Techaisle Blog

Small and midsized businesses find it challenging to defend their users, applications, and data against external threats. Data from Techaisle’s SMB and Midmarket security research reveals 63% of US SMBs report that they experienced one or more cyberattacks in the last year, contributing to an average of 3.6% of revenue loss attributable to security incidents. For 46% of SMBs, preventing cyber-attacks is one the most pressing and critical IT issues. Yet, 59% of SMBs are very confident that their firms could recover from a cybersecurity incident. Nevertheless, security issues cast a long shadow over SMB IT priorities, especially as firms embrace the benefits of hybrid work, hybrid IT, only to find that their environments become more complex and more challenging to manage and protect. SMBs respond by expanding security budgets – but they lack the staff and expertise to construct effective shields around their organizations. The channel, working with leading-edge products like those from Fortinet, Cisco, Dell Technologies, Palo Alto Networks, has an essential role to play in defending their clients’ SMB businesses against security threats.

The origins of the saying “it’s about the journey, not the destination” may be unclear. Ralph Waldo Emerson, theologian Lynn H. Hough, Canadian rapper Drake, or others may have said the phrase, but its applicability in an IT security context is clear. There is no endpoint at which security is ‘done’; security requires constant updating to stay current with expanding threat vectors.

This requirement for continuously improved IT security is both a challenge and an opportunity for security suppliers.

What is the opportunity?

Techaisle has pegged global SMB security spending in 2023 at $68 billion. However, high IT security spending levels and growth rates mask an underlying sense of confusion concerning safeguarding emerging cloud and hybrid IT environments – and a lack of resources to address this problem. Compounding – or perhaps, causing – the lack of clarity into cloud security issues and the relatively tepid adoption rates for cloud security solutions is that SMB IT operations are under-resourced. Without specialized staff, SMBs cannot keep pace with the constantly changing threat vectors and security options.

The lack of insight by small businesses becomes clear: only 5% have IT security staff. 44% of midmarket firms have an average of three full-time internal security staff, but the demands of a business of this size would exceed a single individual’s bandwidth. The percentages more than double for upper-midmarket firms. Simply put, SMBs lack the bench depth needed to dedicate IT resources to security. Everywhere within the SMB segment, there is a mismatch between available resources and the depth of the skills required to keep pace with security needs.

The lack of understanding of a threat associated with a widely-used platform on the one hand, and the lack of IT staff resources available to address security concerns on the other, produces a clear conclusion: SMBs need suppliers to step up to the delivery of secure IT environments.

In many cases, these suppliers will be the mainstream channel partners who supply the SMB’s technology and act as the IT management presence within the SMB’s business. In other cases, including in many midmarket environments, the source of security products and services will be specialized managed security providers who focus tightly on operating SOCs and protecting client environments. In some scenarios, firms will ‘land’ by entering a client account from one of these positions and then ‘expand’ to serve a broader range of IT supply needs – crowding out competitors who can’t address the risk and compliance issues that are central to the CEO’s mandate.

What is the security supplier call to action?

As security suppliers move towards managing SMB security needs, they need to address the pace at which their clients absorb new offerings. Small businesses will not embrace eight new technologies, nor are midmarket firms going to integrate fourteen new solutions into their environments. Even if this were possible from a budget perspective, it would cause chaos in the business.

Instead, suppliers of security services need to co-create a security roadmap with their SMB, which starts with assessing the customers’ executive teams’ tolerance for risk. What absolutely must be secured, and in what order? The security supplier can then identify the solutions that best fit the customer’s immediate and longer-term needs and then deploy, integrate and manage the solutions over time. After all, data shows that 45% of SMBs feel it will be beneficial for them if an external services firm can help define and implementing security policies.

One key point of exposure in this process is the ability to ensure that different solutions work together. In the cloud world, and increasingly in the on-premise world as well, channel partners and MSPs focus on integrations: the breadth of a single vendor’s product line, plus – and importantly – the extent to which third parties develop and support links to a firm’s products.

There will be no slowdown in the digital transformation of SMBs; their business infrastructure will increasingly rely on technology. Likewise, there will be no slowdown in the threats to that infrastructure; as reliance on technology increases, so does the potential bounty for attackers. And as a result, there will be a continuous and growing need for IT security services – which will sustain firms adept at delivering and managing security solutions that combine expertise and industry-leading technology.

