Security teams at small businesses are just as good at defending corporate data and networks as their colleagues at bigger organizations, according to a new survey from Cisco.
Cisco’s new survey, “Big Security in a Small Business World: 10 myth busters for SMB security” said that SMBs face the same challenges that big companies do, including inquiries from customers about security issues and privacy policies.
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
SMBs also deal with about the same amount of downtime due to security breaches as big companies do. Twenty-four percent said they had more than eight hours of downtime during the most severe breach in the past year, compared with 31% of big companies that had the same level of downtime. The amount of downtime dropped when compared to the 2018 survey, which showed that 40% of SMBs had more than eight hours of downtime.
Researchers surveyed 500 SMB leaders in companies that employ 250-499 employees. The myths about security at small- and medium-sized companies that Cisco researchers identified in the new report include:
- Only large organizations face public scrutiny
- Larger businesses suffer less downtime and recover faster from attacks
- SMBs lack personnel dedicated to security
- Large businesses have more updated infrastructures
- SMBs face different threats than larger businesses
- SMBs don’t proactively perform threat hunting
- Smaller businesses don’t test their incident response plans
- SMB leadership doesn’t take security and data privacy seriously
- Smaller organizations don’t regularly patch vulnerabilities
- SMBs can’t measure the efficacy of their security programs
Wolfgang Goerlich, advisory CISO with Cisco Security, said two survey responses surprised him. The first one was the finding that 60% of SMB owners said they have a team of 20 people or more dedicated to cybersecurity.
“I think this shows people at SMBs are much more security savvy than we give them credit for,” he said.
Goerlich also was surprised to see that 72% of business owners reported that they have employees dedicated to proactive threat hunting, compared to 76% of large companies. Threat hunting involves looking for attacks that have penetrated a network without raising any alerts.
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
“We usually think of this as a more advanced skill and only saw it in bigger organizations, but with the democratization of threat intel, there’s better information out there than there has ever been,” he said.
To stay on top of the new security risks created by entire companies working from home, Goerlich said optimize cyber defenses and use threat intelligence data to make improvements to the system.
“You want to make sure your investments are aligned in the direction the work is going and aligned with the direction the attackers are going,” he said.
Advice for keeping defenses strong
To maintain a strong defense or bolster it if your company’s security posture is not reflected in these survey results, the Cisco report recommends these steps:
- Master the basics: Patching vulnerabilities, training employees, implementing zero-trust access with multi-factor authentication, and securing network, endpoints, cloud, and applications
- Balance security with usability so that employees can do their jobs
- Partner with vendors that simplify security infrastructure
SMBs working with a cloud-based infrastructure have somewhat of an advantage over larger companies still using on-premise data centers. Goerlich said that SMBs should think about patching as a way to increase resilience.
“This is where companies that are already in the cloud have an advantage because resiliency relies more on the vendor to keep systems patched,” he said.