SMB vs Enterprise Cybersecurity Strategies: Where Risk Management Fits In

That SMBs and enterprises approach and prioritize IT security and risk management differently is to be expected. It’s the details that make studies that tackle data security and risk management in hybrid environments--where priorities can differ significantly from platform to platform--interesting and potentially actionable.

Netwrix’s 2017 IT Risks Report, includes a dedicated section on cybersecurity risks in large enterprises and SMBs, compiled from interviews with 723 IT pros from organizations worldwide, two-thirds of which are SMBs. Here’s a summary of the full study.

In the meantime, here are the SMB/enterprise results:

SMBs double up: Among SMBs, 73 percent do not have a separate information security function. In large organizations it’s only 33 percent. Furthermore, with SMBs, 80 percent of IT operations teams are partly responsible for security. In large enterprises, only 56 percent of IT operations hold security responsibilities.

Startling result: 79 percent of large organizations and 88 percent of SMBs do not even use any software for information security governance or risk management.

Enterprises want data: 65 percent of large organizations prioritize security of data, claiming to have complete visibility into user activity and IT changes in databases. On the other hand, 60 percent of SMBs primarily focus on endpoint protection.

Startling result: While the majority of enterprises have deeper visibility into what is happening with their structured data (65%), SMBs seem to be more adept at perimeter defense.

BYOD is for the big guys: While all organizations are challenged by BYOD and shadow IT, only large enterprises see it as critical to the overall security of their IT infrastructures (34% for BYOD and 41% for shadow IT). For SMBs, visibility into on-premises systems (49%), cloud systems (36%) and corporate mobile devices (34%) are more critical for security.

Startling result: Organizations seems to struggle to manage unstructured data stored in a remote data center as much as they are challenged by BYOD and shadow IT.

Budget, training barriers: Both SMBs and large organizations pointed to a lack of budget and insufficiently trained staff as main obstacles to better security.

Startling result: Large enterprises also identified the complexity of their IT infrastructures as a security inhibitor, while SMBs complained about lack of time.

Businesses of all sizes plan to invest in protection against data breaches (34% of SMBs and 50% of large organizations), intellectual property theft (31% of SMBs and 41% of large organizations) and fraud (31% of SMBs and 41% of large organizations).

Startling result: Only 25 percent of SMBs and the same percentage of large enterprises say they are well prepared to beat cyber risks.

Netwrix offered some suggestions for how SMBs can elevate themselves to enterprise level security:

  • Focus on what’s important, not just the perimeter: SMBs should determine what assets or systems are critical to their business and focus on monitoring user activity there.
  • Shift from reactive to proactive: Have a clear understanding of your data, its importance to the company, who has access to what files, and if they need it or if you can limit their privileges and therefore lower risk of data exposure.
  • Hire a dedicated security pro: With most SMBs, the IT team is responsible for nearly everything computer-related. Security can easily get lost in the shuffle. A dedicated security person is a good answer.

“We were interested to see to what degree large organizations and small and medium businesses are exposed to cyber risks, whether or not the risks they face are different, and what they do to strengthen the security of their critical assets against IT threats in the future,” wrote Ryan Brooks, product evangelist at Netwrix, in a blog post.

Netwrix makes a visibility platform for data security and risk mitigation in hybrid environments.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.