In our first myth-busting story, we set several cybersecurity misconceptions straight and began establishing that, contrary to popular belief, small- and medium-sized businesses (SMBs) take IT security very seriously indeed.
In fact, a Cisco Benchmark Survey shows that SMBs are proactively investing in protecting their data and infrastructures. The Cisco survey studied almost 500 SMBs, defined as organizations with 250-499 employees. Let’s use this study to demystify three misunderstandings about cybersecurity and SMBs.
FACT OR MYTH?
SMBs don’t proactively perform threat hunting.
MYTH. According to Cisco, 72% of SMBs have employees dedicated to threat hunting - the proactive security exercise designed to seek, find, and identify attackers that have penetrated a network but haven’t raised any alerts.
The concept of threat hunting sounds like it involves a mysterious crime scene investigation, with its nuances and complexity out of reach for smaller businesses. SMBs have their hands full trying to investigate alerts; they don’t have time to go hunting for other threats, right? Wrong.
Although their levels of maturity may differ from those of larger organizations due to fewer resources, the Cisco data suggests that SMBs recognize the value of a proactive approach toward cybersecurity and are embracing it.
FACT OR MYTH?
SMB executive leadership doesn’t make security a priority.
MYTH. This is a big one – the one that the collective industry has unfortunately been peddling for years. The idea that SMB executives are in the dark on how much danger they’re in – and haven’t nurtured an organizational culture around security and data privacy.
Cisco’s data proves that this myth is far removed from the truth. There are three ways to prove this from the survey:
1. Data privacy
Cisco’s data shows that 90% of IT decision-makers say they are familiar with their data privacy program, compared to 91% in larger companies – not much of a difference.
2. Cybersecurity awareness training
Eighty-four percent of SMBs make security awareness training mandatory, while larger organizations do so at a slightly higher rate of 88%.
3. Executive buy-in
Eighty-seven percent of executives in SMBs agree that security is a high priority. This is just three percentage points behind the 90% at larger businesses.
Security must permeate across the business to have any effect, and executive support is critical to operationalize security. This is as true for an SMB as it is for a larger organization – and in most cases, easier to achieve in a presumably more agile environment.
Based on the survey’s findings, SMBs have nurtured organizational cultures around security and data privacy. More than two-thirds of respondents across all industries said their executive leadership considered security to be a high priority.
FACT OR MYTH?
Smaller organizations regularly patch vulnerabilities.
FACT. Patching often falls under the basics of cybersecurity, but in practice, it can be challenging to implement. One industry misconception suggests that some SMBs would rather use their resources elsewhere than find ways to minimize the disruption caused by patching.
Fifty-six percent of SMBs patch daily or weekly, compared to 58% of large businesses – showing that businesses of all sizes approach very regular patching routines the same way.
Cisco data shows that enterprises and organizations with 500-999 employees are the most likely to experience an incident from a known vulnerability. This shows that those in the SMB category are more effective at patching known vulnerabilities than some larger businesses, resulting in fewer incidents.