Recently, IT research and analysis firm Enterprise Strategy Group (ESG) conducted a survey of 400 cybersecurity and IT professionals, all working in small and medium-sized organizations in North America.

What is the state of cybersecurity in small and medium-sized enterprises?

Two-thirds of the organizations surveyed reported having experienced at least one cybersecurity incident (compromised systems, malware, DDoS, phishing, data leakage, etc.) in the past two years.

How did security incidents affect you?

  • About half (46%) responded that security incidents caused lost productivity.
  • Thirty-seven percent stated that these incidents led to the disruption of business applications and IT systems.
  • Also, 37% reported a business process interruption.

Note: Multiple responses were accepted in the survey.

The fact is that small and medium-sized organizations are currently under attack and actively engaged by attackers. In addition, these security incidents tend to have a quantifiable financial impact.

Main causes of security incidents

Respondents were also asked to identify the main factors contributing to these security incidents. These were the results:

  • Human error (35%)

    Small cybersecurity/IT teams are usually made up of IT specialists who have less expertise in cybersecurity. As a result, misconfigurations and incorrect security procedures occur.

  • Lack of understanding of cybersecurity risks (28%)

    Many small businesses don’t think they can be attack targets, so they invest little in security readiness or ignore it. Small business executives should be aware that these incidents can, and indeed do, happen anywhere.

  • Implementation of new IT initiatives (Cloud computing, SaaS…) without the necessary security measures (27%)

    This is probably due to reasons such as a lack of knowledge, or company personnel signing up for SaaS services without informing the IT department.

  • Lack of cybersecurity preparedness among non-technical people (24%)

    Since small businesses are not regarded as cyberattack targets, they do not usually invest in training in this area.

  • Cybersecurity personnel cannot cope with the full workload (20%)

    Small organizations often do not have sufficient skills and staff in the area of cybersecurity. In these cases, it is necessary to use an external managed security service provider (MSSP).

It is therefore crucial that small and medium-sized business executives are aware that their organizations are also being targeted by cyber attackers, whether to extort them, steal information that is valuable to the company, etc.