New Cisco report: SMB security posture catches up to enterprise counterparts
Introduction
Small-to-medium businesses (SMBs) have a lot to deal with. Compared to enterprises, they have a huge number of responsibilities but fewer resources to meet them and even fewer people to do the work. One area in particular that wasn't really addressed in the past is cybersecurity, because companies that ran lean on staff usually couldn't afford to have a dedicated security person.
There can be a great deal of confusion about this issue in the public eye, as well as questions such as, "Why was this place attacked?" or "Don't they care who they're hurting?" The remark that comes up most often is, "They're too small a target to be worth anything."
Despite this, over the past few years, there has been a major shift in the way that SMBs handle cybersecurity. This is because one key element has changed the entire game: automated attacks don't care who you are or how small your company is.
As a result, SMBs have started to see the impact that ignoring this threat can cause and have begun to move towards a more secure posture simply because they can't afford not to. Cisco recently published a report detailing these findings, entitled "Big Security in a Small Business World". For the scope of this report, Cisco is referring to organizations between 250 and 500 people as SMBs.
Breaches
Attacks don't care whether you're big or small. Larger targets may invite numerically more attacks and more determined attackers, true, but attacks of opportunity still happen.
SMBs have shown that they are taking these threats seriously and for the most part are trying to be transparent with the public as a result, with 50% of SMBs polled saying that they’ve had to manage public scrutiny from a security breach, compared with 51% of enterprises. This means not only being subject to more intense examinations, but also being forthcoming about data breaches.
SMBs also have to deal with questions about how they handle customer data, as the conversation about data abuse becomes much more intense. According to the report, 74% of SMBs say that both customers and prospective customers have asked about data privacy and handling of personal information.
Backup and restore
Once an attack has happened, recovery time is a critical consideration: how fast can your organization get back to normal operations?
In the past, SMBs may not have prioritized backups because they felt they would never use them. After an attack, however, backups are the most critical thing that can help your company survive. Time is always a factor, of course, and the amount of time it takes to recover from backups can really determine how effective they are.
According to the report, there isn't a lot of difference anymore in the time it takes for SMBs to recover data when compared to enterprises in both short (0-8 hours) and extended (longer than 8 hours) downtime scenarios. This is shown in the numbers, with 75% of SMBs having a short downtime due to a breach versus 68% of enterprises, while extended downtime comes in at 24% versus 31% respectively.
Personnel
We spoke earlier about SMBs lacking dedicated cybersecurity people in the past, but that is rapidly changing. According to the report, 60% of SMBs polled reported having more than 20 people dedicated to security, while enterprises polled were at around 79%.
Infrastructure
While enterprises obviously have more resources to devote to acquiring newer and more up-to-date hardware and software solutions, SMBs are rapidly closing that gap. 42% of SMBs consider their infrastructure to be “very up-to-date,” while 52% “regularly update” their infrastructure. Combined, this means that 94% of the SMBs polled are staying in a good place and maximizing the resources they can get instead of going after every single slight upgrade.
Threats
We mentioned before that automated attacks do not discriminate at all, and that’s shown to be true in the report, with the most likely threat to cause significant (more than 24 hours) of downtime.
While threats start to diverge after that, with DDoS attacks affecting enterprises more and phishing affecting SMBs more, attacks such as stolen credentials affect both sides to varying degrees. This shows that just because your scale changes, it doesn't necessarily mean that you're in the clear.
Proactive actions
Being proactive in threat management can mean the difference between shrugging off an attack and having to deal with a massive amount of fallout after a breach. SMBs have absolutely seen the benefit in this, with the report showing that 72% of SMBs polled have teams dedicated to threat hunting.
Test the plan
Keeping calm during a crisis can mean the difference between fast, effective action and panic. One of the most critical ways to do this is by running drills or testing disaster recovery plans regularly.
According to the report, around 45% of SMBs reported that they run exercises once every six months, compared with 49% for enterprises — showing that SMBs aren't very far behind their enterprise counterparts.
Leadership support
Without support from upper management, cybersecurity is always going to be an uphill battle. Fortunately, 87% of SMBs have executive leadership that considers security a high priority, according to the article. This allows for cybersecurity awareness training to be mandatory in 84% of those SMBs compared with 88% for enterprises — a huge boon to any program.
Regular updating
Regardless of the vendors that you use, patch management is essential. Unfortunately, with the number of potentially bad updates that get pushed out, update schedules can vary wildly. According to the article, 56% of SMBs patch daily or weekly compared to 58% for enterprises, while 37% update bi-weekly or monthly compared to 34% for enterprises. This still shows, however, that the lion's share of SMBs are able to mitigate discovered issues quite quickly.
Conclusion: Crunching the numbers
It can be difficult to show at a glance how effective any program can be without some form of deliverable to show upper management. SMBs have this in the bag, with 86% of those polled having definitive metrics to show the effectiveness of their security programs that were established by the executive team. Whether that is due to the tools generating these deliverables or to SMBs having created custom guidelines themselves, this isn't that far off from the enterprise polled value of 90%.
SMBs have been steadily closing the gap when it comes to cybersecurity and becoming less vulnerable than they used to be. They are now able to show this definitively and able to recover from an event if/when an attack does make its way through. Being able to make the most of what you have is critical for SMBs, and with the right support and the right people, it absolutely is possible.