by Andy Bober, EVP Product Management
Large enterprises have access to many annual surveys, trends, and guidance on protecting their organizations from cyber threats. These insights are great for the Fortune 500 crowd, but what about everyone else?
Recently, SilverSky surveyed our customers, and we’re sharing some of our findings to serve as both a sounding board and a guidepost for non-G2000 organizations. As we work exclusively with small- and medium-sized organizations (SMB), SilverSky has a different perspective of the market than you’ll get from most other sources. In other words, if you work in a credit union, a healthcare office, or a specialty retailer and you are concerned with compliance, ransomware attacks, or simply managing your networks and productivity applications, then this article is for you!
Of our more than 120 respondents, roughly 60 percent represent IT functions and approximately 40 percent perform business functions. In line with SilverSky’s current customer base, the financial services sector is the largest industry represented. However, all other key verticals participated, including healthcare, manufacturing, and retail. We also had the opportunity to sit down with a smaller group of customers to gather additional context that cannot be thoroughly gleaned from a written survey.
So what did we find? Rather than go through every detail, we’ll hit a few key trends and observations.
SMB Cybersecurity Trends 2020
SMB Cybersecurity Trends Finding #1: Treading water in the yin-yang of cyber. While there are many benefits that businesses and consumers derive from government and industry regulations, the effort required to comply is becoming an increasing burden, particularly for smaller organizations as they face accelerated change in this arena. Some of the luxuries enjoyed by large enterprises, like a dedicated Chief Compliance Officer or a standing incident response team, are simply another hat that security and compliance professionals in smaller organizations must wear. While this may sound benign, it presents a real risk—more time spent on compliance means less to spend on proactive security. SilverSky’s financial services clients value our FFIEC accreditation for this reason, just as healthcare organizations value our ability to help them achieve compliance with HIPAA and other regulations. Small organizations cannot cost-justify hiring full-time specialists to support their security and compliance efforts, so having the right partner is critical to their success.
SMB Cybersecurity Trends Finding #2: Minding the gap. Security and compliance professionals credited their leadership teams for understanding, supporting, and resourcing their cybersecurity efforts—only 3 percent of our survey respondents didn’t share this view. But when asked about exposures and having the skills and resources, the picture is quite different. Almost a quarter—23 percent—acknowledged their businesses lacked compliance understanding and had exposures, and 17 percent indicated their organizations lacked the skills and resources needed for compliance and to maintain their security plans. Customer discussions confirmed the obvious here. First, non-enterprise organizations are either too small to justify staffing dedicated security expertise or struggle even more than large ones to hire and retain security and compliance talent. Second, with a skill and capacity gap, spending time on compliance efforts often comes at the expense of security. Bad guys are well aware that smaller prey may be much easier to breach, and they aren’t bashful about opportunistically targeting their victims. We all know a small business owner who’s been hit with a ransomware attack, and more public breaches, such as the recent attack on the City of New Orleans, are becoming so commonplace that they are no longer front-page news.
SMB Cybersecurity Trends Finding #3: Stayin’ alive. Email still has its groove, both as a primary communication medium in the workplace and as the primary threat vector for outside attacks. Two-thirds of those surveyed indicated email vulnerabilities were the main concern that keeps them up at night. To help them sleep at night, 87 percent currently use email protection technology to combat this threat. While the ‘looseness’ of the email protocol makes it an easy target for even unsophisticated hackers, as organizations transition to cloud-based office productivity tools like Google’s G Suite and Microsoft’s Office 365, there are additional worries. Apps aimed to make it easy for teammates to share and collaborate—think Microsoft OneDrive and Teams—are also relatively easy for bad actors to use for nefarious purposes. In many cases the move to cloud-based productivity applications is inevitable, but you don’t have to do so in an exposed or risky manner. Smart, risk-aware organizations are considering security as a primary need in their transition to cloud-based productivity.
SMB Cybersecurity Trends Finding #4: Desire single provider. Given the complexity of cybersecurity and regulatory compliance, large enterprises often address specific threats with ‘best of breed’ technology, and either have a large internal staff or ongoing relationships with system integrators to tie everything together. Our survey respondents had a simpler need—a single provider for all of their primary security and compliance support needs. There are a few reasons for this, and in general, they are pretty obvious. First, providing threat protection against multiple vectors requires coordination across different devices and systems. Having a single partner like SilverSky, instead of dealing with numerous specialists, means that the partner, and not the company’s staff, provides most of the coordination along with monitoring, detection, and so on. Second, it’s more cost-effective from procurement and ongoing vendor management perspectives to have fewer partners addressing these critical services. Lastly, it’s trust. A partner who is in it for the long term can complement what’s often a short-handed in-house cyber team. They can help your organization continuously improve as the threat landscape evolves and yield a much more attractive risk-reward profile than a more transactional approach to partnering.
In closing, while SMBs can learn from the guidance and trends tailored to large enterprises, they have to be pragmatic and filter what does and doesn’t apply to them. Small businesses are scrappy by nature and have a different cost-risk-compliance equation than their enterprise peers. Our customers, and organizations like them, need high-quality support, sophisticated technology, and expert compliance guidance to help them stay ahead of the curve.
Could your security team use expert help? Are you concerned about compliance audits, ransomware attacks, or other cyber threats? Contact SilverSky to learn about our managed security services offerings.