As the year comes closer to ending, October marked 21 years of Cybersecurity Awareness Month, cyberattacks continue to be a challenge for businesses of all sizes, however, small and medium businesses (SMBs) face distinct challenges when it comes to cybersecurity.
Although SMBs face heightened cybersecurity threats, unlike large enterprises, they often lack the resources and expertise to implement extensive security measures or manage complex security solutions, making them prime targets for bad actors. Both the risks that SMBs face and their current level of security readiness are not widely understood.
To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specialising in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.
1. One in three SMBs have been victims of a cyberattack
With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks.
How can SMBs approach this?
Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.
● Use strong passwords and consider a password manager.
● Turn on multifactor authentication.
● Learn to recognize and report phishing.
● Make sure to keep your software updated
2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000
The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities
How can SMBs approach this?
SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimise them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimise the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organisations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.
3. 81% of SMBs believe AI increases the need for additional security controls
The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security.
How can SMBs approach this?
Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.
4. 94% consider cybersecurity critical to their business
Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing.
How can SMBs approach this?
For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.
5. Less than 30% of SMBs manage their security in-house
Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats.
How can SMBs approach this?
Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organisations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.
6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend
Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.
How can SMBs approach this?
Prioritising these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.
7. 68% of SMBs consider secure data access a challenge for remote workers
The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.
How can SMBs approach this?
Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.