New Cisco report: SMB security posture catches up to enterprise counterparts

July 22, 2020 by Kurt Ellzey


Small-to-medium businesses (SMBs) have a lot of things to deal with. Compared to enterprises, they have a huge number of responsibilities but few resources to meet them and even fewer people to carry them out. One area in particular that wasn't really addressed in the past is cybersecurity, because companies that ran lean on staff usually couldn't afford to have a dedicated security person.

There can be a great deal of confusion about this issue in the public eye, as well as questions such as, "Why was this place attacked?" or "Don't they care who they're hurting?" The one that happens most often is, "They're too small a target to be worth anything." 

Despite this, over the past few years, there has been a major shift in the way that SMBs handle cybersecurity. This is because one key element has changed the entire game: automated attacks don't care who you are or how small your company is. 

As a result, SMBs have started to see the impact that ignoring this threat can cause and have begun to move towards a more secure posture simply because they can't afford not to. Cisco recently published a report detailing these findings, entitled "Big Security in a Small Business World". For the scope of this report, Cisco is referring to organizations between 250 and 500 people as SMBs.


Attacks don't care whether you're big or small. Larger targets may invite numerically more attacks and more determined attackers, true, but attacks of opportunity still happen. 

SMBs have shown that they are taking these threats seriously and for the most part are trying to be transparent with the public as a result, with 50% of SMBs polled saying that they’ve had to manage public scrutiny from a security breach, compared with 51% of enterprises. This means not only being subject to more intense examinations, but also being forthcoming about data breaches. 

SMBs also have to deal with questions about how they handle customer data, as the conversation about data abuse becomes much more intense. According to the report, 74% of SMBs say that both customers and prospective customers have asked about data privacy and handling of personal information.

Backup and restore

Once an attack has happened, recovery time is a critical consideration: how fast can your organization get back to normal operations? 

In the past, SMBs may not have prioritized backups because they felt like they would never use them. After an attack, however, backups are the most critical thing that can help your company survive. Time is always a factor, of course, and the amount of time it takes to recover from backups can really determine how effective they are.

According to the report, there isn't a lot of difference anymore in the time it takes for SMBs to recover data when compared to enterprises in both short (0-8 hours) and extended (longer than 8 hours) downtime scenarios. This is shown in the numbers, with 75% of SMBs having a short downtime due to a breach versus 68% of enterprises, while extended downtime comes in at 24% versus 31% respectively.


We spoke earlier about SMBs lacking dedicated cybersecurity people in the past, but that is rapidly changing. According to the report, 60% of SMBs polled reported having more than 20 people dedicated to security, while enterprises polled were at around 79%. 


While enterprises obviously have more resources to devote to acquiring newer and more up-to-date hardware and software solutions, SMBs are rapidly closing that gap. 42% of SMBs consider their infrastructure to be “very up-to-date,” while 52% “regularly update” their infrastructure. Combined, this means that 94% of the SMBs polled are staying in a good place and maximizing the resources they can get instead of going after every single slight upgrade.


We mentioned before that automated attacks do not discriminate at all, and that’s shown to be true in the report, with the most likely threat to cause significant (more than 24 hours) of downtime. 

While threats start to diverge after that, with DDoS attacks affecting enterprises more and phishing affecting SMBs more, attacks such as stolen credentials affect both sides to varying degrees. This shows that just because your scale changes, it doesn't necessarily mean that you're in the clear.

Proactive actions

Being proactive in threat management can mean the difference between shrugging off an attack and having to deal with a massive amount of fallout after a breach. SMBs have absolutely seen the benefit in this, with the report showing that 72% of SMBs polled have teams dedicated to threat hunting.

Test the plan

Keeping calm during a crisis can mean the difference between fast, effective action and panic. One of the most critical ways to do this is by running drills or testing disaster recovery plans regularly. 

According to the report, around 45% of SMBs reported that they run exercises once every six months, compared with 49% for enterprises — showing that SMBs aren't very far behind their enterprise counterparts.

Leadership support

Without support from upper management, cybersecurity is always going to be an uphill battle. Fortunately, 87% of SMBs have executive leadership that considers security a high priority, according to the article. This allows for cybersecurity awareness training to be mandatory in 84% of those SMBs compared with 88% for enterprises — a huge boon to any program.

Regular updating

Regardless of the vendors that you use, patch management is essential. Unfortunately, with the number of potentially bad updates that get pushed out, update schedules can vary wildly. According to the article, 56% of SMBs patch daily or weekly compared to 58% for enterprises, while 37% update bi-weekly or monthly compared to 34% for enterprises. This still shows, however, that the lion's share of SMBs are able to mitigate discovered issues quite quickly.

Conclusion: Crunching the numbers

It can be difficult to show at a glance how effective any program can be without some form of deliverable to show upper management. SMBs have this in the bag, with 86% of those polled having definitive metrics to show the effectiveness of their security programs that were established by the executive team. Whether that is due to the tools generating these deliverables or to the SMBs having created custom guidelines themselves, this isn't that far off from the enterprise polled value of 90%.

SMBs have been steadily closing the gap when it comes to cybersecurity and becoming less vulnerable than they used to be. They are now able to show this definitively and able to recover from an event if/when an attack does make its way through. Being able to make the most of what you have is critical for SMBs, and with the right support and the right people, it absolutely is possible. 

Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.