New work patterns and the acceleration of distributed workplaces are resulting in a range of productivity benefits for SMBs today. As such, businesses see increased workforce efficiencies and talent recruitment while minimizing cost by reducing intermediaries and integrating contract professionals – and even improved environmental performance through reduced commuting and building footprints.

In the quest to deploy a perfect hybrid workplace technology infrastructure, SMBs often overlook networking – wireless, routers, firewalls, and beyond. Similarly, as small business retailers and other small commercial offices struggle with re-opening uncertainties, they also grapple with the daunting task of enabling secure and safe environments for their employees and customers. Digitization with minimum IT disruption and low manageability is on their minds.

Cash flow constraints, limited access to finances, competitive landscapes, the need for innovation, erratic revenue, uncertainties, the pace of technology change, and many more are drivers for achieving cost efficiencies within SMBs. Digital transformation is no longer the domain of only upper midmarket firms and enterprises. Techaisle's SMB and Midmarket Digital transformation survey research shows that 46% of SMBs are adopting digital transformation to reduce costs, and 38% are planning for innovation in customer engagement and services.

Helping SMBs thrive with robust IT solutions

Unbeknownst to many, the Cisco Meraki platform and the solutions it powers is a critical foundational technology to fast-forward digital transformation for SMBs. Much of this comes from its ease of use, simplicity, and flexibility for lean IT to innovate by doing more with less.

Cisco acquired Meraki in 2012, around the same time (2013), when it divested Linksys to Belkin. Over the years, Cisco has continued to innovate on its highly successful Meraki platform. It is no secret that Cisco Meraki invented cloud-managed networking technology in 2006. It has continued to innovate and expand the networking portfolio to IoT solutions and cover any business need or use case. The Meraki platform consists of switching, security & SD-WAN, wireless access points, mobile device management, and extending to IoT, including smart cameras and AI-equipped sensors to drive business intelligence.

Regarding deep intelligence and analytics, Meraki Health and Meraki Insight allow SMBs to monitor all aspects of their network and applications from the Meraki dashboard or API and easily detect and fix potential issues in minutes. Techaisle's survey shows that only 4% of small businesses have internal full-time IT staff. They spend 79% of their time on support, maintenance, and troubleshooting— creating an IT efficiency deficit and negatively impacting organizational productivity. Meraki Health's objective is to simplify troubleshooting for the lean, almost non-existent, or over-burdened small business owner/manager. Small businesses need to propel growth and enable new business initiatives freeing up time and resources. To ease the digital transformation, Meraki provides many capabilities that protect SMBs of any size, including:

• Preventing cyber-attacks: Meraki MX Security & SD-WAN appliances protect SMB businesses, users, and devices. Meraki security has the backing of Cisco Talos, one of the largest commercial threat intelligence teams globally.

• Deploying remote workers: Meraki Z3 teleworker gateways provide connectivity and secure and seamless in-office experiences. Meraki Insight delivers deep visibility into critical business applications and proactive troubleshooting for remote workers.

• Ensuring safe occupancy: Meraki MV smart cameras let SMBs maintain social distancing guidelines by remotely monitoring and tracking safe occupancy levels in physical environments through intelligent analytics, such as object detection and tracking.

• Cost savings from simplicity: All Meraki products are deployed and controlled from a single pane of glass. Meraki Health is available for all devices, saving many troubleshooting times by pinpointing specific problematic devices and clients via root cause analysis.

SMBs agree that Meraki solutions can be quickly deployed with zero-touch provisioning and configuration and remotely managed through a cloud-based GUI dashboard (single pane of glass), with all-inclusive licensing. Meraki provides 24/7 technical support (email or phone) and a lifetime warranty on devices (except cameras & outdoor APs) with advanced replacement.

Challenges in small business security

Techaisle's SMB security survey research data shows that security is a top IT priority and challenge for 76% of SMBs, and 65% are planning to increase IT security investments. Within the SMB segment, small businesses often lack the skills required to work with software-based security solutions and are 25%-33% less likely than midmarket firms to work with managed service providers.

