Survey Findings: SMB Cyber Readiness
While larger businesses have regularly purchased Cyber and Technology Errors & Omissions (Tech E&O) policies for a number of years, the small- and medium-sized business (SMB) segment is still playing catch up. A lack of offerings in the market, combined with limited awareness of the risks SMBs face, has kept uptake of cyber protections low for too long — which is one reason companies like Corvus have expanded offerings to meet this segment's needs. Oftentimes, these organizations have specific concerns and factors to take into account when considering cybersecurity and risk mitigation. To learn more, in Q4 2021 Corvus deployed its first Policyholder Cybersecurity Benchmarking Survey to our Cyber and Tech E&O policyholders. Respondents’ titles ranged from C-suite to Vice Presidents, Directors, and IT Managers, while company size ranged from fewer than 50 employees to over 250. With nearly 300 responses, the data shed light on concerns and perspectives that are often present within the SMB segment.
Survey responses showed that small- and medium-sized businesses are primarily concerned with external threats — attack vectors including ransomware and phishing. That’s understandable, given those are widely discussed strategies used by malicious actors — the things that make fodder for news headlines and advertising copy intended to instill fear. Yet the responses also bring to light the fact that many companies may fail to emphasize and act on the need for an internal security culture. A focus on internal security is necessary not only to mitigate the risk that technology and services vendors present to businesses, but to minimize insider security threats as well.
Among the largest businesses within the surveyed group — those with 250 or more employees — just 18% reported having a dedicated cybersecurity budget (as seen in Table 1). That may sound like a small number, but it handily beats the smaller businesses with fewer than 50 employees, of which only 8% have a dedicated budget.
Table 1: Budget Based on Employee Count (chart not reproduced in this text)
Note: totals do not equal 100%, as survey participants could select multiple answers.
As companies scale, many (63% of survey respondents with 250+ employees) eventually do allocate a percentage of technology spend and headcount to security in an attempt to strengthen their posture. However, not having a dedicated budget from the outset means that investing in security can become an ad hoc behavior, often forcing investments in security to be deprioritized during budgetary planning. Organizations that plan a security budget — even a modest one that covers some security expenses — can begin making more informed decisions around security. Ultimately, the budget becomes a forcing function for discussions on cybersecurity investments and exactly where to focus company efforts to see the strongest return on investment. Companies must understand where their risks lie and how to invest to mitigate those risks, or face potential security breaches and associated costs — whether monetary or reputational. Figure 9 highlights key reasons companies are planning to increase security spend in the near future.
Of course, where companies spend their dedicated security budget varies based on the organization. We are currently seeing investments in products for advanced endpoint security, primarily Endpoint Detection and Response (EDR) and Next-Gen Antivirus (AV). Spend may also go toward next-generation firewalls, with a smaller subset dedicating budget to email security as well. Survey responses also demonstrated investment in security awareness training and penetration testing — key components when starting a security program. As more organizations adopt cloud services, greater investments in areas such as Identity and Access Management (IAM) and cloud security will also be required to maintain a strong security posture. When it comes to IAM, implementing a Single Sign On (SSO) solution can help IT teams more easily manage user identities and subsequently streamline the adoption of cloud platforms and SaaS solutions. For cloud security, we are still in the early stages of seeing cyberattacks directed specifically at cloud environments. When cloud-focused attacks do occur, they are often tied to common system misconfigurations — the frequent thorn in security. Effectively addressing emerging security gaps, including those that come with the adoption of cloud services, will continue to require expanding knowledge, skill sets, and solutions.
The majority of survey participants did report feeling supported by their CEO and senior management, with 60% of participants stating that their security spend, whether part of a designated budget or not, is expected to increase in the next year. At mid-sized SMBs, one-third of survey participants reported having a CISO on staff — oftentimes a key executive stakeholder who can help bridge the gap between technologists and business needs, minimizing those potential monetary impacts from poor security posture.
At the same time, Corvus survey responses showed that at companies with fewer than 50 employees, security efforts are more often outsourced — supporting the idea that either way, security investments must be made, even if through outside resources. Interestingly, respondents at those smaller companies also reported having the highest level of confidence that they have implemented or are in the process of implementing all necessary steps from a cybersecurity risk standpoint. Of the participants who stated that they do need help with security improvements, 72% were at companies that lacked a CISO — reinforcing the idea that a CISO can play a large part in drafting a strategy to enhance an organization’s security posture. Company size also plays a role when considering key cybersecurity concerns, including “staying current on the latest threats”: smaller companies reported a higher degree of concern here, while larger companies worry more about vendor breaches and the potential downstream impacts on their businesses. We see these varied concerns as highlighting how security sophistication and needs grow as companies grow — an evolution of the security mindset that’s required for survival.
Table 2: Factors Preventing Improvements (chart not reproduced in this text)
With this insight, it’s especially crucial to note that if someone feels they have implemented all the necessary steps for cybersecurity, they are almost certainly thinking too small. Threat actors’ attack vectors will continue to evolve, often exploiting vulnerabilities in critical services or finding ways to bypass existing security controls. Organizations still need to make investments in market-leading tools, but they require support to manage those tools. In fact, survey respondents highlighted a lack of resources and the overall complexity of security as key driving factors currently preventing improvements in their defenses (Table 2). We know from open-ended survey comments that some policyholders may not have the clearest understanding of their security posture — a circumstance that can be made more manageable with the addition and support of qualified cybersecurity talent.