Think you have your SMB customers on lockdown when it comes to providing cybersecurity solutions? A research report conducted by Continuum and Vanson Bourne indicates that might not be the case…by a longshot.
The study, titled “Underserved and Unprepared: The State of SMB Cyber Security in 2019,” produced data that managed service providers might find downright shocking, not to mention alarming. At first blush, it appears SMBs are clearly worried about the incidence of cyber attacks and have prioritized it from a business and investment standpoint. But the most sobering statistics speak to the SMB’s regard, or lack thereof, for their current MSPs.
In short, SMBs are ready to cut ties with their current providers, should the “right” solution be introduced to them.
Among the major findings uncovered by the study:
- 89% of respondents see cybersecurity as the top or top five priority in their organization;
- 75% agree that there should be more emphasis placed on security in their organization;
- 79% of SMBs are planning to invest more in cybersecurity over the next 12 months.
Most SMBs believe they are ill-equipped to deal with cyber attacks on their own. For example:
- 62% say they lack the in-house skills to deal with cybersecurity;
- A mere 13% who do not use an MSP feel confident in all cases that their organization would be able to defend itself during an attack;
- And 52% feel helpless to defend themselves from new forms of cyber attacks.
But perhaps the biggest eye-opener is SMBs’ attitude toward their current MSPs on the matter of cybersecurity, offering good and bad news for providers:
- An impressive 84% who do not use an MSP would consider using one if offered the “right” cybersecurity solution.
- And 93% would consider moving to a new MSP if they offered the “right” solution, even if they weren’t planning to change. Respondents indicated they would be willing to pay up to 25% more with the “right” solution.
Depending on one’s viewpoint, the lack of MSP loyalty can either be viewed as a threat or an opportunity, notes Jay Ryerse, chief technology officer of security products for Continuum. Noting that respondents would be open to paying up to 25% more for the “right” solution, he took a glass-half-full approach to the findings.
Jay Ryerse, Continuum
Service providers, however, must wonder about the factors behind this apparent lack of confidence in incumbent providers. “I believe it starts with defining what the ‘right’ security solution looks like for the SMB,” Ryerse said. “Keeping in mind that every SMB has different requirements, the challenge MSPs will face is delivering a solution that is ‘right’ for their client.
“The lack of confidence likely stems from the lack of conversations around what SMBs are doing to secure company data,” he added. “To solve for this, MSPs need to do a risk assessment or business impact analysis to determine what data is worth protecting, and then putting in the right solution to successfully secure those tools. They might be the ERP system, the cloud-based CRM, or even an onsite file server with critical data in place. They should start by understanding which departments are most important and then protect the critical tools that are needed for that department to function. That approach will build confidence in their services and protect their client base.”
Methodology
Vanson Bourne, an independent technology market research specialist, spearheaded the project, which was commissioned by Continuum. Between January and March of this year, IT and business decision makers involved in cybersecurity, representing 850 SMBs in the United States, United Kingdom, France, Germany and Belgium, were interviewed (the U.S. portion accounted for 300 respondents). These organizations employ between 10 and 1,000 people and represent a wide range of business sectors.
The interviews were conducted online using a rigorous, multi-level screening process to ensure that only suitable candidates were given the opportunity to participate.
SMB Attitudes
The good news is, cybersecurity is on the radar for most SMBs. According to the findings, 49% state that cybersecurity is currently critical to their business and is a top priority. Also, 52% of respondents say that protecting against cyber attacks is one of their organization’s biggest priorities in the next two years. The bigger the SMB, the more important the issue is for the company. For example, with companies that employ 250-1,000 people, the tally rises to 57%.
Nearly eight in 10 respondents indicated they planned to invest more in cybersecurity over the next 12 months. Those who use an MSP are also more likely to increase their cybersecurity investment compared to those who do not have a provider (83% to 62%).
As 79% of SMBs are planning to invest more over the next year, confident SMBs must mobilize to seize on this willingness to invest in cybersecurity, according to John Schweizer, vice president of office technology for Continuum.
“The office equipment dealer with MSP proficiency has a tremendous opportunity and the clients’ comfort level with them will be reinforced based on their organizational strength and financial stability,” Schweizer said. “The need will be driven by concern: 80% of SMBs fear an attack, the lack of skills to protect and respond at the SMBs level, and the significant risks of an incident.
John Schweizer, Continuum
“The office equipment dealer can’t go it alone, though. The speed of change in cyber threats requires careful coordination of technology and skilled personnel, credentialed personnel being out of the typical dealer’s price tolerance. The dealer should carefully pick a partner that has security as a core offering, along with significant scale in tools, technology and personnel. The dealer should also look to the partner for education and reinforcement of security best practices. Continuum rises to the task with a complete security practice and brain trust that is appropriately married to our Help Desk, NOC and BDR disciplines. All of this is coupled with a dedicated staff designed to support the success of office equipment dealers.”
Worst Fears
The threat of an attack weighs heavily on SMB minds: 80% are worried they will become the target of a cyber attack in the next six months, and 75% feel there should be more emphasis placed on security within their organization.
When it comes to cyber attack consequences, the most common fears are loss of data (50%), customer loss (43%) and damage to reputation (39%). Other fears include customer data being breached (82%), data being stolen from outside the organization (77%) and IT systems downtime (77%). And 76% are worried about customer-facing applications being breached.
Rate of Incidence
Cyber attacks against SMBs have become commonplace. Nearly two-thirds of respondents’ organizations have suffered an attack, and about one-third have experienced one in the last 12 months. Of those companies attacked, only 2% claim there was no impact on their business. The most common aspects cited an impact via monetary costs (35%), costs of time/effort in dealing with the issue (33%) and data loss (32%).
Respondents who say their organization was affected by cost due to an attack report a total business cost of just under $54,000, on average. The larger the organization, the greater the cost impact of an attack.
Security Expectations
It is clear that SMBs have high expectations of the benefits of using an MSP, but also in terms of who is liable in the event of a cyber attack. Of those that use an MSP, 69% claim they would hold their MSP accountable at some level in the event of an attack, with 35% saying they would hold their MSP solely accountable. Three quarters (74%) of SMBs who use or plan to use an MSP would take legal action against them in the event of an attack, while 38% report they expect their MSP to have complete accountability for legal issues in the event of a security issue.
MSPs to not only provide their SMB clients with sufficient and robust protection but also properly set expectations as it pertains to responsibility and liability in the event of a cyber attack.
“I wasn’t surprised to see it, but was intrigued by the number of SMBs that would blame their MSP after a breach,” Ryerse noted. “We’ve seen that over and over again in the marketplace, but to see stats around that speaks volumes to what we’ve been sharing with MSPs. I also looked closely at the data across different SMBs based on their size and was excited to see that in general, businesses with 10-50 employees were facing the same issues that business with more than 250 employees. I had expected to see large differences but there were no material differences.”
