SMBs need to prioritise cybersecurity preparedness, says study

At a time when cyberattacks are seeing a phenomenal rise, impacting businesses across sectors and sizes, a new report finds that nearly one-third of small and mid-sized businesses (SMBs) do not have a proper cyber security strategy in place to counter cyber-attacks. For example, over a third of them lack even having a proper incident response plan (IRP) in place. An IRP is a set of written instructions for detecting, responding to and limiting the effects of an information security event. Others cite reasons such as lacking the right tools, awareness and budget to prevent themselves from bad actors.

The Egnyte survey, conducted by Wakefield Research among 400 C-levels with tech executives at companies of 100 to 1,000 employees, said that with the number of nation-state and data exfiltration-based cyberattacks continues to increase, smaller organisations need to re-examine their cybersecurity preparedness and foster a culture wherein every member has some level of security awareness that can help them in the event of a cyber-attack.

"Traditionally, mid-sized organisations have lacked the proper cybersecurity resources, so it is important that they understand the value in staying one step ahead of rapidly-evolving threats like ransomware," said Kris Lahiri, co-founder and chief security officer at Egnyte. 

"The findings of this study reinforce that all businesses can bolster their cybersecurity defences by leveraging holistic data governance tools, including data backup processes, training for end-users, and solutions to identify suspicious activity," Lahiri said.

The report also identifies trends such as cyber insurance premiums are on the rise. Forty-seven percent of organisations experienced premium increases of 76% or more in the past year. Likewise, cybersecurity awareness training is being delivered more frequently. Sixty-three per cent of respondents' organisations conduct cybersecurity awareness training at least once a quarter.

Another recently released report from Corvus Insurance said that only 8% of businesses with fewer than 50 employees have a dedicated budget for cybersecurity. Their survey found many of those small businesses lump cybersecurity into IT or another department’s budget, and 47% have no cybersecurity budget at all. The numbers don’t get much better when you look at slightly larger small companies, either, with only 14% of companies with 50-249 employees claiming a dedicated cybersecurity budget.

While these are US-specific data, in India too, half (50%) of SMBs surveyed have experienced a website breach at some point, with 20% reporting a breach in the last 12 months, said a Cisco report. The danger, however, is, nearly half perceive their business as too small to be the target of a cyberattack, and 73% believe they are effectively mitigating risks.

It can be easy for smaller companies to fall into the trap of pushing cybersecurity to the side. Also, most breaches that receive wide media attention are those that happen to gargantuan corporations, but there are plenty of bad actors out there targeting SMB, as well, Lahiri said.