This article was written by Maxime Trotter, VP of Sales & Marketing for Devolutions, as part of the Information Security Insight Jam 2021.
While the pandemic forced many SMBs to scale back their operations, hackers shifted into a higher gear. Cyber-attacks against SMBs — and especially on their remote workers — increased throughout 2020 and 2021.
What’s more, the consequences of a breach have never been more severe. Global cyber-crime collectively costs victims $16.4 billion each day, and in 2021 the average cost of a data breach in SMBs climbed to $2.98 million per incident. This is a staggering price tag that many companies cannot afford, which is why 60% of SMBs go out of business within six months of getting hacked.
To help SMBs grasp the scope and dynamics of the current cyberthreat landscape, universal password and access management solutions company Devolutions surveyed decision-makers in SMBs worldwide across five core topics:
- Cyber-attacks and Threats in SMBs
- Password Management in SMBs
- Use of Privileged Access Management in SMBs
- Cybersecurity Training & Management in SMBs
- Cybersecurity Investment in SMBs
Respondents to the Devolutions State of Cybersecurity in SMBs in 2021-2022 Survey hailed from a wide cross-section of sectors including IT services, finance, insurance, healthcare, manufacturing, government, and others.
The Cyberthreat Landscape: It’s Scary Out There
SMBs that survived the financial carnage caused by the pandemic cannot, unfortunately, look forward to a smooth, stress-free road ahead — because the cyberthreat landscape is scarier than ever. The survey found that:
- 81% of SMBs believe that their company is likely to be targeted by hackers now or in the near future.
- 72% of SMBs are more concerned about cybersecurity now compared to a year ago.
- The top 3 cyber threats that SMBs are most concerned about are ransomware, phishing, and malware.
- 52% of SMBs have experienced a cyber-attack in the last year, and 10% have experienced 11 or more cyber-attacks.
- 32% of SMBs have experienced privileged access violations in the past year, and 4% have experienced 11 or more violations.
SMB Cybersecurity Defenses Have Plenty of Holes
Given the elevated concern and risk, one might assume that all SMBs are making it a top priority to strengthen their cybersecurity profile — especially since the cost of a single data breach can be catastrophic. However, this is not the case. The survey revealed that:
- 87% of SMBs do not have a fully deployed privileged access management (PAM) solution in place.
- 69% of SMBs do not have a password management policy that covers all of the essentials, which are minimum password length, sufficient password complexity, minimum password history, minimum password age, and multi-factor authentication (MFA).
- 61% of SMBs are not monitoring the full roster of privileged accounts in their organization.
- 20% of SMBs are using insecure methods to store passwords such as spreadsheets, documents, and writing passwords down on paper.
- 19% of SMBs do not have ANY of the following defense tools, architecture, or policies in place: principle of least privilege (PoLP), segregation of duties (SoD), shared password vaults, Zero Trust, account brokering, and defense-in-depth.
Cybersecurity Investments: More Money, Fewer Problems
When it comes to cybersecurity investments, generally speaking, more money does not lead to more problems — it reduces them. InfoSec experts recommend allocating between 7-10% of an IT budget to cybersecurity. However, the survey revealed that most SMBs are not reaching this target:
- 26% of SMBs allocate less than 5% of their IT budget to cybersecurity.
- 22% of SMBs allocate 6-10% of their IT budget to cybersecurity.
- 30% of SMBs do not even know how much of their IT budget is allocated to cybersecurity — which certainly suggests that they are falling below (or likely well below) effective spending levels.
Finally, Some Good News
While the situation is certainly worrisome, there are a few positive developments as well. The survey found that:
- 92% of SMBs have a process in place to revoke account access for ex-employees.
- 74% of SMBs are providing their workforce with cybersecurity training.
- 71% of SMBs are using a password manager to store passwords.
Ideally, these numbers would be — and frankly, should be — 100% across the board. But we will take a “glass-half-full” view and applaud SMBs that have taken some meaningful steps to strengthen their cybersecurity. Preventing a breach is far simpler, safer, and cheaper than reacting to one.
A “Wait-and-See” Approach is a Bad Idea
It is in nobody’s best interest — except for hackers, that is — to gloss over the fact that the cyberthreat landscape is more dangerous now than ever before, and most SMBs are woefully under-equipped and unprepared to deal with the inevitable onslaught. Indeed, it is not a question of if SMBs will get attacked, but how frequently and how severely (and of course, there are numerous SMBs that have already been attacked or are being attacked right now but have no idea).
SMBs literally cannot afford to take a “wait-and-see” approach. They must be proactive if they want to stay at least a step ahead of the bad guys. To achieve this critical objective, the survey report provides 15 recommendations with accompanying steps, best practices, and other practical advice. All the recommendations are specifically designed for SMBs that typically do not have the cybersecurity staff, resources, or budgets of larger organizations and enterprises.
The Devolutions State of Cybersecurity in SMBs in 2021-2022 Survey report is available as a free and instant download from the Devolutions website.
- SMBs are Unprepared to Deal with Worsening Cyberthreats Landscape - December 6, 2021