Why SMB Cybersecurity Is A Non-negotiable Today

For SMBs, Cybersecurity hasn’t been a priority, as they focused on generating and growing revenues. But today, it is emerging as a top priority as evident from Zinnov’s recent survey of 600 SMBs (Small Medium Businesses) in the US, which shows that 45% of SMB owners consider Cybersecurity as one of their top 3 priorities, with 18% mentioning it as their #1 priority. This growing awareness stems from the ever-increasing number of cyberattacks over the last few years.

According to the National Cyber Security Alliance, in 2021 alone, 47% of all SMBs were hit by a successful cyberattack, and of that number, a staggering 60% never recovered. This means that 28% of all US SMBs were forced out of business after a cyberattack. Although the number of cybercrime victims since the onset of COVID remained relatively the same as pre-COVID, the total number of attacks and their severity increased drastically. The IBM Cost of a Data Breach Report 2021 found that the average cost of a data breach increased 10% in 2021 to USD 4.24 Mn, while costs were lower for organizations with more robust Cybersecurity policies than organizations with little security infrastructure.

To counter this growing threat, SMBs have radically shifted their focus to integrating Cybersecurity solutions across their organizations. Our recent comprehensive Cybersecurity point of view highlights that this shift was led by a rising number of millennial CEOs who are more tech savvy. Cybersecurity is becoming far more important than ever before for SMBs, and it will continue to evolve as a core focus for them for an indefinite future. To help counter threats, many governments, including in the US, are providing incentives to SMBs to focus more on Cybersecurity.

The Growing Threat

While many businesses weren’t prepared for the pandemic and its economic impact, small businesses were the hardest hit, which forced many of them to digitize quickly. Amid the slowing economic activities, SMBs increasingly moved to e-Commerce, providing and purchasing more goods and services online. According to Salesforce’s Small and Medium Business Trends Report, 72% of SMBs have increased their online presence over the past year. Also, 19% of SMBs say that they are planning to move to a fully digital business model, up from 12% just a year ago. Additionally, in a recent study by PYMNTS, remote working, which has become commonplace since the beginning of the COVID-19 pandemic, adds to this growing digital complexity among SMBs. This increased digital presence posed greater Cybersecurity risks as hackers took advantage of the gaps (SMBs’ security requirements and the solutions being offered to them) created when many organizations failed to follow/adopt security best practices. The surge in cyberattacks proves how the market has failed to meet the SMBs’ needs in this area, and the SMBs’ buying priority has markedly shifted to fill this gap.

Ransomware has emerged as the most common cyberattack on SMBs and has become more complex and costlier to manage. Malware, phishing, and compromised devices follow ransomware in the long list of attacks that SMBs need to deal with. According to CNBC’s report, the ongoing geopolitical unrest has caused the US to be more vigilant of cyberattacks, so as to not be drawn into a direct conflict with another country.

However, the number of crippling attacks against everyday businesses continues to grow. Cybersecurity company Symantec’s analysis has revealed that 52.4% of “phishing” attacks this year were against SMBs – with a massive spike since the onset of the Russia-Ukraine war. Here are just a few examples out of thousands, that the public will probably never hear about: Efficient Escrow of California was forced to close its doors and lay off its entire staff because cybercriminals nabbed USD 1.5 Mn from its bank account. The thieves gained access to the escrow company’s bank data using a form of ‘Trojan horse’ malware. A car dealership in Kansas, Green Ford Sales, was attacked by hackers who swiped bank account information, resulting in a loss to the tune of USD 23,000. They added nine fake employees to the company payroll in less than 24 hours and paid them a total of USD 63,000 before the company caught on to the attack.

Amidst the increasing threat of cyberattacks, three quarters of Americans expect businesses in the US to experience a major cyberattack within the next 12 months, as per the latest SurveyMonkey polling. Certainly, consumers’ expectations for cyber-preparedness have increased, and they won’t hesitate to leave a brand if those expectations are not met. This fear of losing customers is one of the key drivers for the increasing investment in Cybersecurity among SMBs. Small business owners in the finance and insurance industries are some of the most confident to quickly respond to a cyberattack, with more than 7 in 10 saying that they would be able to combat an attack. Among those in the arts, entertainment, and recreation industry, 5 in 10 say that they are confident in their Cybersecurity infrastructure, and despite this growing confidence, SMBs need to invest more in Cybersecurity to gain the trust of and retain customers.

