Low Budgets, Limited Expertise and a General Attitude of “Not Us” Plague SMB Cybersecurity

August 28, 2019

In 2013, a Faronics/Ponemon study found that lack of budget and poor security capability skills were the primary causes behind the generally poor state of cybersecurity in small and medium-sized businesses (SMBs).

But “the main reason I see,” suggested Dmitry Shesterin, Faronics’ VP of product management at the time, “genuinely and honestly, they do not care — they concentrate on business.”

Fast-forward six years and little has changed — except that SMBs now do care. A new survey from Untangle indicates that 80% of small businesses now rank IT security as a priority for their business (slightly up from last year’s finding of just less than 80%).

However, the other problems persist: low security budgets, aggravated by minimal or no security staff.

Untangle queried 300 SMBs, with the most common staff level between 25 and 300 personnel, for its 2019 SMB IT security report. It found that 29% of these companies have an annual security budget of less than $1,000. Fifty-two percent have no dedicated security professional on staff and instead distribute the responsibility across multiple other roles.

SMBs not only should but NEED to realize that they are heavily targeted by cybercriminals, both in themselves and as part of the supply chain for larger organizations.

According to the Verizon 2019 Data Breach Incident Report (DBIR), 58% of SMBs experienced a cyber incident in 2018. Furthermore, SMBs are less likely to have the resources to fully recover from a serious incident.

But despite the lack of focus on cybersecurity, SMBs are heavily reliant on cyber technology. Fifty-one percent have up to 100 devices connected to their network, and 40% operate in at least five different physical locations (remote or overseas offices and remote workers). Seventy-four percent have deployed at least part of their infrastructure to the cloud, but 63% have not deployed a firewall in the public cloud.

With such low security budgets (48% spend less than $5,000 annually), there is little room to improve security through security products, and no room to employ a security specialist. The general situation is not new and has led to the increasing use of available budget to outsource the solution. In 2017, a separate survey found that 80% of SMBs expected to use a third-party cybersecurity provider by the end of that year.


The 2019 SMB Cyberthreat Study surveyed 500 senior decision-makers at SMBs in mid-2019. To qualify for the survey, companies had to have no more than 500 employees.

In addition to the concerning number of leaders who appear not to worry about cyber attacks and do not have a plan in place for them, only 9% ranked cybersecurity as a top business priority and 25% reported having “no idea where to start” in terms of a digital security strategy.

Keeper Security cites internal numbers drawn from a 2018 Ponemon Institute study showing that 67% of SMBs experienced a cyber attack (the Verizon study from that time period reported that 58% of all cyberattacks were directed at SMBs). If those numbers are accurate, the number of SMBs being attacked almost exactly lines up with the number of company leaders who believe that they won’t be targeted for an attack.

21% of the respondents ranked cybersecurity dead last in terms of their business concerns, and 60% put it somewhere in the bottom half of their concerns.

Respondents overwhelmingly seem to believe that company revenue correlates with the likelihood of being attacked. 73% of respondents with an annual company revenue of less than $1 million felt that they were not likely to be attacked, while that number dropped to 47% among the companies that made more than $1 million per year.

There is also a correlation between length of time in business and confidence about not being breached. New companies formed in the last five years showed much more concern about being attacked, while 70% of respondents in companies that had been around for at least 10 years felt that they were unlikely to be a target.

Here’s how Darren Guccione, CEO and co-founder of Keeper Security, summed up this observation:

“We’ve observed this trend throughout the data, and several indicators such as the age of the respondents surveyed or the longevity of the businesses reveal differences in prioritization of cybersecurity. It could be that the businesses operating for longer periods erroneously assume that they won’t be attacked if they haven’t been already, or that cybercriminals have no interest in them. Given the rapid speed at which technology has advanced in recent years, it’s possible that newer businesses and younger leadership are more ingrained with technology and thus better understand the security risks it presents, although there is still plenty of work to be done from an awareness and preparedness standpoint across the board.”

There is also an age correlation – younger decision-makers (32%) are much more likely to believe they are going to be attacked than leaders over the age of 55 (5%) are.

Other factors that caused respondents to be more aware of cyber risks included the industry they worked in (with extremes of 47% of financial industry decision-makers vs. only 4% of those in the entertainment industry), their level of education (those with postgrad degrees were much more likely to expect attacks), and being in a subordinate position to the CEO (such as CFO or COO).

Interestingly, of all the decision-makers, CEOs were the most likely to believe that cyber-attacks were not likely (43%). This was also the leadership group that was most likely not to know what their own company’s password security policies were.

The biggest takeaway from all of this is that SMBs very often do not take cybersecurity seriously until they’ve been stung at least once. Unfortunately, just one attack could be fatal to a smaller business. Research from 2018 indicates that 60% of SMBs that experience cyber attacks go out of business within six months; also consider that this data was collected in the United States, where massive fines for data breaches such as those levied under the terms of the GDPR do not exist.
