Techaisle Blog

Techaisle’s SMB and Midmarket security solutions adoption research shows that although security is a top IT priority for 85% of SMBs, cybersecurity is still not the most pressing security issue for 80% of SMBs. These SMB firms maybe maneuvering around the edges of cybersecurity flame as 19% of small businesses and 28% of midmarket firms believe that they have established best practices to control cyber-attacks. 31% of SMBs report that they are very confident of recovering from a cybersecurity incident and another 20% say the recovery is dependent upon the type of incidence. Is it really the case that the security-confident SMBs have taken all necessary steps to safeguard data, user and environment? Answer lies in the next set of data points. Only 8% of small businesses and 24% of midmarket firms have tested their responses to breaches or security incidents to ensure that their protocols will be effective in a crisis situation. Less than 10% of SMBs are covered by cyber-insurance and only 5% are considering cyber-insurance.

SMBs that build effective, responsive security frameworks will be positioned to capitalize on new technologies and on the new efficiencies that they enable. There is no denying that the threats that IT security frameworks address are becoming both more pernicious and a greater threat to the success of IT-dependent businesses – which is to say, nearly all businesses.

In the Techaisle survey, respondents were asked “– what would be the impact on your organization if there was a security/data breach of corporate information?” Responses indicate that the damage would be widespread and substantial. As the chart below demonstrates, the most severe consequence of a breach would be damage to customer privacy and trust, but there would also be damage to corporate reputations and profitability, difficulty in meeting regulatory requirements, and personal reputation damage for both business and IT professionals within the firm.

The NIST framework does a good job of describing a business’s approach to cyber security, but it doesn’t actually address the approaches used by ‘bad actors’ to attack data and users. To understand how attackers work (and might be stopped), IT security professionals often turn to the cyber (or intrusion) kill chain. This seven-stage view of an attacker’s process, developed by Lockheed Martin in 2011, helps technical leads to align security technology and processes against an attacker’s progressive objectives.

There are many variants on the diagram. Some include responses to the intrusion kill chain, urging businesses to “detect, deny, disrupt, degrade, deceive and destroy” attackers and their malware. Others highlight the key technologies and technology processes used to support these responses: for example, security professionals combating intruders at the reconnaissance stage might use web analytics to detect an intruder’s activities, and then firewall technology to deny access to corporate systems. The specific details vary from scenario to scenario, and evolve over time. What is constant, though, is the need for technically-adept security professionals to invest in capable technologies, to integrate these systems with each other, to develop processes that connect effectively with threats and technology-based ‘shields’, and to align these systems and processes with management’s corporate objectives.

It isn’t an exaggeration to state that in today’s business world, IT infrastructure is business critical infrastructure. SMBs are heavily invested in IT, with IT-dependent processes throughout their operations. This ubiquitous dependence on technology means that systems failure will reverberate throughout all of a company’s daily operations. There is no way to disaster-proof against IT failure with insurance; appropriate investment in IT security processes, technologies and management strategies is the only way to capitalize on the productivity benefits of IT without creating exposure to organizational paralysis in the event of a malware invasion, a hacker attack or an employee’s negligence or malfeasance.

The lack of understanding of a threat associated with a widely-used cloud platform on one hand (and likely, additional confusion with respect to security issues associated with other technologies), and the lack of IT staff resources available to address security concerns on the other, produces a clear conclusion: SMBs need suppliers to step up to delivery of secure IT environments and prevent cyber-attacks.

In many cases, these suppliers will be the mainstream channel partners who supply the SMB’s technology, who act as the IT management presence within the SMB’s business. In other cases, including in many midmarket environments, the source of security products and services will be specialized managed security providers who focus tightly on operating SOCs and protecting client environments. In some scenarios, firms will ‘land’ by entering a client account from one of these positions, and then ‘expand’ to serve a wider range of IT supply needs – crowding out competitors who can’t address the risk and compliance issues that are central to the CEO’s mandate.

