
Coalition: SMB Threat Awareness is High, but Security Spending Is Not

Small and midsize businesses are increasingly grappling with a rise in cyberattacks and growing exposure to security threats. However, many SMBs still assume they’re too small to be attractive targets for bad actors - an assumption that leaves them unprepared for an attack.

That’s what cyber insurance company Coalition Insurance uncovered in a survey of cybersecurity decision-makers at 1,000 SMBs around the world. The problem is that the assumption is wrong, and it is putting SMBs at risk at a time when threat groups are increasingly targeting them.

Among the key findings of the survey, titled Small Business Cybersecurity Study, was that while 79% of small businesses experienced at least one cyber incident in the last five years, 64% didn't believe they were at risk because they’re not an attractive target.

“There are several potential reasons why they may not believe this to be the case, but the reason we hear most often is that they aren’t big enough to be a lucrative score for a threat actor,” Joe Toomey, head of security engineering at San Francisco-based Coalition, told MSSP Alert. “In our observations, this is categorically false. Although one small business may not be shiny enough prey, automation has made it possible to exploit many small businesses with the same vulnerabilities simultaneously, so it’s seen as a path of least resistance.”

In addition, small businesses are more likely to have limited resources to defend themselves, Toomey said, a reason why many turn to MSSPs and MSPs to run or add to their cybersecurity operations. He noted that SMBs are victims of cyberattacks almost four times as often as larger organizations, and businesses with less than $25 million in revenue accounted for 64% of the cyber-insurance claims that came into Coalition last year.

A Problem of Perception

This false sense of security among SMBs has been an ongoing issue in the cybersecurity world. In a study by MetLife and the U.S. Chamber of Commerce last year, 60% of SMBs considered cyberthreats a top business concern, though many are still not aware of the risks or able to resolve the problem. As Coalition found, they also assumed their small size made them unattractive targets.

“Why would a hacker target a small, local doctor’s office when they could just as easily infiltrate the network of a major hospital?” Dana Larson, senior product marketing manager for cybersecurity vendor CrowdStrike, wrote in a blog post earlier this year. “The answer today is that in fact, it has become much, much harder to take down large, notable targets. As large companies and enterprise organizations doubled down on security tools and systems in recent years, strengthening their defenses against attacks, hackers have set their sights elsewhere — namely, the SMB market.”

Concern, but Not a Priority

Threat awareness is there. In Coalition’s survey released this week, 87% of SMBs were somewhat concerned about their exposure to cyber threats coming in the next 12 months, most likely because cyberattacks are becoming more prevalent, which is affecting consumers and making them assess their own cyber-health and that of their businesses, Toomey wrote in a blog post.

In addition, 83% said they believe their risk has grown over the past year alone.

“However, awareness and concern that the risk is increasing do not necessarily mean that cyber is a priority or that cyber risk is being proactively considered,” he wrote.

A Disconnect

That can be seen in the numbers. About 59% spend less than 10 hours per week on cybersecurity activities, and 74% allocate less than 10% of their budget to cybersecurity, Toomey told MSSP Alert, adding that “when you compare that to the 79% of businesses that have experienced a cyberattack in the last five years, it’s clear that there's a disconnect between awareness and investment.”

He pointed to multifactor authentication, noting that a report by the Cyber Readiness Institute found that MFA can block more than 99.9% of account compromise attacks, yet only 54% of SMBs say they’re using it.

Another disconnect is seen in what SMBs believe an incident would cost them. About 95% of them said the cost would fall somewhere between less than $500,000 and $3.5 million. However, IBM in its Cost of a Data Breach report said the average cost of a breach is $4.88 million.

For MSSPs, an Opportunity

MSSPs and MSPs can be a cybersecurity backstop for SMBs, Toomey said. Many small businesses recognize the significance of cyberthreats, but often don’t know where to begin. Managed security services providers are at the forefront of delivering cybersecurity solutions to SMBs and larger businesses, and can be allies for cyber insurance providers in stemming the growing numbers of cyberthreats.

“Outsourcing to an MSP or MSSP can be beneficial for small businesses with limited IT resources, expertise, and budgets, particularly given the wide range of managed services available, which businesses can choose based on their size, industry, and the sensitivity of the data they store,” he said.

Given that role, MSSPs and MSPs can better address the needs of SMBs by expanding their portfolios with such services as compliance alignment, risk mitigation, and proactive threat, particularly quick patching of vulnerable systems, Toomey said.

“They can also deepen the extent to which security concerns influence the vendors they resell, such as moving away from vendors with a bad history of vulnerabilities exploited in the wild,” he said. “Specifically, for MSPs, adding the second ‘S’ is a crucial step to ensuring users have the right tools and support for small businesses.”

MSPs should work with specialized cybersecurity experts to create a robust security culture within their clients’ organizations, incorporate real-time interception tools, enhance managed detection and response capabilities, and align with industry standards, he added.
