Manual processes, security complexity, and a lack of support from business management plague SMBs.
Hello, dedicated readers! My blog is back from a restful week’s vacation on Cape Cod and ready to tackle the falling leaves, changing temperatures, and cybersecurity issues of autumn.
Back in August, I wrote a few blog posts about cybersecurity trends in small and mid-sized organizations (i.e., those with between 50 and 499 employees). The first blog post looked at the state of cybersecurity at SMBs, and the second post examined what SMBs are doing to address these issues.
Top cybersecurity challenges at SMBs
Aside from security incidents and subsequent actions, what are the major cybersecurity challenges experienced by small and mid-sized organizations? ESG asked this question in a survey of 400 IT and cybersecurity professionals working at SMB firms. (Note: I am an employee of ESG.) The results are as follows (multiple responses were accepted):
- 28% of respondents say their biggest cybersecurity challenge is that their organization depends upon too many manual or informal processes for cybersecurity.
- 27% of respondents say their biggest cybersecurity challenge is that it is difficult to manage the complexity of too many disconnected cybersecurity tools.
- 27% of respondents say their biggest cybersecurity challenge is that business managers don’t understand or support strong cybersecurity.
- 25% of respondents say their biggest cybersecurity challenge is that their organization doesn’t provide an appropriate level of cybersecurity training for non-technical employees, leading to increased risk.
- 24% of respondents say their biggest cybersecurity challenge is that their organization lacks the right skills to deal with modern types of cyber threats.
These challenges are understandable. In the past, security was treated as an IT afterthought at many SMBs. Consequently, these organizations purchased security products on an ad hoc basis with no central strategy, while cybersecurity responsibilities were often delegated to an interested IT employee who was simply told to do his or her best without disrupting the business. Employee training was often either neglected or guided by regulatory compliance requirements and little else.