SMBs are being compromised due to human error, ignorance, and apathy.

ESG recently completed a research survey of 400 cybersecurity and IT professionals working at small organizations (i.e. 50 to 499 employees) in North America. As you can imagine, these firms tend to have a small staff responsible for cybersecurity and IT, reporting to business management rather than CIOs or CISOs. (Note: I am an employee of ESG.)

How are these firms doing with cybersecurity? Not so good. Two-thirds of the organizations surveyed experienced at least one cybersecurity incident (i.e. system compromise, malware incident, DDoS, targeted phishing attack, data breach, etc.) over the past two years.

Nearly half (46%) of survey respondents said security incidents resulted in lost productivity, 37% said disruption of business applications or IT system availability, and 37% said disruption of a business process or processes (note: multiple responses were accepted). So, small organizations are being targeted and compromised, and security incidents tend to result in a measurable financial impact.

The biggest contributors to cybersecurity incidents at SMBs

ESG also asked survey respondents to identify the issues that represented the biggest contributors to these security incidents. The data reveals that:

- 35% of respondents believe the biggest contributor to security incidents is human error. This makes sense, as small cybersecurity/IT teams tend to be made up of IT generalists rather than cybersecurity specialists. This results in things such as misconfigurations, ad hoc processes, and haphazard controls.

- 28% of respondents believe the biggest contributor to security incidents is a general lack of understanding about cyber risk. This is a big one, as too many small organizations believe they can't possibly be a target, so they underinvest in or ignore basic security preparation and hygiene. The "it won't happen here" attitude can be the kiss of death. Small business executives must realize that it can and does happen everywhere.

- 27% of respondents believe the biggest contributor to security incidents is new IT initiatives, such as cloud and mobile computing or SaaS adoption, that have been implemented without the proper security controls. This could be the result of a lack of knowledge, or perhaps business people signed on to SaaS without alerting the security/IT team. Either way, there is an absence of thorough oversight around IT and cybersecurity policies.

- 24% of respondents believe the biggest contributor to security incidents is a lack of adequate cybersecurity training for non-technical employees. Small businesses don't believe they are targets, so they don't invest in cybersecurity awareness training. That's a real problem for these organizations and everyone who does business with them.

- 20% of respondents believe the biggest contributor to security incidents is that those tasked with cybersecurity can't keep up with their workload. When it comes to cybersecurity, many small businesses are understaffed and lack advanced skills. These firms should seek out help from managed security service providers (MSSPs) as soon as possible.

In my humble opinion, it's time SMB executives realize that small businesses represent an easy mark for cyber adversaries. Criminals target SMBs to extort money or steal valuable data, while nation-states use small businesses as a beachhead for attacking connected partners. Hopefully, this ESG research will help small businesses wake up to the dangers they face every second of every day.

I'll be blogging more about SMB cybersecurity in the weeks to come. Stay tuned.