions at Datto

