Debunking a myth – SMB is not lagging behind in terms of cybersecurity protection
Recent years have significantly changed how cybersecurity is perceived. After years of feeling relatively safe from viruses such as ILOVEYOU, thanks to innovations in operating systems and access to high-quality proactive antivirus protection, we must now face new cyberthreat variants. Following such breakthrough events as the global ransomware campaign or the disclosure of the Spectre/Meltdown vulnerabilities, the approach to IT security has changed in many organisations.
However, we all fall for the belief that an organisation's knowledge and skills in cyberthreat protection are proportional to its scale: the larger the organisation, the better it handles potential hacker attacks and other types of threats, and the better its implemented procedures are. It is widely believed that the SMB sector is the most prone to such threats, as such enterprises are thought to be the least capable of securing solid protection, or simply do not see the need for it. Is that belief true?
SMB is increasingly better at dealing with security protection
Much indicates that this is no longer the case. That conclusion can be drawn from an interesting report recently published by Cisco. The report offers a perspective on how cybersecurity is approached by small and medium-sized enterprises, which are the driving force of many countries. It seems that the aforementioned developments in the cyberthreat landscape, led by the ransomware campaigns, which proved a serious threat to SMBs as well, have contributed to the revision of existing procedures and, in some cases, to their preparation in the first place.
It is enough to see how easily hard data can debunk myths about SMB security. For example, it is not true that smaller organisations experience longer service outages related to IT issues. Quite the contrary: last year, 24% of small and medium-sized businesses experienced outages longer than 8 hours related to a cybersecurity compromise, whereas among larger organisations the percentage amounted to 31%.
Outsourcing solves staff problems
Another debunked myth concerns an issue the entire IT industry has been facing for decades: staff shortages. According to hard data, only 1% of small and medium-sized enterprises have absolutely no staff dedicated to IT security. Even more surprisingly, among the 500 SMB companies that took part in the research (the deciding criterion being a headcount of no more than 500 employees), 60% had a team of more than 20 people dedicated to securing the company infrastructure. It should be added that this also includes companies that take advantage of outsourcing.
There is also positive news in the report regarding the testing of organisational security. As is well known, regularly checking the efficiency of incident response teams, as well as the implemented security standards in their various aspects, is a key issue. Even the best procedures may turn out to be ineffective if they remained only on paper until the moment of the incident. Yet only 1% of SMBs have not tested their plans, and 45% conduct such tests twice a year. As demonstrated, the aforementioned values vary much from those displayed by large organisations.
SMB is no longer afraid of security patches
There is also encouraging data on an aspect of security that small companies notoriously neglected for years: the prompt installation of security patches issued by vendors. Previously, managers assumed that if something works, it should not be changed. New threats changed this dangerous attitude, and the popularisation of Software-as-a-Service possibly played a role as well. As a result, as many as 56% of small and medium-sized enterprises patch their own IT infrastructure daily or weekly. In larger organisations, the percentage was just a little higher, amounting to 58%.
However, so that IT department executives in the SMB sector do not become too content with their results, it must be pointed out that the report also covers myths that may seem at least partially justified. Despite their efforts, larger organisations are better at infrastructure modernisation: as many as 54% of them consider their infrastructure to be up-to-date, whereas in smaller organisations the percentage amounts to 42%. Additionally, the thesis that SMB companies fall victim to different kinds of attacks than large companies was confirmed. Regardless, the belief that small and medium-sized enterprises neglect cybersecurity may be regarded as obsolete.