Cyber-security investment lacking for SMEs

Chris Mckie at Datto, a Kaseya company, argues that, while small and medium-sized companies are investing more in cyber-protection, it is still not enough

With almost daily news on hacks and cyber-threats, businesses increasingly worry about the risks of being hit by malware. According to recent research by Datto, a Kaseya company, many are taking extra measures to protect themselves against attacks. The annual State of Ransomware Report surveyed nearly 3,000 IT professionals in small and medium-sized businesses (SMBs) – including 370 from the UK – about the steps they are taking to protect themselves, from buying additional security solutions to testing their defences.

The report found that SMBs globally are actively investing in cyber-security. On average, a fifth of the IT budget is dedicated to security. This proportion is a little less in the UK (16%), but 42% of UK respondents saw an increase in their IT security budget this year – albeit most reported this to be 10% or less.

Overall, the UK has one of the highest rates (66%) of using security and software tools. The majority of SMBs have installed basic defences – anti-virus and email protection – and are expanding their security strategy to other areas. Over half (52%) of UK SMBs plan to add cloud security in the next 12 months, while 47% percent are looking to invest in network security. Businesses are also considering security solutions for collaboration tools, business continuity and disaster recovery (BCDR) and endpoint security.

Aside from having the right tools, SMBs are more aware of the need to identify any weak spots in their infrastructure. Nearly two thirds of UK businesses (63%) already run at least two vulnerability assessments a year, with over a third (37%) scheduling them three or more times. In addition, a quarter (24%) have identified vulnerability assessment as a key investment area.

Investments in cyber-insurance

Cyber-insurance can offset the repercussions of security incidents and a growing number of SMBs sign up to a policy. Just under two thirds (63%) of UK respondents said they have cyber-insurance in place, and 32% are planning to invest in it within a year. However, insurance is becoming harder to obtain due to stricter regulations and developing cyber-threats. Some insurers require customers to have certain security controls in place to qualify.

When buying cyber-insurance, fear of being hit by ransomware seems to be one of the drivers, as 42% of those with insurance believe it’s extremely likely that they will fall victim to a ransomware attack. Additionally, the survey found that organisations with cyber-insurance are more likely to have experienced a security incident in the past. And the effects could be devastating: Two thirds (66%) of UK respondents admitted that a successful attack would have an ‘extreme’ or ‘significant’ impact on their business.

The risk of being hit is real. One in five UK businesses has been exposed to ransomware in the past. Nearly a third (32%) of UK respondents faced computer viruses in the last year and 20% encountered COVID-19 related scams or threats. A third (34%) had to deal with phishing emails, which were blamed for security issues by nearly half (47%) of respondents. However, 24% said their security issues were caused by poor user practices and gullibility and around a fifth (21%) felt they were down to lack of end user training.

Lack of training and preparedness

Although Kaseya’s survey found heightened awareness and increased investment in cyber-protection, there is another area that falls short, aside from training – and that is planning for the worst-case scenario. According to the research, just one in four UK businesses has a best-in-class recovery plan in place. Over half (55%) rely on a standard plan instead. Worse still, 15% admitted they have no formal recovery plan at all, risking major disruptions to the business and its customers.

Perhaps this explains why over half of UK respondents (56%) say their companies would find recovery from a cyber-attack difficult – while 8% fear their business would not recover at all. Many SMBs also don’t have the tools to minimise downtime following an attack, such as a unified BCDR solution, a managed security operations centre (SOC) or an incident response strategy.

Half (51%) of UK SMBs had to rely on manual backups to recover data during an incident. One fifth were forced to reinstall systems from scratch. Slow recovery processes meant over a third (34%) of businesses endured downtime of two days or more before they could resume operations. This translates into an expensive problem: The average cost of downtime for a UK company in 2022 amounted to approximately £53,000.

With cyber-risks only increasing, investment in new solutions alone will not be enough. Many SMBs will need external help preparing for, and dealing with, attacks. A third (32%) of the surveyed UK SMBs said their organisation already relies on outsourced IT support. It is likely that this proportion will grow.

Chris McKie is VP, Product Marketing Security and Networking Solutions at Datto, a Kaseya company. The full ransomware report can be downloaded at www.datto.com/resources/datto-smb-cybersecurity-for-msps-report.

Main image courtesy of iStockPhoto.com