It’s untrue to say that small and medium-sized businesses (SMBs) take cybersecurity less seriously than large enterprises.

Cisco recently compared the security strategies of SMBs (250-499 employees) and larger companies, based on its 2020 CISO Benchmark survey.

“We found that, regardless of company size, what matters is gaining a foothold in security,” says Wolfgang Goerlich, CISO Advisor with Cisco. “For example, through executive buy-in, focusing on security personnel, and enhancing capabilities with the right technologies.”

The report, Big Security in a Small Business World, busts several misconceptions about SMB cybersecurity approaches. Here are a few of them.

Myth: SMB leadership doesn’t take security and data privacy seriously.

There is clear evidence of executive buy-in, no matter the company size. For example, 87% of SMBs and 90% of large enterprises say that executive leadership considers security a high priority.

“There has been a clear sea change in the last few years,” says Goerlich. “This has been led by the breaches that we’ve all seen and the impacts that we’ve all felt. Now, security is a C-level and an executive-level conversation. There has been a doubling-down on the need to prioritize cybersecurity.”

Myth: Larger businesses suffer less downtime and recover faster from attacks.

Here again, the differences are slight. Unfortunately, organizations of every size suffer downtime following a cyberattack: 24% of SMBs and 31% of large enterprises report more than eight hours of downtime after a severe attack.

Yet, the good news for SMBs is they’ve made strides in rebounding: Two years ago, 40% suffered more than eight hours of downtime.

Myth: SMBs lack personnel dedicated to security.

The total number of employees doesn’t affect the size of cybersecurity teams. In fact, 60% of SMBs said they have more than 20 dedicated security professionals — whether that’s on staff or with an outsourced managed services provider.

That said, attracting and retaining trained personnel is among their top challenges.

“SMBs have to really double-down on how they find and progress talent,” Goerlich says. That might mean investing more time in finding the right people, and working creatively with their HR departments to develop skills among existing staff, he added.

Myth: Large businesses have more updated infrastructures.

SMBs invest just as strongly in upgrades as larger enterprises: 94% say they do so regularly or constantly.

“Most SMBs accept that they’ll need to work with and secure legacy systems for a long time,” Goerlich says. “Especially as we leave a period of economic prosperity and move into a period of belt tightening, there are opportunities to prioritize and re-focus spend. The goal should be to protect the mission of the business or organization.”

Myth: SMBs don’t proactively perform threat hunting.

It may be surprising to see that 72% of SMBs say they have personnel who are dedicated to threat hunting, compared with 76% of large enterprises that do.

“For a long time, threat hunting was seen as being a very technical, complicated skillset — likely out of reach for most organizations,” Goerlich says. “However, many security technologies now support and integrate threat intelligence, which gets strong research and tools into the hands of professionals on the front lines who can act on it.”

The Bottom Line

“SMBs have taken and are taking opportunities within their budgets to improve cybersecurity,” Goerlich says. “Their next step should be a tools and vendor rationalization program, which would not only reduce complexity, but would also make their budgets even more efficient and effective.”

Read the full myth-busters report, Big Security in a Small Business World, here.