Most small businesses are not proactive in addressing security issues, but that may not be the whole problem or perhaps even the greatest obstacle to small businesses’ adoption of security technology. Relative to midmarket firms, small businesses have limited to no internal IT security staff, are not generally working with a managed service provider capable of handling security needs, and are about 50% less likely to embrace external vendors' software-based security solutions.

While small businesses could theoretically pursue some strategies used by larger competitors, they lack the experience and skills to identify, deploy, and manage the products and relationships used to develop shields protecting valuable corporate data, applications, and human assets.

Meraki addresses these issues by providing a secure in-office experience to remote workers—giving access to applications while maintaining visibility and control from anywhere with a cloud-managed dashboard. It also encrypts data with Auto VPN, allowing employees to quickly, securely, and remotely connect to corporate locations.

Meraki smart cameras also address physical security, remote monitoring, and intelligence by including on-device storage and flexibility to access data through the cloud. The cameras allow for many playback features with machine learning and AI to compress the data and provide business intelligence instantly gleaned from long recordings. It is an ideal product for SMBs implementing social distancing guidelines, remotely monitoring physical spaces, reducing in-person exposure on-site, and ensuring comprehensive security.

How SMBs can adapt and digitize

As I said earlier, there is increasing importance for innovation and digitization (not referring strictly to the substitution of digital records for physical documents, but more broadly to the use of digital technologies to meet business goals) in SMB strategy. Dependence on technology as a critical element of business success, burgeoning complexity, and cost constraint has created a perfect storm for small businesses to adapt to changing environments using specifically designed technology.

Over the last few months, we studied use cases and Meraki's usefulness within the SMB segment. Meraki addresses real and compelling issues, and I believe it will continue to expand within the SMB community. Verticals such as healthcare, manufacturing, retail, and financial services have been quick adopters of Meraki, specifically for launching new business models, deploying remote workers, transitioning to hybrid workplaces, cybersecurity, location analysis, contact tracing, social distancing, personal safety, curbside pickup, and more.

SMB owners and executives are concerned with issues that extend beyond technology. Yet, today's business environments are increasingly dependent on IT support, products, and services that improve productivity and efficiency or expand market reach and potential.

Final Techaisle Take

IT initiatives that can be linked meaningfully to broader business objectives can attract SMB executive support – meaning that products and services that address key business priorities have the most significant growth potential. Meraki is well on its way.

Today's economy demands that technology support SMB activities. The future will be defined by them capitalizing on technology-enabled business options. If SMBs are thinking about the path forward, from today's foundation to tomorrow's opportunity, they should include Meraki in their evaluations. Writing this analysis reminds me that I work from home and should probably replace my mesh routers with Meraki devices.

Techaisle’s worldwide survey of N=5505 SMBs covering 1-999 employee size segment reveals that 34% of small businesses (1-99 employees size segment) experienced one or more cyberattacks in the last one year. The percent jumps to over 50% when mobility security attacks and internal malicious thefts are included. Technology is to businesses in the 21st century what roads and assembly lines were in the 20th: the platform on which all processes are based, on which all business is conducted. But with the limitless potential of IT/business infrastructure comes a vast and growing set of threats. Small businesses cannot simply rely on regulators or the ‘rules of the road’ (from telcos or hyperscale cloud providers) for protection – they need to take action to safeguard their customers, their staff, their devices and their confidential corporate information.

Large enterprises have the means to hire SWAT teams of infosec professionals. But what can and should smaller businesses do, to grasp the potential of technology without opening themselves up to cyber threats? Survey data shows that only 3% of small businesses have full-time internal dedicated IT security staff. Let that data point sink in. Regardless of the relatively tiny presence of security staff, as compared to 87% within midmarket firms and 100% in enterprise segment, 55% of small businesses are currently handling their security needs internally and if the projected plans are followed-through then it will increase by another 25%. However, small businesses are not naïve. 61% are also outsourcing either all or some of their security needs to MSPs and other channel partners and plan to increase their outsourcing commitment by 41%. For 37% of small businesses, insufficient IT budget is a major constraint towards seeking outside expert advice, deployment and security management. Although 55% of small businesses are confident about recovering from a cybersecurity incident, 32% are quick to admit that they need external services to define an overall security strategy, help select right-fit security technology/products and assist in determining the risks faced by the organization.

