Cybersecurity is an important investment for all businesses and organizations, regardless of size. As someone at a small or mid-size business, you may think that small businesses are less-tempting targets for cybercriminals — but the opposite is actually true. For example, Barracuda reports that companies with fewer than 100 employees are 350% more likely to suffer social engineering attacks than their enterprise counterparts.
Since SMBs make appealing targets for cybercriminals (especially since they make up 99.9% of all businesses in the U.S.), it’s crucial to stay abreast of the latest industry data. This can be hard, though, when you’re trying to run or operate a smaller business. This is why we want to help by sharing some of the latest data in one short(ish) article.
Devolutions released its third consecutive State of Cybersecurity in SMBs 2022-2023 report. This year’s latest research, which was released Oct. 11, highlights that 60% of small and mid-size businesses experienced one or more cyberattacks over the last year:
We’ve picked the five most relevant data points from Devolutions’ SMB research that we think will be of interest to our readers. Be sure to check out the Devolutions website to read the full report.
Let’s hash it out.
81% of Devolutions’ survey respondents view ransomware as their businesses’ biggest security threat. This is followed by phishing (69%) and other types of malware (38%). In some respects, this is no surprise: ransomware is a major threat because it often results in the encryption or destruction of victims’ data (even when the victims pay the demanded ransom). In some cases, ransomware attacks are multi-pronged, because attackers also target victims’ data backups to cause additional damage or to demand a second ransom payment.
However, I honestly figured #1 and #2 would have been reversed, particularly considering that ransomware attacks often involve the use of phishing, as do many other cybersecurity concerns. But, hey, everyone is different and has different security priorities and concerns.
A disturbing statistic from Devolutions’ report that really stuck out to me is that 32% of small and mid-size businesses dedicate less than one-twentieth (1/20) of their IT budget to IT security. Now, consider that ConnectWise reports that 69% of its survey respondents admit they’re concerned that one bad cyber attack could permanently force them to close their doors. Knowing this concern, and being aware that nearly one-third of organizations dedicate only 5% of their overall IT budgets to security, sends the message that companies aren’t putting much effort into preventing such an attack from happening.
What really drives home the dismal nature of that number is when you consider that CompTIA reports the average small business only devotes $5,000-$249,000 of their overall budget to IT each year to begin with (the “sweet spot” for SMBs ranges between $10,000 and $49,000). This means that only 5% of already potentially limited budgets is what companies are using to fund their IT security initiatives. Yikes.
Let’s take a closer look at this for a little more perspective. Imagine that your company invests $45,000 in its IT budget each year. If you’re one of the 32% of SMBs that dedicate only 5% of the IT budget to IT security, you’re spending just $2,250 a year to secure your organization against cyber attacks and threats. That means your cybersecurity is worth just $6.25 per day to your business — or the equivalent of a large pumpkin spice latte at a specific major coffee shop chain.
It truly is astonishing that some businesses treat IT security as the ugly, redheaded stepchild. Considering that all it takes is one cybersecurity “oops” for everything to go wrong, IT security should be ranked as one of the essential elements of your IT environment. It doesn’t matter how many new and shiny devices you have… if you don’t bother dedicating the time, money, and resources needed to keep those devices and network secure, then they won’t do you any good.
But there is some good news here: Devolutions recommends SMBs allocate between 6% and 15% of the IT budget to IT security (which includes cybersecurity). We’re happy to relay that the majority of SMB respondents (68%) fall within this range. But in a perfect world, we’d definitely prefer to see higher average IT security spending.
Now, let’s see what organizations are doing in terms of increasing or decreasing their IT security budgets. 49% report that they’re spending more this year on IT security than they did last year. Awesome. But this stat is tempered when you consider that 51% indicate that their budgets either decreased (6%) or remained unchanged (45%) from the previous year.
However, there is a bit of good news here. 94% of survey respondents indicate that they either plan to spend the same amount (48%) or increase their spending (46%) in the next 12 months. Of course, we’d prefer to see the higher number in the “we-want-to-increase-our-spending-on-IT-security” budget category, but I guess we’ll take the wins where we can.
There’s also one very important consideration to keep in mind when it comes to budgets and IT security spending: every organization is different and each one allocates different amounts to begin with. So, some companies may start out with a higher amount (closer to the $249,000 end of the range mentioned earlier) and need to increase it less each year while others may have a much smaller budget (like the $5,000 end of the range) and need more significant investments.
Passwords are the keys to the kingdoms of most small and mid-size organizations. These are the secrets that provide access to user accounts and, through them, to everything from banking and finance accounts to employees’ personal records. Comparitech, citing LastPass data, shows that small business employees are the biggest offenders when it comes to poor password security: “Those working for companies with 1-25 staff reuse passwords an average of 14 times.”
Yeah, definitely not good. So, it makes sense that one of the sections of the Devolutions report highlights 18 security projects that respondents wanted to take on in the next 12 months… more than one-third of which relate to password or account security:
Of course, using secure passwords (or implementing PKI-based client authentication) isn’t all you can or should be doing to secure access within your organization. Additional steps you can take include:
Our final data point from the Devolutions report focuses more on the employees themselves:
Not bringing new employees into the fold isn’t necessarily bad news. Yes, on the one hand, it could mean that they don’t want to fork out the funds to hire new people and skills. But on the other hand, it may mean that they already have the right people and skills in place, so they don’t need to hire anyone else. (Less likely, but definitely still a possibility.)
Unfortunately, the former is the most likely scenario. Another recent survey from Cobalt (The State of Pentesting 2022) shows that nearly all of their 602 respondents indicate that they’re affected by staffing and talent shortages. Regardless of the cause of the shortages (whether they don’t hire enough people or employees leave), labor shortages ultimately lead to many security issues for the organization and team members who remain.
We hope this article has been enlightening and given you greater insights into investing in cybersecurity as a small or mid-size business. Whether you have just a handful of employees or 100, every person, application, and device that exists within your IT environment represents a potential attack surface that cybercriminals can target.
Strong IT and cybersecurity controls are not just crucial to preventing cyber attacks; they’re also compliance requirements for notable standards like the EU’s General Data Protection Regulation (GDPR), the U.S.’s Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Casey Crane is a regular contributor to (and managing editor of) Hashed Out. She has 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.
© 2022 The SSL Store™. A Subsidiary of DigiCert, Inc. All Rights Reserved.