Techaisle study shows the Complex Reality of SMBs and Cybersecurity

SMB buyers are acutely aware of the threat cyber attacks pose to their businesses. The Techaisle SMB and Midmarket Security Adoption Trends survey of 2,035 IT and business decision-makers from SMB and upper midmarket firms found that nearly 30% of SMBs (1-999 employees) consider cyber attacks to be among the top three issues facing their business, with an additional 26% stating that it is the most pressing/critical IT issue facing their firms. However, less than half of the respondents were more optimistic, choosing one of three responses: “it is a critical issue, but we have established best practices to control cyber attacks,” “it is one of many different issues, and we are satisfied with our status,” or “cyber attacks are not a significant issue.”

Drilling down, we see that small businesses (1-99 employees) are less inclined to see cyber threats as a top-one IT issue or a top-three business issue; this likely arises from the fact that SMBs have less mature IT operations (meaning that many factors that are controlled in larger firms could represent top IT issues) and that they face a wide array of daily business challenges. The data showing that small businesses are likelier to have established best practices to control cyber attacks probably isn’t grounded in market reality: small businesses that handle security internally lack the resources needed to deploy optimal defenses.

However, those relying on a capable third party may reasonably claim to use best practices. Most worrying from this data, though, are the top two bars, indicating that 22% see cybersecurity as “one of many issues, and we are satisfied with our status,” with another 12% claiming that “cyber-attacks are not a significant issue.” There are small businesses – for example, individuals billing larger businesses for hourly labor – for whom cyber attacks wouldn’t represent a critical issue. However, the data shows that one-third of small businesses are unconcerned about cybersecurity. In contrast, independent studies show that most small businesses fail within six months of being breached. Techaisle thinks these businesses likely struggle to find financial justification for investments in meaningful cyber defense and instead persuade themselves that this is not a real business problem for them. Techaisle suspects that many of these firms are tuned into vulnerabilities associated with digital business practices and might be persuadable concerning the value of cybersecurity if issues and remedies were clearly and convincingly presented to them.

Core midmarket (100-999 employees) and upper midmarket (1000-4999 employees) businesses take a more proactive view of these issues. Approximately two-thirds of respondents in each group view cyber attacks as either their most critical IT issue or a top-three business issue, with the core midmarket group evenly split between these positions and the upper midmarket more likely to identify cyber as a top IT concern. More than 80% of these organizations are focused on establishing effective cyber defenses and should be viewed as prime candidates for effective solutions.

Should SMBs worry about cyber attacks?

The data above begs a related question: Is the lack of concern demonstrated by small businesses rooted in reality – is it the case that one-third of respondents don’t have much to fear from cyber-attacks?

The answer is likely somewhat complex. Data collected in the Techaisle survey found that less than half (46%) of small businesses experienced a cyber attack within the past year. The same data illustrates why core midmarket and upper midmarket firms have heightened sensitivity to this issue, with 68% and 88%, respectively) having experienced one or more attacks in the last twelve months.

The “glass half empty” side of this same debate, though, might note that the odds of a small business finding themselves under cyber attack amount to a coin flip, adding the possibility that some attacks may happen but not be found by the breached business and that a breach may be a fatal event for the business. A third perspective is found in some related data on ransomware, which has a direct, negative financial impact on firms of any size: more than one-third of small businesses report that they experienced one or more ransomware incidents in 2022.

Cyber resilience solutions

One way of forestalling or responding rapidly to a cyber attack is to establish a cyber resilience capability, integrating security and data management within a single solution so that the organization has a unified view of threats and assets. Techaisle research finds that nearly 30% of small businesses and roughly half of core midmarket and upper midmarket firms have implemented a solution of this type, with approximately 40% planning to roll out this kind of solution over the next year. This high level of awareness and investment intention signals an opportunity for suppliers who can provide insight and response capabilities as a direct offering or through MSSPs.

Guidance for Vendors

Selling sophisticated products to SMB customers is a significant challenge for IT vendors. These products must be integrated into complex solutions to deliver real customer benefits. These solutions require a wide range of supporting services – both technical services, such as integration, and business services that focus on helping customers integrate solutions within their business processes to capture real value from the solution. Vendors control only a small part of these solutions – they rely on business partners or SMB customers to assemble the products and services needed to create solutions that yield compelling business outcomes. Unlike in the enterprise market, where each customer has enough potential economic value to justify extensive direct attention, SMB suppliers need to manage the market programmatically, defining solutions and go-to-market (GTM) strategies that can meet many customer needs without requiring unsupportable levels of direct monetary and human resource investment.

This problem is especially acute with cybersecurity. Most customer environments will need defenses against many different types of threats, attackers, and threat vectors. Most SMBs will lack the internal resources to understand what is required to protect against vulnerabilities and how different “shields” can be connected without leaving (or even creating) exploitable gaps in defense posture. Even the channel members positioned as “trusted advisors” to SMB security clients struggle to keep pace with simultaneous growth in threats and threat actors, vulnerabilities tied to in-use technologies or common business practices, and the ever-changing security vendor community.

Techaisle contributes to the security vendor community’s ability to address these multifaceted demands by providing research that illuminates key SMB security market factors: drivers and spending, risks and challenges, and the technologies that SMBs are or will be allocating resources to address these risks and challenges. Techaisle utilizes its panel of over 2 million B2B responses and 300K channel partners to conduct its own primary and client’s custom research. The security research quoted above data draws its insights from a landmark survey of 2,035 security and IT business decision-makers, quota sampled to ensure deep representation of two SMB segments, small business (1-99 employees) and core midmarket (100-999 employees), as well as upper midmarket (1000-4999 employees) firms.