SMBs play a critical role in national economies, as they comprise about 97% of all commercial enterprises. Until very recently SMBs did not consider themselves a prime target of cyber threats, and rightly so: all the high-profile hacks were aimed at large enterprises, and it was widely assumed that cybercriminals wouldn’t bother with small-stakes targets. But as the economy becomes more connected, SMBs are taking center stage in cyber activities as well. Because SMBs are connected to customers, larger enterprises and governmental organizations, they have become a compelling target for cybercriminals. In addition, low-cost, mass-produced cyber weapons now make it economically feasible for cybercriminals to successfully target SMBs and even individuals. Of these, ransomware has one of the highest return-on-investment ratios for criminals, regardless of the victim’s occupation or annual turnover.
Awareness and Impact
SMBs are being targeted by cyber-attacks at a rate never seen before. According to the latest research, over 50% of SMBs surveyed (sized 100-1,000 employees) reported a cyber-attack or data breach in the past year.
It is not surprising that SMBs are becoming more aware of cyber threats: high-profile breaches make the headlines every day, and “small time” incidents hit more and more SMBs around them. Even so, a recent survey showed that 60% of SMBs do not consider cyber-attacks to be a big risk to their organizations, while 44% don’t consider strong security to be a priority. Yet cyber-attacks can cause considerable financial damage to the business: the average cost of a cyber-attack for an SMB last year was over $8000, a significant amount of money to the typical small business. That cost does not include intangibles such as downtime, loss of business, remediation and so forth, meaning that the actual cost to an SMB is possibly far greater; some even estimate it at an additional 10,0000 US$.
Current state of industry solutions
The cybersecurity industry has yet to crack the SMB market. It has great success selling to large organizations, both governmental and private, yet the SMB market is an almost blue ocean in terms of sales.
One reason for this is psychological: poor awareness (as discussed above), where misplaced beliefs (“Cybersecurity is needed for banks, not for my business”) slow the adoption of cyber solutions in this sector. The second reason is economic: most SMBs find it difficult to pay the thousands of US$ needed to purchase top cyber solutions.
The third is the technical difficulty of setting up and maintaining these solutions. Most SMBs are non-technical in nature and have little or no technical capability to operate most solutions. About 67% said that they lack sufficient personnel to handle cybersecurity. This last point is worth focusing on: the widening skills gap is forecast to affect SMBs more than enterprises, because even if a large SMB wanted to hire a cybersecurity technician or CISO, it would face a talent shortage and fierce competition for talent with larger organizations.
The fourth is that there simply aren’t enough solutions that are tailor-made for smaller organizations. Very few cybersecurity companies have developed solutions specifically for SMBs, and most of those have not been commercially successful.
The only product which every SMB knows and uses is the antivirus (see an in-depth discussion about AV here). As can be seen from the following list, the most essential cybersecurity technologies are:
- Client firewalls
- Password protection / management
- VPN and other secure Web gateways
- Intrusion detection and prevention
- Automated patch management systems
- Anti-denial of service
- Encryption technologies
- Web application firewalls (WAF)
- Identity & access management
It is evident that SMBs now focus on the traditional technologies. One can also speculate that until the first items have been purchased and implemented (effectively serving as the cybersecurity foundation or infrastructure), SMBs will not invest in more advanced technologies. Since budget and resources are of the utmost importance to SMBs, many will stop after buying the basics and will never move further.
Given the size of this potential market and the slow growth of enterprise customers (most of which have already implemented cyber solutions, and now deal with upgrades), it is certain that vendors will shift some of their focus to this lucrative market. However, it is clear that the differences between small and enterprise customers will inhibit the adoption of similar technologies, so novel technologies and business offerings have to be introduced. Here are some of the trends we identify that could potentially make an impact on the SMB market:
- Cloud solutions
SMBs have been quick to adopt cloud solutions: over 60% of SMBs in the US use some sort of cloud solution. Greater adoption of cloud will enable the adoption of cloud-based security solutions such as secure email services, secure storage and Cloud Access Security Broker (CASB) solutions.
- Managed solutions
SMBs are discovering they can shift all the responsibility for cyber operations to an external party. An MSSP might be overkill for a mom-and-pop shop but could be a great solution for a factory with a hundred employees, one IT guy and no chance of hiring a CISO. In fact, over 30% of SMBs surveyed said they were using an MSSP to help with cybersecurity operations.
- Cyber insurance
Cyber insurance could well be the driving force behind cybersecurity adoption by SMBs. Insurance policies for SMBs are becoming more common, and it won’t be long before insurance companies offer joint packages of insurance plus security (in conjunction with leading security companies or MSSPs).
SMB is the final frontier for the cybersecurity industry. Large vendors who can no longer grow through innovation and promoting new products will need to expand into this huge market to maintain growth and profitability. Demand on the SMB side is destined to grow, so the race to meet this need is wide open. But in order to capture it, security companies will need to change their mindset and their technological and commercial offerings.