The cybersecurity paradox for SMBs: High vulnerability, low resources

Small and medium-sized businesses (SMBs) are uniquely vulnerable to cybersecurity threats. Compared to larger enterprises, they have far fewer resources available for the increasingly complex tasks of monitoring, identifying and remediating a huge array of risks, from strong-encryption ransomware to distributed denial-of-service (DDoS) attacks. This shortfall kicks off a vicious cycle, through which SMBs are often successfully breached, resulting in significant financial damages that in turn make adequate security implementations even more challenging to realize.

A 2018 survey of 1,000 SMBs by domain name provider GoDaddy highlighted this very trend, noting that half of them had suffered monetary losses from breaches and one-eighth reported a loss of $5,000 or more. At the same time, up to 40 percent rarely if ever checked for vulnerabilities, with some spending virtually nothing ($500 or less) each year on their security-related projects. Paired with the longstanding shortage of skilled security personnel – who can command considerable salaries given their current scarcity – this resource pressure puts SMBs in a pinch and requires creative solutions.

“SMBs look at the option of outsourcing their security management to understand threats, save money, respond to breaches and for an unbiased insight. Outsourcing is a good idea to make up for the lack of resources – a challenge that most SMBs face.”

Cisco Cybersecurity Special Report, 2018

Roadmap for SMB cybersecurity success: 4 key practices

Cybersecurity isn’t a destination – there’s no point at which you can say you’re “finished,” as threats continually evolve and require ongoing attention. Our recipe for success takes this into account by emphasizing four key points that put SMBs on a sustainable trajectory:

  1. Patch management: Though far from glamorous, patch management is nevertheless the foundation for security readiness. Outdated and unpatched operating systems, applications and services are magnets for cyberattackers, who exploit known vulnerabilities. Yet only 36 percent of SMBs reported regularly patching their software in a Federation of Small Businesses survey of U.K.-based organizations. A patch management strategy ensures that anything in need of a security update is quickly identified, and that each patch is verified and tested before it is applied. Managed service providers (MSPs) can help streamline the patch management process as part of a larger offering that includes solutions such as network monitoring.
  2. MSP security solutions: Indeed, in addition to patch management, an MSP might provide a range of services at a price point that SMBs themselves couldn’t match with an in-house team. For example, an MSP partner could offer DDoS mitigation, firewalling, virtual private networks and content filtering. Moreover, all of these functions would be backed by 24/7/365 oversight. Working with an MSP has the dual benefit of reducing the cost and complexity of cybersecurity management and freeing up limited SMB staff for other projects. Managed security means not having to choose between keeping critical systems safe and focusing on essential non-security efforts for the organization.