Related research

US SMB and Midmarket Security adoption trends

Europe SMB and Midmarket Security adoption trends

Asia/Pacific SMB and Midmarket Security adoption trends

Latin America SMB and Midmarket Security adoption trends

Techaisle research into SMB approaches to digitalization shows a great belief in organizational commitment to digitalization strategies. 17% of small businesses and 31% of midmarket firms, down from more than 40% two years ago, believe that they are “holistic” with respect to digital transformation – that within their firms, the Internet and digital technologies impact every aspect of the business and are at the core of organizational strategy. Another large proportion of the SMB population – 32% of small businesses, 45% of midmarket firms – report that their organizations are best categorized as “inclusive,” seeing digital as important to the business, but as a relatively minor factor in strategic planning, and not having organization-wide impact. Lesser proportions of both populations see themselves as ‘siloed’ with respect to digital initiatives, but within 19% of small businesses, up from 5% in 2017, digital is not seen as core to their operations.

Pace of digital business adoption within SMBs

To add context to the previous data set, figure below shows how rapid the take-up of digital business within the SMB community has been and is expected to be over the next two years. Overall, SMBs expect 32% of business activities to be digitized by 2021, which will be up from 17% in 2017, nearly double. On average, roughly a quarter of small business and midmarket companies’ operational processes are digitized today: this represents a 51% increase (from 16%) within small business and a 47% (from 18%) increase within midmarket firms over the past two years, with a further 24%-28% increase (to nearly one-third of all processes) expected by the end of 2021. Suppliers selling into the SMB market with a digitalization position/messaging strategy should find a large number of firms looking to accelerate digital business initiatives.

Constraints to SMB digital strategies

A follow-on question about inhibitors found that 30% of SMBs “lack the skills” to embrace digital business practices; nearly as many (28%, rising to 36% in small business) cite staff or management reluctance to change current practices as a barrier to digital business adoption, and substantial proportions of the SMB community also point to “lack of investment capital/budget” (26%, and again, higher within small business) a risk averse corporate culture (24%) and inadequate installed technology (23%). In all, seven different constraints were cited by at least 20% of SMB respondents – highlighting the fact that SMBs face numerous challenges to development and adoption of effective digital business strategies.

Related SMB survey research reports:

US SMB & Midmarket Digitalization Trends

US Midmarket Digital Transformation Trends

US SMB & Midmarket SaaS Adoption Trends

Europe SMB & Midmarket SaaS Adoption Trends 

Asia/Pacific SMB & Midmarket SaaS Adoption Trends

Latin America SMB & Midmarket SaaS Adoption Trends

White papers

Prologue and Epilogue of Digitalization in SMB Market

Digital Transformation for the Modern Midmarket: Red Paper

Future of Work - Interwork: the next step in connected businesses

Digital Transformation & the Future of Reseller Channel

Techaisle’s Europe SMB and Midmarket security adoption trends survey shows that both small businesses and midmarket firms recognize that cloud poses a risk to their data: “cloud usage/services put us at a higher risk of a data breach” is the security-related statement that resonates most with small businesses, and it is one of the top three issues identified by midmarket respondents. However, 24% believe that they are better prepared than most to address cloud security issues. “Our security budget is sufficient to meet our needs” is the most commonly-advanced statement on IT security by small businesses but 52% of midmarket firms believe that their "budget is not sufficient to meet their security needs". Only 8% of European small businesses have formal security protocols in place to respond to a security incident as compared to 32% of midmarket firms.

There is no denying the threats that IT security frameworks address are becoming both more pernicious and a greater threat to the success of IT-dependent businesses – which is to say, nearly all businesses. Survey data also shows that in Europe, 52% of small businesses and 62% of midmarket firms experienced one or more security incidents in the last one year.

At least within the European SMBs and midmarket firms there seems to be adequate awareness of the quantity, variety and severity of threat sources but the unpreparedness is in part due to weak reporting of breaches when they occur, with only events too big to hide becoming the subjects of public discussion. Tougher disclosure legislation will make SMBs more aware of the extent of IT security issues – which in turn will likely boost investment in security solutions and reduce the number of respondents expressing comfort with their current state of readiness.

