SMB buyers are acutely aware of the threat cyber attacks pose to their businesses. The Techaisle SMB and Midmarket Security Adoption Trends survey of 2,035 IT and business decision-makers from SMB and upper midmarket firms found that nearly 30% of SMBs (1-999 employees) consider cyber attacks to be among the top three issues facing their business, with an additional 26% stating that they are the most pressing/critical IT issue facing their firms. However, fewer than half of the respondents were more optimistic, choosing one of three responses: “it is a critical issue, but we have established best practices to control cyber attacks,” “it is one of many different issues, and we are satisfied with our status,” or “cyber attacks are not a significant issue.”
Drilling down, we see that small businesses (1-99 employees) are less inclined to see cyber threats as a top-one IT issue or a top-three business issue; this likely arises from the fact that SMBs have less mature IT operations (meaning that many factors that are controlled in larger firms could represent top IT issues) and that they face a wide array of daily business challenges. The data showing that small businesses are likelier to have established best practices to control cyber attacks probably isn’t grounded in market reality: small businesses that handle security internally lack the resources needed to deploy optimal defenses.
However, those relying on a capable third party may reasonably claim to use best practices. Most worrying from this data, though, are the top two bars, indicating that 22% see cybersecurity as “one of many issues, and we are satisfied with our status,” with another 12% claiming that “cyber attacks are not a significant issue.” There are small businesses – for example, individuals billing larger businesses for hourly labor – for whom cyber attacks wouldn’t represent a critical issue. However, the data shows that one-third of small businesses are unconcerned about cybersecurity. In contrast, independent studies show that most small businesses fail within six months of being breached. Techaisle thinks these businesses likely struggle to find financial justification for investments in meaningful cyber defense and instead persuade themselves that this is not a real business problem for them. Techaisle suspects that many of these firms are tuned in to vulnerabilities associated with digital business practices and might be persuadable concerning the value of cybersecurity if issues and remedies were clearly and convincingly presented to them.
Core midmarket (100-999 employees) and upper midmarket (1000-4999 employees) businesses take a more proactive view of these issues. Approximately two-thirds of respondents in each group view cyber attacks as either their most critical IT issue or a top-three business issue, with the core midmarket group evenly split between these positions and the upper midmarket more likely to identify cyber as a top IT concern. More than 80% of these organizations are focused on establishing effective cyber defenses and should be viewed as prime candidates for effective solutions.
Should SMBs worry about cyber attacks?
The data above raises a related question: Is the lack of concern demonstrated by small businesses rooted in reality – is it the case that one-third of respondents don’t have much to fear from cyber attacks?