Nearly half of small and midsize businesses (SMBs) plan to spend more on cybersecurity in 2023 — which is a good thing given that six in 10 firms (61%) have no dedicated cybersecurity staff, about half (47%) have no incident response plan, and 40% fail to conduct formal awareness training.
That’s according to a survey of IT professionals at SMBs with 250 to 2,000 employees from Huntress, published on March 15, which found that while respondent organizations deploy a variety of cybersecurity products — such as email security (86%), endpoint protection (79%), and network protection (73%) — they tend to forgo “basic defensive measures,” such as supplementing workers’ password security with two-factor or multifactor authentication — a recommendation recently made by the US Cybersecurity and Infrastructure Security Agency (CISA).
“A significant number of these businesses feel either unprepared, understaffed, and/or under-resourced for responding to evolving threats, and a significant number face challenges in securing cyber insurance coverage and proper security awareness training for their workforces,” the Huntress report stated, adding that “midsize businesses are aware of the need for multiple cybersecurity layers, [but that] notable gaps exist in their current tools and planning processes.”
To boot, a full third (34%) of respondents said they didn’t believe they could detect advanced threats.
“There’s a percentage out there that doesn’t know they’re actively being targeted or have already been compromised,” says Roger Koehler, CISO at Huntress. “Visibility is key for these businesses, as threat actors can be sitting in their networks for weeks or even months finding footholds and collecting information before they execute their attacks.”
The Huntress survey found that 14% of this business segment had confirmed an attack in the past year, while another 10% of those IT professionals surveyed were not sure whether a cyberattack occurred. Given that there are about 6 million businesses with 250–2,000 employees in the United States, those numbers can add up.
Additional Cyber Spending on the Way
The report did offer some good news: Huntress also found that 49% are planning to spend more on cybersecurity in the coming year to address the shocking need for more knowledge and preparedness. The fact that so many SMBs are taking a proactive approach going forward, rather than reacting to attacks, is hopeful, Koehler says. That said, he adds, the biggest challenge in putting that budget to use will be finding the right staff.
“Midsize businesses aren’t just waiting until they face an incident to respond, but are actually investing in preventative measures that will stop the attacks in the first place,” he says. “However, you can’t put a dollar value on having the right people on your team that have the skills to fight off attacks — and that’s where midsize businesses could improve.”
As of last fall, there were more than 700,000 openings in cybersecurity jobs, a 43% increase over 2021, according to CyberSeek. And with cybersecurity pros facing burnout and dissatisfaction, finding people to hire is tougher than ever.
The combination of more budget and a tight market for knowledgeable cybersecurity people will lead to strong growth in managed cybersecurity services, according to an October analysis by consulting firm McKinsey. The company’s consultants argue that half the market will go to managed security service providers (MSSPs) and security-and-operations management.
“Across all segments, forecasted changes in allocated security spending is increasing as a percentage of services between internal and third-party services,” McKinsey stated in its analysis. “So long as talent remains a problem, outsourced services will be essential for companies that need to support strong security outcomes.”