Cybersecurity technology provider CrowdStrike, an industry leader in endpoint protection, recently published a report on its State of SMB Cybersecurity Survey. The report explores pressing concerns and evolving trends in the cybersecurity postures of small- to medium-sized businesses. Organizations of all types can gain insight to inform their ongoing security efforts from the findings of the survey.
According to the survey, 94% of SMBs responded that they were aware of cybersecurity threats, and 83% reported having a cybersecurity plan in place. These statistics seem promising, but SMB security strategies nonetheless fall short in many areas. Only 42% of SMBs provide their employees with regular security training, and 36% of SMBs are actively investing in new tools.
The AI Opportunity Gap
Artificial intelligence remains on the rise in cybercriminal playbooks, and security experts are likewise looking to leverage AI tools to defend against threats. A mere 11% of SMB respondents are using AI-powered security tools, meaning the vast majority are underprepared for AI-enhanced attacks. Bad actors have been adopting AI quickly over the past several years to increase the efficiency and success of their attacks. Automating certain security processes has the potential to reduce security costs and complexity.
Although the report “shows that small-to-medium businesses lag behind in adoption of new technologies, these businesses have a variety of scalable, approachable security solutions with AI assistance available,” says Darren Guccione, CEO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. “While AI-based tools open worlds of possibilities, organizations of all sizes must proceed with caution.” Scalable, AI-powered security remains largely untapped by SMBs for a number of reasons, including technical, operational, and regulatory challenges.
Budget Constraints and Misaligned Priorities
Unfortunately, threat awareness does not necessarily translate to an effective security strategy. In spite of the high percentage of organizations acknowledging the risks, many fall short in their security efforts due to constrained resources and insufficient prioritization of security. Two-thirds of SMBs say that cost prevents them from upgrading their security tools, and only 6.5% believe that their budget is fully sufficient for their needs.
Smaller organizations are particularly at risk: half of organizations with fewer than 50 employees spend less than 1% of their budget on cybersecurity measures. This highlights a concerning disparity in the security capabilities of different-sized organizations. The smallest businesses are the ones likely to suffer the most from inadequate security strategies, as smaller budgets leave less room for investing in advanced and adaptable security measures.
Complexity Overload and the Role of Third Parties
The extreme complexity of the market and interconnected supply chains can make effectively securing an organization against threats a daunting task. Half of SMBs in the survey responded that they feel overwhelmed by the number of security solutions available. “These organizations should begin with a thorough cybersecurity risk assessment, which can inform their search for relevant support,” according to Guccione.
Nearly 70% of SMBs depend on managed service providers or external advisors to help them handle their cybersecurity strategies. These management services are appealing to smaller organizations that may not be able to afford in-house security or IT teams large enough to navigate the broad market and handle complex operations. Massive tool sprawl contributes to stalling the effective adoption and integration of security solutions.
Ransomware’s Outsized Impact on the Smallest SMBs
Ransomware is a concern that all organizations should seek to protect against, but the smallest organizations, those with fewer than 25 employees, report the highest proportion of all ransomware incidents (29%). Smaller organizations often think that they won’t be considered big enough to be victims of ransomware, but attackers tend to target these businesses because they are likely to have fewer defenses in place and less resilience to recover from security events.
These businesses may also be aware of the risk, but still lack the resources and priorities to implement sufficient measures against ransomware. This applies not only to ransomware, but to security at large: less than half (47%) of micro-businesses have security plans in place, compared to 90% of larger SMBs. Ransomware actors are broadly aware of this disparity as well, and use it to their advantage when choosing targets for their attacks.
What SMBs Need Now
In today’s threat landscape, organizations are generally aware that there are cyber risks they must prepare for and defend against. However, SMBs are often not equipped to develop, implement, and maintain effective security strategies. To protect SMBs against the most pressing risks in modern environments, it is vital to lower the barriers to implementing those strategies.
SMBs need simple, affordable, and AI-ready solutions so that the tools they implement now will continue to be effective down the line. They require consolidated toolsets with strong default protections to reduce the resources needed for initial implementation. It is also crucial for SMBs to have access to effective security education and to support from trusted partners as they adopt these measures.
A Call to Secure the Underserved
The readiness gap in cybersecurity is not an issue that only affects SMBs: helping smaller organizations achieve cyber resilience is crucial to securing many other businesses against third-party and supply chain risks. Industry leaders should, like CrowdStrike, commit to delivering security that SMBs can use without being priced out or overwhelmed by complexity. Adaptable and scalable technology is a necessary part of any security strategy that hopes to support SMBs as they grow.