Overconfidence is an Existential Threat to Small Businesses

By George Anderson

Small and medium-sized businesses (SMBs) may never have presented more enticing targets to cybercriminals, malicious state actors, and purveyors of corporate espionage than they do today. And when these engines of economies are targeted, the costs to a nation’s economic well-being can be severe.

That’s why it’s incumbent upon MSPs to address the need (and opportunity) to protect their clients from attacks and breaches by providing affordable, relevant, and tailored 360-degree security.

The Great Disconnect: SMB Attitudes Toward Cybersecurity

Time and again, in talking to SMBs about cybersecurity, a pervasive and pernicious line of thinking emerges. It takes many forms, but generally goes something like this: We simply don’t have the resources to prioritize cybersecurity spending, but that’s okay because we’re too small or don’t house data valuable enough to catch the eye of cybercriminals.

Unfortunately, there’s plenty of data available to disabuse SMBs of this notion. In a recent Webroot report, for instance, 71 percent of SMBs admitted to experiencing a breach or attack within the previous 24 months that resulted in “operational disruption, reputational damage, significant financial losses or regulatory penalties.”

Thirty-six percent of SMBs reported in the survey that they had no full-time staff dedicated to cybersecurity, even though more than half of small businesses surveyed by the Better Business Bureau in 2017 said they couldn’t remain profitable for more than a month if they lost access to critical business data, as would happen in a ransomware attack.

In the United Kingdom, where Webroot conducted original research in early 2019, cybersecurity concerns ranked behind only Brexit as the biggest source of uncertainty about the future. Yet almost half (48 percent) of SMBs were actually deprioritizing cybersecurity spending. That’s despite a similar percentage (46 percent) believing that a serious enough cyberattack could shutter their business completely.

It’s not difficult to see the doublethink here. Cyber attacks threaten businesses and SMBs are experiencing them in record numbers, but at the same time it’s not necessary or possible to prioritize cybersecurity as a business objective. Luckily for MSPs, herein lies the opportunity.

Standing Up for the Little Guy: The Emerging Role of MSPs

The SMB challenges outlined above can be the greatest opportunity for MSPs today if MSPs respond to them effectively. After all, another Webroot finding is that a whopping 87 percent of SMBs expected to increase spending on managed IT services in the coming year, and managed security services revenue is expected to eclipse $24 billion annually by 2022.

For MSPs with the security know-how to combat rising threats to SMBs, it’s time to grab a bigger slice of that pie. But to maintain effectiveness and reputation, it has to be done the right way. Cookie-cutter security offerings aren’t enough. A doctor’s office is not a supermarket and the two don’t have the same IT security needs.

“Managed” is the key word in MSP here. A necessary first step—and this may be a hard pill for some MSPs to swallow—is to secure their own businesses first. Any respectable managed security service provider must implement the same level of security they recommend for their clients, or disastrous instances of island hopping are likely to occur.

And through it all, the role cybersecurity education should play in securing SMBs cannot be overstated. We’ve seen how nonchalant managerial attitudes toward cybersecurity play a harmful role in an SMB’s overall security posture. But overconfidence rears its ugly head at the employee level, too. Another study conducted by Webroot of 4,000 office professionals found that, though a strong majority (79 percent) were confident they could identify a phishing email in their inbox, 49 percent had also actually clicked on one while at work.

To be successful, MSPs must deliver security services easy enough for their SMB clients to use, but still capable of protecting them against today’s threats. That means more than just malware—it also means ransomware, DDoS attacks, social engineering, and more.

And to ensure their own business viability, the security services they offer must be integrated, scalable, and easy to manage across an increasing number of sites and customers. This can only be accomplished with security tools that are built with MSP needs in mind.

George Anderson is the director of product marketing at Webroot. George has spent the past 20 years in the IT security industry, in roles for Computacenter (Europe’s leading systems integrator), as global product marketing lead for Clearswift (a data loss prevention, email and web security vendor), and for the past 9 years with Webroot, where he is currently responsible for product marketing for its business security division: Endpoint and DNS Protection and Webroot Security Awareness Training.
