We are thrilled to announce that Devolutions’ State of IT Security in SMBs in 2023-24 survey report is now available. Click here to download it now.
About the Survey
This is the fourth consecutive year that we have surveyed hundreds of executives and decision-makers in small and mid-sized businesses (SMBs) worldwide, and asked them to share their experiences, concerns, issues, technologies, and strategies related to:
- Privileged Access Management (PAM)
- IT Security Awareness
- Remote Access Management
- IT Security Management
Below, we highlight some key survey results:
78% of SMBs are more concerned about cybersecurity than they were a year ago.
This is an 11% increase from the last survey. That more SMBs are anxious is hopefully triggering more awareness, and ultimately leading to proactive vs. reactive decision-making. The increase also likely means that more SMBs are accepting the reality that risks and threats are getting worse — and so are the potential consequences and costs.
The top three threats that SMBs are most worried about are phishing (62%), ransomware (61%), and malware (52%).
This is the second consecutive year that phishing, ransomware, and malware are causing SMBs the most anxiety. This could indicate that the heightened concern among SMBs (as discussed a moment ago) may not be translating into effective measures to neutralize these specific threats.
69% of SMBs say they have experienced at least one cyberattack in the last year.
This is a 9% year-over-year increase, which should eliminate any lingering doubt that SMBs are “too small to be targeted.” On the contrary, hackers are focusing on SMBs precisely because, compared to larger enterprises, SMBs typically have weaker defenses, especially with respect to administering and governing privileged accounts.
While 80% of SMBs view themselves as “well-protected” against cybersecurity threats, less than 60% are using essential measures like password managers, two-factor authentication (2FA), and cybersecurity training.
Unfortunately, this is precisely what hackers want SMBs to think: that they are fairly safe and secure, and therefore don’t need to strengthen their cybersecurity profile — at least, not at the current time. However, as we see in the headlines on a daily (or make that hourly) basis, the reality is starkly different. Without basic measures such as password managers, 2FA, and end user training, SMBs are alarmingly vulnerable.
51% of SMBs are allocating 6-15% of their IT budget to IT security (including cybersecurity). This is the spending range that many experts recommend.
The proportion of SMBs in the recommended spending range fell 18% year-over-year, which lends credence to the speculation just discussed: when it comes to cybersecurity, many SMBs “feel safer” than they actually are — most likely because they have not (yet) been hit by a major cyberattack.
Unfortunately, some SMBs will discover in the coming months that it would have been far cheaper to make proactive investments in technologies, tools, and training than to cover the costs of a breach. The average cost of a cyberattack for SMBs now ranges from $120,000 to $1.24 million per incident (USD), and 60% of small businesses shut down within six months of getting hacked.
86% of SMBs have cybersecurity expertise in-house or through external consultants.
This is a new question in the survey, and finally we have something positive to highlight! It appears as though most SMBs have realized — either through costly experience, or ideally by being proactive — that cybersecurity expertise (in-house or third-party) is a must-have. Things are changing too quickly to rely on generalists who know more than the average person, but are not in the same category as specialists.
20% of SMBs have a fully deployed PAM solution.
And the good news keeps on coming! In the last survey, 12% of SMBs had a fully deployed PAM solution in place. This 8% year-over-year increase shows that more SMBs are making PAM a priority. This uptick could also be driven by the growing number of insurance companies that are insisting on strong PAM controls as a pre-condition for getting cybersecurity insurance.
Still, 20% of SMBs with a fully deployed PAM solution means that 80% either have a partially deployed solution, or no solution at all. What is behind this? Thirty-five of these SMBs say that their PAM progress is blocked by implementation delays and too much complexity. This is a familiar complaint, as most PAM solutions are designed for enterprises with large in-house IT security/cybersecurity teams. Fortunately, there are now PAM solutions on the market that are powerful and comprehensive, but easy to use and ideal for SMBs with limited budgets and small teams. Find out more about Devolutions' own PAM solution right here.
Get the Report
All of the results discussed above — and several other notable and relevant findings — are discussed in the report. Click here to download it now.
Please also share your reactions, insights, and advice by commenting below. What results did you expect, and what did you find surprising or even shocking? And where do you see things heading in the year ahead?