Business survey 2019: almost 25% of small businesses feel that their cyber-security protection is inadequate – podcast
In this podcast, Research Director, Tom Rebbeck discusses some of the results of our recent business survey and what it tells us about cyber security and small businesses.
Listen to or download the podcast
The cyber-security market for micro, small and medium-sized businesses is large, and growing rapidly. Analysys Mason estimates that enterprises with fewer than 1000 employees will spend around USD50 billion on security in 2019 and that this will grow at an average annual rate of 13% between 2019 and 2024.
However, the market may not achieve this growth unless security vendors do a better job of servicing it. Vendors that want to succeed in the small and medium-sized business market need to do more to explain the security risks that these companies face and increase awareness of products that can help mitigate such risks.
Our recent survey of 3000 businesses worldwide shows that the smaller a business, the larger the relative impact of a cyber attack. Despite this, small companies are not well served by security vendors.
High-profile cyber attacks on large businesses such as British Airways or Equifax may make headlines, but rarely have severe long-term consequences for the business. In contrast, a cyber attack can threaten the existence of a small business. According to our survey, the average cost per employee of all attacks in the past 12 months was over USD400 for a micro business, compared to costs of USD25 for a large business.
Security incidents are also relatively common for smaller companies. In our survey, 32% of micro businesses and 39% of small businesses reported that they have experienced a security-related incident in the last 12 months. Again, if we compare the data on a per-employee basis, smaller companies are more vulnerable than larger ones.
This vulnerability is reflected in how smaller companies feel about their level of protection. Only 77% of micro businesses said that they felt fairly or extremely well-protected against cyber-security attacks and threats from external parties. The remaining 23% felt either somewhat or not satisfactorily protected, compared with just 10% of large businesses.
Few micro or small businesses have dedicated security personnel. Security is often the responsibility of an office manager, or even of the company owner. This makes it more difficult for security vendors to target the right person than when targeting larger organisations.
But, this should not be mistaken for a lack of interest in security; our survey shows that the security priorities of smaller businesses are almost identical to those of larger organisations. Protecting customers' data and ensuring business continuity are almost equally important for businesses of all sizes.
The lack of specialist security staff and limited budgets are considered to be barriers to the development of security capabilities by surveyed businesses of all sizes. However, smaller businesses were far more likely than larger ones to cite the lack of awareness of new security vendors and their products as a challenge.
Vendors might regard smaller firms as unattractive business propositions for many reasons: spend per company will be low relative to larger organisations; prospects can be hard to find and expensive to serve; price may be more important than technical capabilities in decision making, as may ease of use.
For vendors that are willing to tackle this market though, these negatives create an opportunity. As our survey shows, even the smallest enterprises are interested in improving their security. A security breach is likely to cost at least a few thousand dollars, and for a small business with tight cash flows, that could represent the difference between surviving or not. Despite this (or perhaps because of it), smaller enterprises are less likely to feel well-protected than their larger counterparts.
Vendors that want to sell to micro and small businesses need to highlight the impact of a security breach, to show how their products can help to mitigate the risks and make it easy for businesses to adopt their services.
These vendors should experiment with self-serve options, freemium models and free trials that can be used to demonstrate the threats that businesses are facing.
If you liked this podcast and would like to hear more, please subscribe to our podcast feed. It can be found in Apple Podcasts, Google Podcasts and other podcast applications.