Balancing cloud threats and security measures challenging European SMBs and Midmarket firms

Techaisle’s Europe SMB and Midmarket security adoption trends survey shows that both small businesses and midmarket firms recognize that cloud poses a risk to their data: “cloud usage/services put us at a higher risk of a data breach” is the security-related statement that resonates most with small businesses, and it is one of the top three issues identified by midmarket respondents. However, 24% believe that they are better prepared than most to address cloud security issues. “Our security budget is sufficient to meet our needs” is the most commonly-advanced statement on IT security by small businesses but 52% of midmarket firms believe that their "budget is not sufficient to meet their security needs". Only 8% of European small businesses have formal security protocols in place to respond to a security incident as compared to 32% of midmarket firms.

There is no denying the threats that IT security frameworks address are becoming both more pernicious and a greater threat to the success of IT-dependent businesses – which is to say, nearly all businesses. Survey data also shows that in Europe, 52% of small businesses and 62% of midmarket firms experienced one or more security incidents in the last one year.

At least within the European SMBs and midmarket firms there seems to be adequate awareness of the quantity, variety and severity of threat sources but the unpreparedness is in part due to weak reporting of breaches when they occur, with only events too big to hide becoming the subjects of public discussion. Tougher disclosure legislation will make SMBs more aware of the extent of IT security issues – which in turn will likely boost investment in security solutions and reduce the number of respondents expressing comfort with their current state of readiness.

Despite the dichotomy of potential of security threats and overconfidence, SMBs are concerned about their threat landscape, both at the PC-level as well as with cloud.

Data clearly shows that small businesses and midmarket firms have very different perceptions of cyber-security risks, security approach and attitude, cloud and end-point security concerns and most effective security solutions to protect cloud data.

A review of cloud security threats and mitigation options available to European SMBs illustrates the fact that while cloud brings unique challenges, the measures used to address the expanded threat profile are consistent with those that would represent good practice in any infrastructure context. 37% of SMB survey respondents are concerned with data exposure during transfers to remote locations, 35% are concerned with the potential for cloud-based accounts to be hijacked, and 28% are worried about unauthorized access to or breaches of data repositories in the cloud, insecure interfaces used to access cloud-based systems, the potential for insiders within a cloud service provider to exfiltrate information, and denial of service (DDoS) attacks – all of which represent cloud-specific threats.

SMBs have very strong perception and understanding of technologies and practices that are considered most effective at protecting data in the cloud and addressing their cloud security concerns. These include data and network encryption, intrusion detection and prevention (IDP), the setting and enforcement of security policies, the creation of data boundaries that separate different information sets, use of access control technologies, and unified threat management. Unlike the threats, though, that are specific to cloud/hybrid IT infrastructure, these approaches do not arise uniquely from use of cloud: they can and should be applied within environments that are not cloud based as well. Any business that relies on a network and supports mobile users (necessitating access control) would do well to implement all of these measures.

Techaisle believes that there are different take-aways for suppliers focused on small and midmarket customers. In small business, there is a need to educate buyers about the gaps that exist between current preparedness and risks, and between small business readiness and the approaches that are common within larger organizations: small businesses need to understand where and how to invest in a wider range of security solutions, especially with respect to covering threats associated with mobility and cloud. There is also a need to respond to price-performance pressures.

Clearly, security itself is a complex solution area, and the marketing challenges faced by suppliers – which need to articulate solutions in terms that are appropriate to small and midmarket businesses, to BDMs and ITDMs, and via sources and channels that are relevant to the evaluation and purchase process – are complex in their own right. Security permeates all aspects of IT service delivery – and as a result, success in navigating the solution and marketing needs offers great upside for successful suppliers.