The SMB Response

To combat the growing cyberattacks, investment in Cybersecurity has significantly increased over the last year. The above graph shows that the biggest Cybersecurity investments were in web vulnerability scanning tools, firewall tools, and antivirus software. The web vulnerability scanning tools reduce businesses’ exposure to threats by making sure that endpoints are adequately secured, and that the company is resilient in the event of a breach. Antivirus and advanced malware protection, known as Endpoint Detection and Response (EDR) systems make it easy to detect devices that are connected to a network and respond to threats that the system recognizes. For example, if someone who has malicious intentions is connected to a network, the EDR system provides detailed information about the device that was connected and its activity. Next-Generation Firewalls (NGFW) provide broad protections against an array of threats, while making it easier for outside users to enjoy secure connections to a network.

Beside investing in technology, 29% of SMBs have started training their employees on identifying potential security vulnerabilities, recognizing and avoiding scams, creating strong passwords, and protecting sensitive customer and company information. According to Verizon 2021 Data Breach Investigations Report, “80% of data breaches are the result of poor or reused passwords.” While employees are now expected to keep their company networks secure, an average employee now needs to keep track of 191 passwords across their entire digital life. Hence, 66% of people mostly use the same passwords across multiple websites. This proves that people are the weak link, thus emphasizing the importance of employee training to avoid data breaches.

Another major trend that surfaced from Zinnov’s survey of SMBs is that companies are shifting from buying many separate best-in-class point solutions to working with integrated platforms. Workday is one SMB tech platform vendor that is making a very strong case that unified security is always stronger and more supportable than “franken-solutions” that tend to be patched together through multiple vendors, as business add-ons or updates. To help SMBs, Workday is providing a unified, scalable, and a transparent security environment for many different workloads, making it less complex to secure their customers’ systems. Other software companies would benefit from this approach of providing an umbrella security rather than endpoint security, when designing solutions for SMBs.

What’s next?

SMBs do not feel that the security solutions being offered by software vendors is adequate and are demanding more. They need more unified protection solutions across their entire digital footprint and not separate tools for each point solution.

In light of these demands, we believe Independent Software Vendors (ISVs) should consider the following four actions:

• Prioritize SMB-specific pricing, packaging, and channel: To reduce the complexity that arises from integrating multiple point solutions, ISVs should target SMBs with a pre-integrated suite of products and services that are competitively priced. These types of bundled offerings will also potentially help ISVs in strengthening their average revenue per customer. Additionally, now that most SMBs have a digital presence, ISVs should focus on building efficient remote sales channels that use agile marketing practices to drive traffic and optimize online journeys, while deploying Machine Learning models for lead nurturing.
• Offer cyber insurance coverage: One novel approach to build trust with customers and prove that the vendors stand behind the quality of the security they provide, is to offer cyber insurance with their solutions. While ISVs don’t want to be insurance companies, with every vendor claiming that they offer the best security, sharing the risk with the customers would send a strong message.
• Assist in the buyers’ decision-making process: Without substantial knowledge of Cybersecurity, it is difficult and confusing for buyers to differentiate between which of the ISVs’ offerings would end up addressing their specific requirements. As buyers trust the advice of System Integrators (SIs), peers and online reviews, ISVs should ensure that SIs regularly interact with SMBs in their buying journey, collect feedback from current customers for digital marketing, and share customer references with potential buyers. Building trust through transparency will eventually boost their revenue.
• Position yourself as a Cybersecurity thought leader: Experts should showcase their thought leadership in emerging Cybersecurity technologies such as use cases of Artificial Intelligence (AI), 5G, Edge Computing and more, by regularly sharing content on social media, speaking at events, being quoted in the media, or contributing to online publications. The goal is to establish oneself as a credible and reliable source of information within the industry, resulting in the promotion of products and services.

Clearly, Cybersecurity is the SMBs’ top tech priority now and likely to remain so for the foreseeable future, thus making it an increasingly attractive market segment for technology providers to cater to and capitalize on. In our survey, we found that 4 in 10 small business owners felt that their respective businesses were very vulnerable to a cyberattack within the next 12 months, proving that they weren’t satisfied with the current security solutions that their technology vendors have been deploying. Moreover, most of these companies are not able to afford professional Cybersecurity solutions or do not know where to start.

For Cybersecurity solution providers, this provides a hot opportunity. The customer challenges are clear. Players who directly address these specific needs are sure to emerge as the ultimate winners in the market.