

06:15 PM

SMB Security Catches Up to Large Companies, Data Shows

Small and midsize businesses face issues similar to those of large organizations and have updated security practices to respond with threat hunting, patch management, and dedicated personnel.

Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.

To better understand the state of SMB security and debunk common misconceptions, Cisco Security researchers polled nearly 500 SMBs (250–499 employees) and asked about the factors shaping their security posture. What they learned was that SMBs are doing better than expected.

"We see time and time again that SMBs are actually punching above their weight," says Wolfgang Goerlich, advisory CISO with Cisco Security. "They're doing better than we would've anticipated." One of the findings that surprised him was the amount of dedicated security staff. A common assumption is that SMBs have few, if any, cybersecurity resources and as a result, someone is often forced to juggle security along with other IT management responsibilities.

The data shows 60% of SMBs have at least 20 people dedicated to security, although it does not specify their level of involvement or whether those employees were outsourced via a managed security service provider. Nearly 80% of large organizations report the same amount. Only 40% of SMBs, and 22% of large companies, have fewer than 20 dedicated security staff.

"That is a huge shift in the past decade," Goerlich says of the staffing increase. Overall, he says, there are "more commonalities than we oftentimes think" when discussing SMB security. A few factors have driven these changes. For one, small businesses face similar levels of public scrutiny. Half of SMBs have managed this after a security breach, similar to 51% of larger businesses. Their customers are also applying pressure: 74% of SMBs say they receive customer inquiries about how they handle individuals' data, compared with 73% of larger organizations.

Goerlich attributes the rise in public scrutiny to two factors. One is the realization of supply chain and third-party risks, which are prompting customers to ask more questions. Even small suppliers selling tools are getting hit with inquiries more often. Another is the trickle-down effects of regulation and compliance requirements, which usually affect larger vendors first and then are passed down to smaller suppliers. Now, they're reaching the SMBs surveyed here.

"If you're a customer, your voice alone may not move the needle … but the voices of multiple customers move the needle in a significant direction," he says of the rise in inquiries. Requirements for today's SMBs are issues that enterprises were struggling with six years ago.

However, many of the threats they face are the same. Researchers ranked the incidents most likely to cause more than 24 hours of downtime and found ransomware and targeted attacks consistent across all organizations. SMBs are most likely to be taken down with ransomware, stolen credentials, phishing, spyware, and mobile malware; larger organizations saw threats like distributed denial-of-service and data breaches rank higher on their lists.

"Regardless of the type of organization you are, if you're on the Internet, you are a target," says Goerlich. The myth of "we're not big enough to be a target" is no longer a mindset SMBs have.

How Small Businesses Tackle Threats

When hit with their most severe security incident, 75% of SMBs say their systems were down for less than eight hours — compared with 68% of larger businesses. Goerlich says investment in security tools can influence the amount of downtime: The more vendors an SMB used, the more downtime it reported from its most severe breach. This ranged from an average of four hours using one vendor to an average of 17 hours using more than 50 vendors, the researchers report.

Smaller organizations are investing more time and money into security, a trend that has led to a proliferation of tools. Goerlich calls it a "logical outcome" of where the industry has been and where it's going, but a more complex technological footprint impedes incident response time.

SMBs are fairly diligent about keeping their tech updated: 42% describe their infrastructure as "very up-to-date" and 52% say they're "updated regularly," compared with 54% and 41% of large organizations, respectively. More than half (56%) of SMBs patch disclosed software flaws daily or weekly, and 37% say they patch on a biweekly or monthly basis. Goerlich points out that SMBs often adopt software-as-a-service platforms to simplify their footprint, and these are easier to patch.

Small businesses are also invested in incident response (IR), with 45% testing their IR plan every six months and 36% once a year. Only 1% of SMBs never test their response plan. More than 70% of SMBs have employees dedicated to threat hunting, similar to the 76% of large organizations that report having a threat-hunting department.

Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees. The data shows even the smallest businesses are investing in security measures such as limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best security practices (34%).

"Training is a long-term strategy to ensure employees aren't acting careless," says The Manifest's Riley Panko, who points out that these incidents aren't always intentional. Cybercriminals may not target a specific SMB; instead, they'll spam several businesses and see which are careless enough to click a malicious link or leave information exposed. Smaller organizations that lack security measures are more likely to fall victim to these attacks, but they plan to continue improving: 64% are likely to devote more resources to security in 2020.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
