SMBs Know They’re At Risk, but Most Aren’t Embracing AI
Small and midsize businesses are becoming more popular targets for ransomware gangs and other bad actors and say they are aware of the threats they face, but they’re losing ground in pulling together the necessary tools to protect themselves, according to a report by cybersecurity giant CrowdStrike.
Of the 291 executives of companies with 250 or fewer employees surveyed, 93% said they were knowledgeable about cybersecurity risks and 83% said they have a plan in place. However, only 36% are investing in new tools, and 11% have AI-powered defenses in place, the vendor found in its State of SMB Security Survey released this week. In addition, only 42% offer regular employee security training, even though humans continue to be the weakest part of a company’s overall defenses.
“Most SMBs continue to rely heavily on outdated tools” like commodity firewalls (91%) and traditional antivirus solutions (70%), despite the well-publicized shift by threat groups over the past few years toward fileless malware, credential theft, and zero-day exploits, the study’s researchers wrote.
In addition, most SMBs have yet to use AI-powered tools despite a high adoption rate of the emerging technology among bad actors themselves, “highlighting a dangerous disconnect between the tools SMBs depend on and the evolving threats targeting them,” they wrote.
SMBs are Attractive Targets
The study comes as more bad actors turn their attention to SMBs. About 43% of all attacks in 2023 were against smaller businesses, according to Accenture, with the average cost ranging from $120,000 to $1.24 million.
The reasons vary. SMBs are attractive targets because they tend to have less robust defenses, limited IT resources and plenty of data that bad actors can seize and sell on the dark web, according to IT services provider Gibraltar Solutions. Automated tools make it easier for threat actors to target large numbers of SMBs, and many such companies don’t understand why they are attractive targets, creating a false sense of security that may keep them from investing enough in cybersecurity.
Like other vendors, CrowdStrike is expanding the solutions and services it offers to SMBs. In recent months, CrowdStrike has partnered with other companies, including SonicWall and Vectra AI, to expand what it offers SMBs.
Costs of Tools Influencing Decisions
CrowdStrike’s report revealed several trends, including that the size of a company can influence how sufficient its defenses are. About 47% of those with fewer than 50 employees said they have a security plan in place, and more than half spend less than 1% of their annual budget on security. Meanwhile, 90% of companies with 150 to 249 employees have formal security plans and 45% allocate more than 6% of their budget to security.
The cost of cybersecurity is also a worry.
“For many SMBs, the biggest barrier to stronger cybersecurity isn’t a lack of awareness — it’s a lack of resources,” the researchers wrote. “Cost is the most commonly cited obstacle to adopting advanced security tools, with 66% of SMBs naming it as their top concern.”
Only 7% said their cybersecurity budget was “definitely sufficient.”
Concerns about cost also drove most decisions regarding security. About 67% of SMBs made affordability a priority when selecting a solution, with the researchers writing that “this emphasis on affordability over effectiveness often results in false savings where lower-cost solutions fail to deliver real protection, leaving businesses exposed to expensive breaches.”
When they do go shopping for security tools, half of the SMBs surveyed said they were overwhelmed by the number of tools to choose from and almost 70% rely on third-party advice.
Ransomware is a Top Threat
As with their larger counterparts, ransomware is a top threat to SMBs and among their top concerns, with 45% of mid-size and larger SMBs calling it their greatest worry. That said, only 14% of SMBs with 50 or fewer employees identified ransomware as their number-one cyber concern, even though they are getting hit hardest. About 29% of those with fewer than 25 employees said they were hit by ransomware, while 19% of the larger SMBs were.
“These attacks often exploit the weaknesses common among smaller businesses: limited in-house expertise, inadequate security controls, and reactive IT strategies,” the researchers wrote.
They pointed to the “dangerous gap between knowing the risks and being able to stop them,” noting that such assets as managed security services, integrated platforms that can grow as needed, and AI-powered tools already are helping smaller businesses build stronger defenses without overwhelming them. They also stressed the need for partnerships.
“Enterprises also have a stake in securing the SMBs they rely on,” they wrote. “Whether it’s a supplier, service provider, or channel partner, every third party represents a potential path into the broader ecosystem. Everyone benefits when enterprises help SMBs improve their security posture through guidance, tooling, or shared intelligence. … Cybersecurity isn’t a solo effort.”