Recently, IT research and analytics firm Enterprise Strategy Group (ESG) conducted a survey of 400 cybersecurity and IT professionals, all of them working in small and medium-sized organizations in North America.
What is the state of cybersecurity in small and medium-sized enterprises?
Two-thirds of the organizations surveyed reported having experienced at least one cybersecurity incident (compromised systems, malware, DDoS, phishing, data leakage, etc.) in the past two years.
How did security incidents affect you?
- About half (46%) responded that security incidents caused lost productivity.
- 37% said these incidents led to disruption of business applications and IT systems.
- Another 37% pointed to an interruption of business processes.
Note: Multiple responses were accepted in the survey.
The fact is that small and medium-sized organizations are currently under attack and being compromised. In addition, these security incidents tend to have a quantifiable financial impact.
Main causes of security incidents
Respondents were also asked to identify the main factors behind these security incidents. These were the results:
Human error (35%)
Small cybersecurity/IT teams are usually made up of IT specialists who are not necessarily specialists in cybersecurity. As a result, misconfigurations and incorrect security procedures occur.
Lack of understanding of cybersecurity risks (28%)
Many small businesses don’t think they can be attack targets, so they invest little in security readiness or ignore it altogether. Small business executives should be aware that these incidents can, and indeed do, happen anywhere.
Implementation of new IT initiatives (Cloud computing, SaaS…) without the necessary security measures (27%)
Probably due to reasons such as lack of knowledge, or company staff signing up for SaaS services without informing IT.
Lack of cybersecurity preparedness among non-technical people (24%)
Small businesses, as they do not consider themselves cyberattack targets, do not usually invest in training in this area.
Cybersecurity personnel cannot cope with the full workload (20%)
Small organizations often do not have sufficient skills and staff in the area of cybersecurity. In these cases, it is necessary to use an external managed security service provider (MSSP).
It is therefore crucial that small and medium-sized business executives are aware that their organizations are also being targeted by cyber attackers, whether to extort them, steal information valuable to the company, etc.