Despite daily headlines of cyberattacks, nine out of 10 IT and security leaders believe their organizations are still falling short in addressing cyber risks, according to Foundry’s 2021 Security Priorities Study.
But there is hopeful news. The study found that small and midsize businesses (SMBs) that are increasing their security budgets aim to double their spending on average, from approximately $5.5 million in 2020 to $11 million in 2022.
Furthermore, because many SMBs tend to have limited expertise in security, they are turning to outsourcers for help. This year, 21% plan to have fully outsourced their security functions.
However, before doing so, consider this: many managed services providers (MSPs) also lack security expertise. In the face of cutting-edge cyber threats, their approach may be limited to configuring basic firewall rules and deploying antivirus solutions, says Gaidar Magdanurov, chief success officer at Acronis.
Unfortunately, ensuring a better security posture comes at a higher cost to organizations. That sometimes leaves gaps and risks – for both SMBs and the customers they serve.
“We typically see that few SMBs have a strong security posture,” Magdanurov says. “So, when they are serving as vendors of large enterprises, they inadvertently become the weak link in the security chain.” As an example, he points to multiple recent security breaches of large retailers, including Target and Home Depot, through third parties.
Security Initiatives for SMBs
The first step is to engage with partners that can deploy and manage security information and event management (SIEM) systems, as well as monitor events to detect security threats, Magdanurov says. “Reactive security is not enough, and SMBs need to have security solutions that assess vulnerabilities, deploy patches, and improve configurations.”
SMBs should invest in tools that can quickly restore systems to an operating state after attacks while maintaining a copy of the information for analysis and investigation to prevent future breaches. If you aren’t sure how to go about prioritizing and tackling these, an MSP with security expertise or a managed security services provider (MSSP) can help.
“The partner should guide you through the options available, based on the budget you’re able to allocate to security,” Magdanurov says.
It is also critical to invest in employee education around security best practices because people are still responsible for about 90% of all breaches, he added. Such incidents might occur when users open a phishing email, adopt weak passwords, or leave unlocked devices in public.
“SMBs should also request that their MSP or MSSP partners regularly review their environments to constantly improve the security posture,” Magdanurov says.
When Finances are Limited
For those with a limited budget, at the very minimum, Magdanurov advised the deployment of an integrated system that combines cybersecurity with data protection and management.
“SMBs need proactive protection with patch management capabilities, vulnerability assessments, and antivirus and anti-malware protection,” he says. They also need the ability to quickly recover in the event of failure by restoring from backup – automatically, if possible – to local hardware or even the cloud.
An integrated offering is the most economical decision, Magdanurov says, because “it allows an SMB – or the MSP managing their infrastructure – to save on resources spent deploying multiple agents and managing multiple consoles, maintaining a patchwork of solutions, and training staff to work with disparate vendors.” Using multiple solutions actively increases complexity and the chance for human error, he notes, decreasing reliability and putting organizations in harm’s way.