Upleveling the State of SMB Cybersecurity

Gone are the days when cyberattacks were deemed concerns solely by corporate giants.


When reading the news, it often appears that cyber adversaries are solely focused on exploiting large enterprises. However, small and medium-sized businesses (SMBs) are increasingly finding themselves in the crosshairs of cyber threats. According to a recent study by Vanson Bourne Research, titled “The State of SMB Cybersecurity in 2024,” 94 percent of SMBs have suffered from at least one cybersecurity attack in the past, up from 64 percent in 2019. This surge translates into elevated levels of concerns about further attacks, with 89 percent of SMBs worried about being targeted within the next six months.

Gone are the days when cyberattacks were deemed concerns solely by corporate giants. Recent years have shown a significant shift, with cybercriminals setting their sights on smaller, more vulnerable targets: SMBs. As major enterprises bolster their cybersecurity, SMBs become attractive targets because of their perceived weaknesses. Accenture’s Cybercrime study in 2023 revealed that nearly 43 percent of cyberattacks targeted small businesses, and that only 14 percent of these businesses were prepared to face them.

Cybersecurity Challenges Faced by SMBs

While SMBs acknowledge the growing threat, they also report increasing difficulty in thwarting cyberattacks. SMBs face numerous challenges in cybersecurity due to their unique position and resource constraints. Here are some of the primary challenges:

  • Limited Resources: SMBs often have limited budgets, making it challenging to invest in robust cybersecurity measures and tools. Furthermore, many SMBs lack dedicated IT staff, let alone specialized cybersecurity personnel. This leads to overburdened employees who may not have the necessary expertise.
  • Lack of Awareness and Training: Employees in SMBs may not be well-trained in recognizing and responding to cyber threats, making them more vulnerable to phishing attacks and social engineering. In addition, business owners and managers may underestimate the importance of cybersecurity, leading to inadequate prioritization and investment.
  • Sophisticated Threats: Cyber threats are becoming more sophisticated and targeted. SMBs might not have the advanced security infrastructure to defend against these evolving threats.
  • Regulatory Compliance: Navigating the landscape of cybersecurity regulations (e.g., GDPR, CCPA) can be difficult for SMBs, particularly those with limited legal and compliance expertise. Non-compliance with regulations can result in significant fines and legal consequences, adding pressure on SMBs to stay compliant.
  • Incident Response and Recovery: Many SMBs lack comprehensive incident response plans, making it difficult to respond effectively to breaches or cyber incidents. Limited access to sophisticated data backup and recovery solutions can prolong downtime and exacerbate the impact of cyber incidents.
  • Third-Party Risks: SMBs often rely on third-party vendors and partners, which can introduce vulnerabilities if those entities have weak cybersecurity practices.
  • Technology Obsolescence: SMBs might use outdated hardware and software that no longer receive security updates, creating exploitable vulnerabilities. The cost and complexity of upgrading to more secure technologies can be prohibitive for SMBs.
  • Lack of Cybersecurity Strategy: Without a clear cybersecurity strategy, SMBs may implement security measures in an ad-hoc manner, leading to gaps and inconsistencies. Proper risk assessment and management practices are often lacking, resulting in a poor understanding of potential threats and vulnerabilities.
  • Vendor Management: Identifying and selecting appropriate cybersecurity solutions and vendors can be overwhelming, especially with the proliferation of products in the market.

Addressing these challenges requires a multi-faceted approach that includes increasing security awareness, investing in appropriate security measures (e.g., multi-factor authentication, risk and vulnerability assessments, endpoint and SaaS security, as well as data backup), developing comprehensive cybersecurity policies, and leveraging external expertise when necessary.

MSPs to the Rescue

In this context, Managed Service Providers (MSPs) are becoming an increasingly vital lifeline for SMBs striving to boost their IT resources and cyber defense capabilities. According to Vanson Bourne Research, 94 percent of SMBs now use an MSP, up from 89 percent in 2022 and 74 percent in 2020.

Selecting the Right MSP

Choosing an MSP is a crucial decision for SMBs seeking to enhance their cybersecurity posture and overall IT management. Here are key criteria to consider when evaluating MSPs:


Security Expertise: Look for MSPs with staff who hold recognized cybersecurity certifications (e.g., CISSP, CISM, CEH). Assess the MSP’s experience and success in handling cybersecurity threats and incidents.

Range of Services: Ensure the MSP offers a full suite of services, including network security, endpoint protection, data backup, disaster recovery, and compliance management. The MSP should be able to scale their services to grow with the SMB’s business needs.

Customization and Flexibility: The MSP should provide customized solutions tailored to the client’s specific business needs and industry requirements. Look for flexible contract terms that allow you to adjust services as needed without heavy penalties.

Reputation and References: Research reviews and testimonials from other businesses, particularly those in your industry. Ask for case studies or examples of how the MSP has successfully helped similar organizations.

Service Level Agreements (SLAs): Ensure the MSP provides clear and detailed SLAs outlining the scope of services, performance metrics, response times, and resolution times. The SLAs should include provisions for accountability and consequences if the MSP fails to meet agreed-upon standards.

24/7 Support and Monitoring: Confirm that the MSP offers 24/7 support and monitoring to address issues promptly and minimize downtime. The MSP should provide proactive monitoring and maintenance to prevent issues before they arise.

Compliance and Regulatory Knowledge: The MSP should be knowledgeable about the compliance requirements specific to your industry (e.g., HIPAA, GDPR, PCI-DSS).

Incident Response and Recovery: Assess their incident response capabilities, including their ability to detect, respond to, and recover from security incidents.

Technology and Tools: Verify that the MSP uses advanced, industry-standard tools and technologies for cybersecurity, monitoring, and management. Their tools should integrate seamlessly with your existing systems and infrastructure.

Transparency and Reporting: The MSP should provide regular, detailed reports on system performance, security incidents, and overall IT health.

Cost and Value: Compare the cost of services with the value provided. The cheapest option is not always the best; consider the quality and comprehensiveness of services.

Partnership and Communication: The MSP should function as a partner, collaborating with your internal team and providing strategic IT guidance. Assess their communication skills and responsiveness, ensuring they keep you informed and involved in decision-making processes.

For SMBs, choosing the right MSP requires thorough research and careful evaluation to ensure alignment with business needs and effective support for IT and cybersecurity objectives.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
