Webroot commissioned Wakefield Research to query 600 SMB IT decision makers in the US, UK and Australia to discover current attitudes towards IT security among companies with less than 500 employees. Such companies are often thought to be more at risk of successful cyber-attacks because of smaller budgets, fewer IT staff, and fewer infosecurity products designed for the smaller company.
The results of the survey (PDF) show the curious mixture of reality and wishful-thinking that often affects perception of infosecurity. For example, only 31% of US SMBs consider ransomware to be a major threat in 2017 — despite 49% being concerned about ‘new forms of malware’. In the UK, ransomware is considerd a bigger threat at 50%, with 59% worrying about new forms of malware. This is despite previous Webroot research (PDF) showing that over 60% of companies have already been affected by ransomware; while most analysts believe the threat is still increasing.
Self-confidence is high. First, 72% of SMBs globally believe that they are at least “almost completely ready to manage IT security and protect against threats”; second, 89% of SMBs around the world believe they have staff who could successfully address and/or eliminate a cyber-attack; and thirdly, 87% are confident in their staff cyber security education.
“The lack of concern about ransomware is leaving a gaping hole in the security of global businesses, as witnessed by the recent outbreaks of WannaCry and not-Petya,” comments Adam Nash, Webroot’s EMEA regional manager. “This combined with the false sense of security when it comes to businesses’ ability to manage external threats is worrying.”
Nash believes that SMBs “can no longer afford to put security on the back burner and need to start engaging with the issues and trends affecting the industry.” It’s not as if they do not understand the costs. Asked about the estimated total cost of a cyberattack “where customer records or critical business data were lost”, US respondents replied with an average cost of $579,099.
This was the lowest figure. In the UK, it rises to $974,250; and to a colossal $1,509,938 in Australia.
Outsourcing security is often seen as a solution to the budgetary and staffing problems of SMBs. “Enlisting the help and expertise of a Managed Security Services Provider,” comments Nash, “is one way to implement a secure, layered approach to combat external threats.” But it is not yet the norm, with only 13% of SMBs currently outsourcing. The rest use a mix of in-house and outsourced IT security support (37%), or fully in-house security (50%).
This is likely to change. Eighty percent of the respondents expect to use a third-party cyber security provider to manage security in 2017.
Despite an overt appearance of confidence in their own abilities, there seems to be an increasing acceptance of the value of outsourcing. Ninety percent of the respondents believe that outsourcing their IT solutions in the future would improve their security and enable them to address other areas of the business.
The net result highlighted by this survey is that there is a huge opportunity for MSSPs to tap into an awakening but yet unfulfilled demand in the SMB market.