Despite the dichotomy of potential of security threats and overconfidence, SMBs are concerned about their threat landscape, both at the PC-level as well as with cloud.

Data clearly shows that small businesses and midmarket firms have very different perceptions of cyber-security risks, security approach and attitude, cloud and end-point security concerns and most effective security solutions to protect cloud data.

A review of cloud security threats and mitigation options available to European SMBs illustrates the fact that while cloud brings unique challenges, the measures used to address the expanded threat profile are consistent with those that would represent good practice in any infrastructure context. 37% of SMB survey respondents are concerned with data exposure during transfers to remote locations, 35% are concerned with the potential for cloud-based accounts to be hijacked, and 28% are worried about unauthorized access to or breaches of data repositories in the cloud, insecure interfaces used to access cloud-based systems, the potential for insiders within a cloud service provider to exfiltrate information, and denial of service (DDoS) attacks – all of which represent cloud-specific threats.

SMBs have very strong perception and understanding of technologies and practices that are considered most effective at protecting data in the cloud and addressing their cloud security concerns. These include data and network encryption, intrusion detection and prevention (IDP), the setting and enforcement of security policies, the creation of data boundaries that separate different information sets, use of access control technologies, and unified threat management. Unlike the threats, though, that are specific to cloud/hybrid IT infrastructure, these approaches do not arise uniquely from use of cloud: they can and should be applied within environments that are not cloud based as well. Any business that relies on a network and supports mobile users (necessitating access control) would do well to implement all of these measures.

Techaisle believes that there are different take-aways for suppliers focused on small and midmarket customers. In small business, there is a need to educate buyers about the gaps that exist between current preparedness and risks, and between small business readiness and the approaches that are common within larger organizations: small businesses need to understand where and how to invest in a wider range of security solutions, especially with respect to covering threats associated with mobility and cloud. There is also a need to respond to price-performance pressures.

Clearly, security itself is a complex solution area, and the marketing challenges faced by suppliers – which need to articulate solutions in terms that are appropriate to small and midmarket businesses, to BDMs and ITDMs, and via sources and channels that are relevant to the evaluation and purchase process – are complex in their own right. Security permeates all aspects of IT service delivery – and as a result, success in navigating the solution and marketing needs offers great upside for successful suppliers.

The core changes in the demands on different areas of the channel business are critical and challenging, but they can be seen as more effect than cause. In all aspects of channel business, long-held business tenets are being replaced by an emerging reality that has been ushered in by the move to cloud and amplified by many other trends – changes in buyers and buyer behavior, as well as management and process changes, and evolutions in service/technology delivery – that are reshaping how technology is acquired and used, and how suppliers need to act to meet buyer requirements.

NEXT channel

Techaisle has identified twelve areas where channel partners must abandon ingrained behaviors and move to new approaches that will enable NEXT (Networked, Engaged, Extended, Transformed) channel businesses.

Partner-to-partner relationships are important to cloud business success

There are seven imperatives that impact all areas of channel business operations, there are two imperatives that relate to internal management/process items, two that impact service/technology delivery, two that affect go-to-market and customer relationship management, and one – the shift from ‘turnkey solutions’ to ‘ecosystem collaborative solutions’ – that touches on all three areas. Let us discuss this last imperative.

Solution packaging isn’t a ‘religious issue’, it’s a ‘customer choice issue’ – and customers are clearly choosing to move from turnkey systems to hybrid environments that can be aligned with their evolving needs; this will also require an accelerated frequency of partner-to-partner collaboration (not opportunistically but strategically).

The chart above illustrates an important feature of this migration: it increases both the scope of projects that the channel partner can engage in and the profitability of those engagements. As the chart demonstrates, 65% of channel firms that consider themselves to be “very successful” in selling cloud report that they frequently collaborate with other channel partners; firms that struggle with cloud success are much less likely to proactively work with peer channel firms.

Drilling into the data from 2014 to 2018, we find that the opportunistic collaboration has increased by 69%. There are many sporadic efforts but no single vendor is formalizing and enabling this P2P collaboration.

What is the new Turnkey solution: