Techaisle Blog

Small and midsized businesses find it challenging to defend their users, applications, and data against external threats. Data from Techaisle’s SMB and Midmarket security research reveals 63% of US SMBs report that they experienced one or more cyberattacks in the last year, contributing to an average of 3.6% of revenue loss attributable to security incidents. For 46% of SMBs, preventing cyber-attacks is one the most pressing and critical IT issues. Yet, 59% of SMBs are very confident that their firms could recover from a cybersecurity incident. Nevertheless, security issues cast a long shadow over SMB IT priorities, especially as firms embrace the benefits of hybrid work, hybrid IT, only to find that their environments become more complex and more challenging to manage and protect. SMBs respond by expanding security budgets – but they lack the staff and expertise to construct effective shields around their organizations. The channel, working with leading-edge products like those from Fortinet, Cisco, Dell Technologies, Palo Alto Networks, has an essential role to play in defending their clients’ SMB businesses against security threats.

The origins of the saying “it’s about the journey, not the destination” may be unclear. Ralph Waldo Emerson, theologian Lynn H. Hough, Canadian rapper Drake, or others may have said the phrase, but its applicability in an IT security context is clear. There is no endpoint at which security is ‘done’; security requires constant updating to stay current with expanding threat vectors.

This requirement for continuously improved IT security is both a challenge and an opportunity for security suppliers.

What is the opportunity?

Techaisle has pegged global SMB security spending in 2023 at $68 billion. However, high IT security spending levels and growth rates mask an underlying sense of confusion concerning safeguarding emerging cloud and hybrid IT environments – and a lack of resources to address this problem. Compounding – or perhaps, causing – the lack of clarity into cloud security issues and the relatively tepid adoption rates for cloud security solutions is that SMB IT operations are under-resourced. Without specialized staff, SMBs cannot keep pace with the constantly changing threat vectors and security options.

The lack of insight by small businesses becomes clear: only 5% have IT security staff. 44% of midmarket firms have an average of three full-time internal security staff, but the demands of a business of this size would exceed a single individual’s bandwidth. The percentages more than double for upper-midmarket firms. Simply put, SMBs lack the bench depth needed to dedicate IT resources to security. Everywhere within the SMB segment, there is a mismatch between available resources and the depth of the skills required to keep pace with security needs.

The lack of understanding of a threat associated with a widely-used platform on the one hand, and the lack of IT staff resources available to address security concerns on the other, produces a clear conclusion: SMBs need suppliers to step up to the delivery of secure IT environments.

In many cases, these suppliers will be the mainstream channel partners who supply the SMB’s technology and act as the IT management presence within the SMB’s business. In other cases, including in many midmarket environments, the source of security products and services will be specialized managed security providers who focus tightly on operating SOCs and protecting client environments. In some scenarios, firms will ‘land’ by entering a client account from one of these positions and then ‘expand’ to serve a broader range of IT supply needs – crowding out competitors who can’t address the risk and compliance issues that are central to the CEO’s mandate.

What is the security supplier call to action?

As security suppliers move towards managing SMB security needs, they need to address the pace at which their clients absorb new offerings. Small businesses will not embrace eight new technologies, nor are midmarket firms going to integrate fourteen new solutions into their environments. Even if this were possible from a budget perspective, it would cause chaos in the business.

Instead, suppliers of security services need to co-create a security roadmap with their SMB, which starts with assessing the customers’ executive teams’ tolerance for risk. What absolutely must be secured, and in what order? The security supplier can then identify the solutions that best fit the customer’s immediate and longer-term needs and then deploy, integrate and manage the solutions over time. After all, data shows that 45% of SMBs feel it will be beneficial for them if an external services firm can help define and implementing security policies.

One key point of exposure in this process is the ability to ensure that different solutions work together. In the cloud world, and increasingly in the on-premise world as well, channel partners and MSPs focus on integrations: the breadth of a single vendor’s product line, plus – and importantly – the extent to which third parties develop and support links to a firm’s products.

There will be no slowdown in the digital transformation of SMBs; their business infrastructure will increasingly rely on technology. Likewise, there will be no slowdown in the threats to that infrastructure; as reliance on technology increases, so does the potential bounty for attackers. And as a result, there will be a continuous and growing need for IT security services – which will sustain firms adept at delivering and managing security solutions that combine expertise and industry-leading technology.

In all sectors, 2020 was a challenging year – and as a result, 2021 is challenging from a market planning perspective. The disconnect between 2020 and 2019 was so severe that it rendered spend forecasts virtually useless: IT suppliers reacted to shifting market trends in real-time. As we enter 2021, IT product and service suppliers look to create a context for understanding the range of outcomes that the new year may bring. Techaisle's 2021 report series illuminates issues and requirements in the vast SMB market to support that effort. To start 2021, here are our top 10 predictions.

1. Digital inequality will be more important than the digital divide
2. Quest for reinvention, innovation, resiliency will drive bursts of incremental transformation goals
3. The hybrid workplace will require HR focus and drive adoption of workspace, workflow solutions
4. Meaningful customer partners and not trusted advisors will determine supplier success
5. Pragmatism will overtake progressiveness in technology adoption for a future-ready organization
6. Requirements for automation and enhanced IT services will become time-critical
7. Security and risk mitigation will focus on a safe middle ground
8. Systems of insight will move into the analytics mainstream
9. AI will arrive as a capability integrated within other solutions
10. Open source adoption will become an indicator of cloud success

Risk mitigation is everyone's business, and SMB IT is uniquely positioning to manage reliability, privacy, and cyber-risk. In most SMBs, IT's role is to provide users with fast and reliable connections to needed systems and data. Increasingly IT is expected to prevent leakage of sensitive information that could harm the business or its customers. A global survey conducted by leading research firm Techaisle found that security solutions (cloud and mobility) are seen as a top IT priority by 75% of SMBs.

There is evidence of the enormous requirement for the defense of an ever-expanding perimeter – but if anything, it understates SMB's focus on cybersecurity. SMBs have deployed, and continue to deploy, increasingly-sophisticated shields to protect against the relentless advance of threat sources attacking businesses of all sizes through their cloud instances, mobile devices and connected users, and new technologies (such as IoT) and core networks and systems. SMBs (and the managed services suppliers they work with) are responding by developing better internal processes and deploying IT security solutions that are frequently enhanced by advanced features rooted in analytics and AI.
Defense against cyber-threats requires a comprehensive approach that spans people, process, and technology: appropriate systems need to be deployed, configured, integrated and continuously upgraded, processes – particularly related to the management of sensitive data – need to be established and embedded in work routines, and staff (all users, including IT) need regular and relevant training. A gap anywhere in this continuum will leave openings that intruders can exploit.
And as daunting as a defense against cyber-risk may be, the reality is that IT's role in ensuring information and infrastructure integrity is extending into other vital areas as well. With businesses now reliant on technology for most tasks' performance, IT must deliver continuous access to systems and safeguard data against loss. And in most environments, it is expected that IT will play a meaningful role in maintaining the privacy of sensitive data. In today's SMB, the IT leader is responding to multiple risk management demands.

SMBs typically start with basic endpoint/user security technologies – and many stop there as well. Even organizations that deploy additional 'shields' often shy away from taking the next step beyond trying to prevent a breach: assuming that a breach will occur and developing processes and deploying technologies needed to minimize the resulting damage and exposure. Some experts also point out that many firms – SMBs and enterprises – don't fully understand their devices (including back-end infrastructure, user devices and sensors), access points, applications, data, and system users. Building this inventory is an essential step in understanding the scope of potential exposure to breaches or losses.
Deployment of security technology will be an ongoing challenge as SMBs attempt to identify, budget for, deploy, integrate, and operate the security shields that are most important to their businesses' operations. In many cases, access to skilled professionals is the most tricky part of this equation. In this environment, SMBs struggle to attract and retain capable security staff members. Increasingly, this is leading to the use of managed security services: Techaisle's global survey shows that managed security, currently used by 29% of SMBs, is in the plans of an additional 44% of small and medium businesses – which will result in a 152% increase in the use of managed security services. 

Privacy is a component of many different SMB business responsibilities: it is critical to compliance, and as a result, to senior executives and shareholders; it is a crucial issue for legal advisors; included in statements made by marketing; and of course, concerning data, it is assumed to be something that is managed by IT. Privacy is a cross-functional responsibility. Sensitive data needs to be classified as such and prioritized for the highest-level security; the security may be an IT function, but the classification needs to be done by the business leaders closest to the inputs and implications of disclosure. Leaks are very often the work of insiders rather than anonymous external hackers. Here, too, while IT plays a role (through monitoring technologies and systems that look to prevent data exfiltration), HR and business unit managers also need to be proactive in preventing privacy breaches.

Security – both the technology and the skills needed to optimize security systems and keep them current, integrated, and complete – is one of IT's most complex areas. To address these complex (and related) issues, SMB IT is needing to develop a portfolio of security technologies and skills that is equal to the task of defending against cyber-threats; develop and continuously execute on business continuity plans; deploy network and access technologies that are aligned with user needs; implement training approaches and management processes that reduce the risk that human error (or malfeasance) will bypass the SMB's technology shields.

They cannot do it in isolation. There is no 'silver bullet' that SMB executives can use to deliver a failure-proof, future-proof approach to risk management. However, by connecting security, privacy, and reliability/continuity – by working with the right suppliers who understand business requirements – SMB IT leaders want to make a real difference to their organizations' regulatory compliance, customer trust, and bottom-line success.

Techaisle’s worldwide survey of N=5505 SMBs covering 1-999 employee size segment reveals that 34% of small businesses (1-99 employees size segment) experienced one or more cyberattacks in the last one year. The percent jumps to over 50% when mobility security attacks and internal malicious thefts are included. Technology is to businesses in the 21st century what roads and assembly lines were in the 20th: the platform on which all processes are based, on which all business is conducted. But with the limitless potential of IT/business infrastructure comes a vast and growing set of threats. Small businesses cannot simply rely on regulators or the ‘rules of the road’ (from telcos or hyperscale cloud providers) for protection – they need to take action to safeguard their customers, their staff, their devices and their confidential corporate information.

Large enterprises have the means to hire SWAT teams of infosec professionals. But what can and should smaller businesses do, to grasp the potential of technology without opening themselves up to cyber threats? Survey data shows that only 3% of small businesses have full-time internal dedicated IT security staff. Let that data point sink in. Regardless of the relatively tiny presence of security staff, as compared to 87% within midmarket firms and 100% in enterprise segment, 55% of small businesses are currently handling their security needs internally and if the projected plans are followed-through then it will increase by another 25%. However, small businesses are not naïve. 61% are also outsourcing either all or some of their security needs to MSPs and other channel partners and plan to increase their outsourcing commitment by 41%. For 37% of small businesses, insufficient IT budget is a major constraint towards seeking outside expert advice, deployment and security management. Although 55% of small businesses are confident about recovering from a cybersecurity incident, 32% are quick to admit that they need external services to define an overall security strategy, help select right-fit security technology/products and assist in determining the risks faced by the organization.

The next question is - what worries small business executives?