Key Findings from the Survey
88% of SMBs are providing end users with some kind of IT security training. This is a 14% increase from last year. However, 35% of SMBs do not measure the impact of this training.
The most popular way that SMBs educate end users about IT security is online training (33%). This is followed by resources such as videos, webinars, and articles (31%); and live training and workshops (16%).
44% of SMBs do not have a comprehensive and updated cybersecurity incident response plan in place. This is 4% more than last year.
Since the pandemic began, 36% of SMBs have added staff to take care of IT security, and 8% are working with an external vendor such as a Managed Service Provider (MSP).
Overall, when it comes to IT security awareness in SMBs, things are — as the title of our survey report infographic says — “not as bad as you think.” But that doesn’t mean that they’re great, either.
Most SMBs need to increase IT security awareness across their company in order to address and mitigate the growing risks and consequences of ransomware, malware, supply chain attacks, and other threats. To achieve this critical objective in a pragmatic and cost-effective manner, we recommend that SMBs focus on three priorities: develop a comprehensive IT security plan, educate end users on core IT security fundamentals, and (if necessary) work with an MSP to close the skills gap.
Develop a Comprehensive IT Security Plan
The survey clearly revealed that the majority of SMBs do not have — but urgently need — a comprehensive IT security plan, which ensures that objectives and requirements are communicated in a timely manner to all required stakeholders. There are three core elements:
Define and Document Objectives: Many organizations focus entirely on end user competence and compliance, yet neglect to verify that objectives are understood or even known in the first place.
Define Roles and Responsibilities: Ensure that key internal stakeholders understand cybersecurity requirements across the business, and map them to a RACI (Responsible, Accountable, Consulted, Informed) chart. A RACI chart example is provided in the report (on page 57).
Communicate Downstream and Monitor Upstream: IT security policies must be available to all stakeholders, and updates should be communicated in a timely manner. Establishing bi-directional communication channels is critical, as is making continuous adjustments and improvements as necessary.
Educate End Users on Core IT Security Fundamentals
When training end users, at a minimum we recommend that SMBs cover the following IT security topics:
- Access Control
- Bring Your Own Device (BYOD)
- Cloud Services
- Data Leakage
- Identity Theft
- Incident Reporting
- Intellectual Property
- Introduction to Information Security
- Malware
- Mobile Devices
- Open Wi-Fi Risks
- Password Management
- Phishing
- Physical Security
- Privacy
- Protecting Payment Card Data
- Responsible Use of the Internet
- Social Engineering
- Social Networks
- Traveling Securely
- Working Remotely
Some executives and decision-makers may be looking at this list and thinking: “this is a rather big list, do we REALLY need to cover all of these topics in our IT security training?”
The answer is YES. It only takes a single breach triggered by an end user to open the floodgates. Keep in mind that the average cost of a data breach has climbed to $4.24 million per incident, and a whopping 88% of data breaches are caused by human error.
Work with a Managed Service Provider (If Necessary)
By 2024, an estimated 2.5 million IT security jobs will be unfilled worldwide. And by 2025, that number is expected to surge to 3.5 million. This is wonderful news for experienced and aspiring IT security professionals, whose main source of career stress is not going to be about finding a well-paying job, but rather about deciding which compelling job offers to reject (which is definitely one of those “nice” problems to have!).
But for most SMBs, the situation is far from wonderful. It is impossible to compete with large enterprises in terms of compensation and perks, such as access to the latest (and very expensive) technologies and tools.
Fortunately, there is a viable option: SMBs can partner with a managed service provider (MSP) to close the skills gap, and maintain a strong and compliant IT security profile. We recommend that SMBs choose an MSP that:
- Is committed to providing informed and objective advice.
- Proposes strategies and solutions that are effective and affordable.
- Meets/exceeds responsiveness expectations as per the Service Level Agreement (SLA).
- Has the tools, people, and policies to monitor the SMB’s infrastructure 24/7/365, and support business continuity and disaster recovery.
- Provides informed and objective recommendations with zero self-interest (i.e., the MSP is “technology and vendor agnostic”).
- Can communicate effectively with technical and non-technical audiences.
Looking Ahead
In our next deep dive into the Devolutions State of IT Security in SMBs in 2022-23 Survey report, we will look at how SMBs are managing remote access, and the IT security challenges and concerns they face due to remote access.