The next question is - what worries small business executives?

Techaisle’s SMB and Midmarket security solutions adoption research shows that although security is a top IT priority for 85% of SMBs, cybersecurity is still not the most pressing security issue for 80% of SMBs. These SMB firms maybe maneuvering around the edges of cybersecurity flame as 19% of small businesses and 28% of midmarket firms believe that they have established best practices to control cyber-attacks. 31% of SMBs report that they are very confident of recovering from a cybersecurity incident and another 20% say the recovery is dependent upon the type of incidence. Is it really the case that the security-confident SMBs have taken all necessary steps to safeguard data, user and environment? Answer lies in the next set of data points. Only 8% of small businesses and 24% of midmarket firms have tested their responses to breaches or security incidents to ensure that their protocols will be effective in a crisis situation. Less than 10% of SMBs are covered by cyber-insurance and only 5% are considering cyber-insurance.

SMBs that build effective, responsive security frameworks will be positioned to capitalize on new technologies and on the new efficiencies that they enable. There is no denying that the threats that IT security frameworks address are becoming both more pernicious and a greater threat to the success of IT-dependent businesses – which is to say, nearly all businesses.

In the Techaisle survey, respondents were asked “– what would be the impact on your organization if there was a security/data breach of corporate information?” Responses indicate that the damage would be widespread and substantial. As the chart below demonstrates, the most severe consequence of a breach would be damage to customer privacy and trust, but there would also be damage to corporate reputations and profitability, difficulty in meeting regulatory requirements, and personal reputation damage for both business and IT professionals within the firm.

The NIST framework does a good job of describing a business’s approach to cyber security, but it doesn’t actually address the approaches used by ‘bad actors’ to attack data and users. To understand how attackers work (and might be stopped), IT security professionals often turn to the cyber (or intrusion) kill chain. This seven-stage view of an attacker’s process, developed by Lockheed Martin in 2011, helps technical leads to align security technology and processes against an attacker’s progressive objectives.

There are many variants on the diagram. Some include responses to the intrusion kill chain, urging businesses to “detect, deny, disrupt, degrade, deceive and destroy” attackers and their malware. Others highlight the key technologies and technology processes used to support these responses: for example, security professionals combating intruders at the reconnaissance stage might use web analytics to detect an intruder’s activities, and then firewall technology to deny access to corporate systems. The specific details vary from scenario to scenario, and evolve over time. What is constant, though, is the need for technically-adept security professionals to invest in capable technologies, to integrate these systems with each other, to develop processes that connect effectively with threats and technology-based ‘shields’, and to align these systems and processes with management’s corporate objectives.

It isn’t an exaggeration to state that in today’s business world, IT infrastructure is business critical infrastructure. SMBs are heavily invested in IT, with IT-dependent processes throughout their operations. This ubiquitous dependence on technology means that systems failure will reverberate throughout all of a company’s daily operations. There is no way to disaster-proof against IT failure with insurance; appropriate investment in IT security processes, technologies and management strategies is the only way to capitalize on the productivity benefits of IT without creating exposure to organizational paralysis in the event of a malware invasion, a hacker attack or an employee’s negligence or malfeasance.

The lack of understanding of a threat associated with a widely-used cloud platform on one hand (and likely, additional confusion with respect to security issues associated with other technologies), and the lack of IT staff resources available to address security concerns on the other, produces a clear conclusion: SMBs need suppliers to step up to delivery of secure IT environments and prevent cyber-attacks.

In many cases, these suppliers will be the mainstream channel partners who supply the SMB’s technology, who act as the IT management presence within the SMB’s business. In other cases, including in many midmarket environments, the source of security products and services will be specialized managed security providers who focus tightly on operating SOCs and protecting client environments. In some scenarios, firms will ‘land’ by entering a client account from one of these positions, and then ‘expand’ to serve a wider range of IT supply needs – crowding out competitors who can’t address the risk and compliance issues that are central to the CEO’s mandate.

Related research

US SMB and Midmarket Security adoption trends

Europe SMB and Midmarket Security adoption trends

Asia/Pacific SMB and Midmarket Security adoption trends

Latin America SMB and Midmarket Security adoption trends