Cybersecurity: Why is it hard for SMBs?

Cybersecurity is a central concern for Small Medium Businesses (SMBs), as the latter are increasingly relying on IT systems and infrastructures in order to support their business models and deliver their services. According to PricewaterhouseCoopers (PwC) Information Security Breaches survey, in 2015, over 74% of SMBs in the UK faced at least one cyber security breach associated with their IT infrastructures and services. At the same time SMBs across all sectors experience an over 10% increase in cybersecurity incidents every year. Cybersecurity can have a serious impact on SMBs competitiveness, as it disrupts operations, incurs significant remedial costs and jeopardizes SMBs compliance to security regulations. Furthermore, even though there is a host of cybersecurity solutions available, there is no easy way for SMBs to adopt and deploy them.

SMBs Cybersecurity Challenges

In principle SMBs face very much the same cybersecurity issues as large corporations, without however possessing the knowledge, staff and equity capital required to successfully prevent, mitigate and confront these challenges. This makes them relatively more vulnerable to cybersecurity attacks, when compared to larger enterprises. Overall, when it comes to adopting and leveraging cybersecurity solutions, SMBs have to deal with the following challenges:

• Cybersecurity knowledge challenges: SMBs lack the knowledge and expertise needed to understand cybersecurity challenges and to confront threats accordingly. In most cases they cannot identify their main risks, along with possible solutions.
• Expanding complexity of IT infrastructures: Nowadays, SMBs tend to deploy more complex IT infrastructures, compared to the past, such as cloud, internet-of-things (IoT) and Big Data infrastructures. While these infrastructures help them improve their productivity, they raise additional security concerns as well, which require more sophisticated solutions.
• Cost Factors: SMBs have limited financial resources, which challenges their ability to implement and put in place security controls for the full range of their IT systems and processes.
• Usability Factors: SMBs need user-friendly security solutions, which should have advanced ergonomics, increased automation and configurability at the business rather than at the technical level.

Managed Security Services and Security-as-a-Service

The rise of Managed Security Solutions (MSS) provides SMBs with a way of eliminating some of the above challenges. MSS alleviate SMBs from the burden of hosting and understanding the details of the cybersecurity infrastructure, since security is outsourced to a provider. MSS is essentially a Security-as-a-Service (SECaaS) model, which enables SMBs to access security services on-line. Examples of on-line SECaaS services include data protection, network protection, intrusion detection, authentication, anti-virus protection, security incidents detection, vulnerability analysis and more. MSS and SECaaS enable SMBs to secure their IT infrastructures and services without on-site resources (e.g., hardware, software, personnel). Moreover, these services are delivered on the basis of a pay-as-you-go paradigm, which leads to cost-savings as compared to the upfront purchase of licenses for security products and services.

MSS and SECaaS Limitations

Despite their benefits, MSS and SECaaS solutions are currently associated with several constraints, which limit their applicability for SMBs. These challenges include:

• Inability to secure emerging cyber infrastructures: Most MSS and SECaaS solutions support baseline infrastructure and services such as protection of hosts against network attacks and viruses. Hence, they do not support emerging cyber assets and related deployment configurations (e.g., IoT devices, hybrid cloud configurations), which are increasingly used to support SMB’s business models and operations.
• Poor usability and ergonomics: Most MSS and SECaaS solutions have been built in-line with the needs of corporations with adequately staffed IT departments (e.g., large corporations maintaining IT business units). Thus, they offer “default” usability for IT ‘experts’, hence making it difficult to understand and use by the less tech-savvy personnel of SMBs.
• No off-the-shelf support for security and data protection regulations: Compliance to security and data protection regulations is a big headache for SMBs, as it is an obligatory, yet expensive security project they have to undertake. For example, SMBs in the financial services and healthcare industries are obliged by law to implement certain data protection directives. Unfortunately, there are only few MSS services that provide such compliance as a service.
• Lack of SME friendly business models: MSS and SECaaS adhere to conventional licensing and pay-as-you-go business models, which are not tailored to the needs of SMBs in terms of cost-effectiveness and cost-structure flexibility.

Overall, the implementation of proper cybersecurity control remains challenging for SMBs. MSS solutions provide benefits, but are still not adequate to cover all SMEs concerns. Therefore, SMBs have to plan and launch cybersecurity projects that will safeguard them from security risks, while at the same time enabling them to adhere to security and data protection regulations. Partnering with the proper expert is vital towards properly planning the needed cybersecurity project in a way that minimizes risk and optimizes costs.