Techaisle research shows that the SMB and Midmarket spend on IT security will likely be US$84.2 B in 2023, an increase of 9.6% from 2022. IT security is the 2nd top priority for SMBs and 1st priority for core midmarket and upper midmarket firms. Between 55% and 54% of firms consider preventing cyberattacks a priority. 52% of SMBs and 71% of midmarket firms experienced ransomware attacks last year. Similarly, 56% of SMBs and 88% of midmarket firms had cyberattacks. Yet only 32% of SMB and midmarket employees understand phishing. Only 15% of employees have had security awareness training. At the same time, 41% of SMBs and midmarket firms are sure that 100% of their employees have access privileges beyond what they require. The two most significant challenges are implementing security cost-effectively and meeting business requirements.
Techaisle survey data shows that while cyber insurance is being increasingly considered, the ubiquitous dependence on technology means that cyberattacks will reverberate throughout a company’s daily operations. There is no way to disaster-proof against IT failure with insurance; appropriate investment in IT security processes, technologies, and management strategies is the only way to capitalize on the productivity benefits of IT without creating exposure to organizational paralysis in the event of a malware invasion, a hacker attack or an employee’s negligence or malfeasance.
In today’s market, it is critical for vendors to build a detailed understanding of the small and midmarket segments and to align resources and strategies with requirements as SMBs and Midmarket firms move from initial experimentation with sophisticated solutions toward mass-market adoption. In its latest research report, SMB & Midmarket Security Adoptions Trends, Techaisle analyzes 2,035 survey responses to provide the insight needed to build and execute IT security strategies for the small and midmarket customer segments. Techaisle’s deep understanding of IT and business requirements enables vendors to understand the ‘why’ and ‘when’ of solution adoption, current and planned approaches to solution use, the benefits that drive user investments, and critical issues in aligning with buyers and building and intercepting demand.
Within the entire segment, it is easy to point to a lack of budget as a reason why these firms are not proactive when addressing security issues. However, that may not be the whole problem or the greatest obstacle to adopting security technology. Techaisle data illustrates that small businesses have limited internal IT security staff relative to midmarket firms, are not generally working with a managed service provider capable of handling security needs, and are about one-third less likely than larger peers to work with outsourcers delivering Security-as-a-Service. While micro businesses could theoretically pursue the same strategies that larger competitors use, they need more experience and skills to identify, deploy and manage the products and relationships used to develop shields protecting valuable corporate data, applications, and human assets.
By their own admission, 49% of firms believe they have formal security protocols in place yet seek external guidance to define and help implement policies. SMBs and Midmarket firms seek IT security supplier guidance to 1/ identify the right security technology, 2/ determine overall IT security strategy, 3/ define and implement security policy, 4/ implement IT security projects, and 5/ prioritize IT security investments.
Security is the most amorphous of IT market categories. Virtually all other technologies occupy a defined position within the solution stack: for example, in a collaboration or ERP solution, end-point devices access software via a network; the software is, in turn, housed in a data center or the cloud; the software reads and writes to/from storage devices; the core application is integrated with other applications that add to its capability (for example, by providing videoconferencing capability to a collaboration system, or by adding analytics or reporting to an ERP package); information is backed up to other facilities to provide BC/DR capabilities. In each case, the technologies are assigned to a specific spot within the workflow or stack.
Security, though, needs to permeate all layers of the solution: it is used to protect the devices and their connection to the central application, to identify compromise (or malfeasance) of system users, and to safeguard the application itself; to protect the data both as it is in motion and when it is at rest; to build a shield around the data center and the connections between applications; to provide assurance that backups and BC/DR systems don’t become points of exposure for sensitive information. IT security isn’t a discrete category – it is ubiquitous in all aspects of IT/business infrastructure.
It was not always so difficult to position security within the IT firmament. For many years, businesses took an IT security approach roughly analogous to the defense strategy in medieval Europe: they built a hardened wall around their most valuable assets, allowing entry only through a carefully-controlled portal (firewalls in IT networks, the drawbridge in castles).
The advent of mobility and cloud, like the introduction of cannons in medieval Europe, made traditional defense strategies obsolete. With mobility and cloud, there is no fixed perimeter to harden and defend – the edge shifts with the physical movement of each device-holding end-user, and the core assets are distributed between owned and as-a-Service facilities.
Security is no longer an attribute that is applied as a wrapper around the IT environment – it is a feature that needs to be present within each layer of the stack, comprised of various tactics and technologies that need to be integrated to ensure that they provide comprehensive coverage, that they do not leave holes between the different shields, and that they can respond to new threat sources as they arise.
The need for security as an integral part of each solution component has led IT vendors to embed security features in various offerings. This applies in varying degrees to different types of products and services. Conventional infrastructure products – traditional servers and applications – typically have some embedded security features, but require regular patches and updates. Mobile devices and applications have relatively limited inherent security capabilities and often require specific policies and solutions. In the cloud, applications (ranging from Google Workspace and M365 to Salesforce and other enterprise-grade systems) and infrastructure (notably, IaaS platforms) tout security features as intrinsic attributes of their offerings.
For some businesses, especially micro-businesses with fewer than 20 (or even 10) employees, embedded security capabilities are seen as adequate, or at least more advanced than what the users could assemble and deploy. There may be some truth to the idea that micro businesses lack the skills and tools to improve on embedded security capabilities, but most larger organizations take a more proactive approach to securing their IT environments.
SMB and midmarket firms realize that security is an enabler of success rather than an anchor on progress. It is also a critical component of the business strategy needed to address a substantial and increasing threat landscape.