Survey: SMBs Don’t Recognize Good Security

How can small businesses step up their security game?

Every business is at risk for a cyberattack. Every single business, whether it is a multinational conglomerate with hundreds of thousands of employees or the family-owned food truck in front of your office building, is at risk just by being connected to the internet.

Yet, businesses remain woefully unprepared. According to a new study by Continuum, even though 1 in 4 respondents admitted to being hit with a cyberattack in the past six months, half of SMBs feel helpless to defend themselves from new forms of cyberattack.

Some of the unpreparedness may be due to a lack of concern about cybersecurity. The report found that very small companies don’t worry about security as much as even their slightly larger competitors do. That makes sense. If you are a very small shop, you are going to focus your time and budget on taking care of business operations. Of the seven people in-house, chances are no one is your security guy.

And that’s one of the reasons why SMBs are insecure about their security stance. Many of them, according to the report, “… lack the in-depth tools and in-house expertise to harden their systems and networks against potential threats.”

But let’s be honest: The cybersecurity woes of SMBs aren’t breaking news. The ambivalence and the lack of staff and tools are issues that have been discussed for more than a decade. What caught my attention with this study was this: SMBs, even the smallest who may not worry as much, do know that security is important, but they don’t recognize “good” security.

“It is this lack of education and understanding that has led to lower levels of advanced protection within SMBs, which in turn leads to attacks on these businesses becoming more commonplace,” the report stated.

Lack of Incident Response

I have a friend who works with a volunteer organization. Her volunteers think they know all of the steps to put the event together, but they end up making a lot of mistakes along the way. When they apologize, my friend tells them, “You don’t know what you don’t know,” and shows them the correct method.

Cybersecurity is a lot like that. You know not to click on the links in a phishing email. Or someone from the MSSP you hired tells you that you have the right system in place. You know enough of the basics to get you through, which is probably why nearly 3 in 4 survey respondents said their cybersecurity protections are very good or excellent, and that their organization puts more emphasis on response than on prevention.

Except you don’t know what you don’t know. And in this case, what they don’t know, the study found, is that SMB security often stops short of incident response planning, cybersecurity insurance and having in-house cybersecurity experts. They aren’t prepared for the incident aftermath.

I asked Brian Downey, senior product manager for Security at Continuum, why SMB security stops short with incident response planning. Downey blamed it on the lack of access to cybersecurity expertise to help prepare for an attack.

“The skills shortage has made it difficult enough for cybersecurity companies to hire skilled experts, so for a small business, it’s almost impossible to hire the level of professional they’d need to put incident response plans in place,” Downey said. “Instead, they rely on tools to build their protection, which often aren’t enough, which means attackers can and do break through. When that happens—we’ve seen that particularly with ransomware—SMBs are often left with little choice but to take the hit, which can be a death sentence for their business.”

Still Need Better Prevention

If the response plan isn’t there, SMBs need to step up their preventive measures to be more proactive rather than reactive in their approach. Downey offered the following tips on how to approach the cybersecurity conversation with your service provider:

  • Talk to your IT service provider about the prevention measures that may already be in place. “It’s possible that their provider is already enacting these measures, but without regular conversations on their cybersecurity implementations, a small business could be blind to their level of protection,” Downey said.
  • Don’t hesitate to ask a lot of questions about what the preventive coverage includes. The questions should cover issues such as phishing tests, response plans and recovery options to ensure the business is protected in the event of an attack.
  • Be ready to hold your provider to a high standard and look elsewhere if a competitor answers your questions better. “We found that 9 in 10 SMBs would consider hiring a new provider for the right cybersecurity offering,” Downey stated. “After all, the future of their business is at stake.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.