If you’re a small to midsize organization, you may be inclined to believe that penetration testing just isn’t necessary. After all, cybercriminals only target the big names, right? In fact, this is precisely the line of rationale that puts any small or medium business at risk. If you were a threat actor, would you not consider pursuing the organization that is not expecting it? The companies with a smaller budget for cybersecurity is often the path of least resistance.
While initially, many are inclined to think that no one would care enough to hack a lesser-known organization, businesses of all sizes encounter threat actors; too often, they only realize after it’s too late. For threat actors, or hackers, it is not just about sensitive information, such as trade secrets or customer data; threat actors also take aim at controlling technologies, critical infrastructure and just about anything else they can exploit from a business, regardless of size. A recent survey, from Cynet, surveyed CISOs of small and medium businesses to get a handle on the challenges they face.
2021 CISO Survey of Small Business
Aptly titled, “2021 CISO Survey of Small Cyber Security Teams,” the survey reflected that companies with small security teams, generally Small to medium enterprises, are facing a number of unique challenges, putting these organizations at greater risk than their larger enterprise counterparts. These risks are forcing all of the two hundred surveyed companies to outsource at least some of their security procedures in order to maintain a level of cyber safety.
The survey, potentially a first of its kind, exclusively focused on organizations those with 5 or less security team members, and budgets of less than less than 1 Million USD, to unearth how these teams are handling the prolific and increasingly complex cybersecurity threats. The 2021 Survey of CISOs with Small Security Teams surveys 200 CISOs at 200 companies with between 500 and 10,000 employees, each. These small security teams face odd challenges as they hold a critical role within their organizations but do so with a relatively small group of individuals and a limited budget.
The CISOs surveyed hold the position that their risk of compromise is higher than enterprises with larger security teams. Given the threat landscape facing today’s organizations, it seems there’s a minimum threshold of human resources, expertise and technology that is required to protect any organization, and most of those surveyed believe they simply do not meet that threshold, leaving them vulnerable. It goes without saying that facing higher risks with fewer resources puts these CISOs in a risky situation.
The primary vulnerability is the lack of security resources that smaller organizations have to contend with; and it is no secret to cyber criminals. Threat actors are well aware that these smaller organizations are low hanging fruit when compared to larger, more secure organizations.
As discussed in our article on Initial Access Brokers, there is a massive network of cybercriminals who rely on the dark web’s networks, tools and consultants. Threat actors can apply the tools and methodologies used to attack larger enterprises and achieve a much better success rate when targeting smaller organizations. For cybercriminals, business is business, so even highly skilled cybercriminals carefully balance risk and reward potential and ultimately focus on small organizations better their success rates. Even relatively unskilled cyber criminals can target smaller organizations and expect a good success rate with trivial effort on their part.
Small Business Cybersecurity Takeaways:
57% of CISOs admitted that their ability to successfully protect their companies is much lower than they prefer.
57% of companies suggested they do not have enough skill and/or experience to adequately protect their organizations against cyberattacks.
63% of these CISOs believe their risk of attack is higher compared to larger organizations, despite the fact that large organizations are larger targets
80% of responding CISOs said they would like to invest in more automated security solutions to cut costs.
100% of small cyber security teams are outsourcing mitigation to an external provider with 53% outsourcing to a Managed Detection & Response (MDR) service and the balance outsourcing to an MSSP provider.
Current Solutions and Packetlabs Suggestions
Investing in Automation
In small business cybersecurity teams, 80% of CISOs responded that to reduce the impact of current threats, they would like to invest more in automated processes. 48% of CISOs revealed that they could have avoided some security incidents in 2020 if they had a bigger team. Without the financial means to meaningfully expand their teams, CISOs believe that automating processes would allow their current teams to accomplish more, with less. Unfortunately, in our experience in this industry, that approach is a Band-Aid and provides very little value in the long term.
In small business cybersecurity, CISOs know which breach prevention technologies are indispensable, with EDR at 52% adoption amongst the surveyed, and 87% of CISOs see good value from its’ use. To a lesser degree, 15% of CISOs report having an XDR solution. XDR solutions make sense as it supports several methods indicated by respondents, including the investment in automation solutions and processes (80%), consolidating security tools and platforms (61%) and replacing complex security technologies (52%).
Lastly, outsourcing is another popular approach, among small business CISOs, to approach risk. This approach is divided between companies outsourcing to an MSSP service (47%) and MDR services (53%). When using an MDR, one-third of CISOs prioritize critical alerts and monitoring, 21% are looking for remediation capabilities, and 21% prioritize incident response recommendations.
Packetlabs Finishing Remarks
At the end of the day, protecting an organization with a small security team and a limited budget is not an easy task. Top tiers CISOs of small businesses must be highly resourceful, experienced stretching limited budgets and prepared to make the tough choices. That’s why, at Packetlabs, as security professionals, we understand it is our responsibility to provide the best value to all of our customers, regardless of size or industry. We believe that our customer satisfaction should speak for itself, and understand that a secure client, is a long-term client. If you would like to get started learning about how the team at Packetlabs can help secure your small business, contact us today to learn about our services!