Small Firms, Big Security Issues: Partners Ramp Up Security Expertise As SMBs Look To Spend More
They may be smaller than their enterprise peers, but the security problems at small and mid-sized businesses can be just as large and significant, solution providers say.
While recent mega breaches at larger organizations, such as the Office of Personnel Management, Experian, Hilton and Excellus Blue Cross Blue Shield might garner lots of media attention, partners say their SMB clients face the same threats – but are relying on shoestring budgets to defend against them.
For example, Matt Johnson, CEO of Millersville Md.-based security solution provider Phalanx Secure, said he recently got a call from a four-employee health care client that had been hit with a data breach. While the client had only about 40,000 records, compared to the 10.5 million exposed in a September breach at Excellus, Johnson said the company is held to the same regulations and expectations as its enterprise peers.
[Related: 10 Security Solutions For SMBs That Partners Should Check Out]
"They have real-world concerns because everything is the same for them [as with an enterprise]. They have the same types of information, just fewer records," Johnson said.
Johnson's client is not alone. According to a 2015 survey of 1,000 small-business owners by Bank of America, more than 1 in 10 reported having been the victim of a breach.
Johnson said he’s now getting more calls than ever from companies with 50 to 200 employees that might have ignored security concerns in the past but are now looking to invest in security.
"They are just as concerned," Johnson said.
However, the challenge for many small and mid-sized businesses is that they might not be able to shell out the same hundreds of thousands -- or even millions -- of dollars that an enterprise might on its security portfolio.
According to Webroot's 2015 SMB Threat Report, 59 percent of SMBs said they believed they were at a "disadvantage to better-funded enterprises with more resources." Only 15 percent said they strongly believed they were as prepared as an enterprise might be against a cyberattack.
As a result, 63 percent of the IT decision makers surveyed said they did not feel completely confident in their ability to protect their businesses from security threats.
For partners, that means a huge revenue opportunity. Of the more than 150,000 partners in the market, more than 96,000 serve the small business market, according to data from The Channel Company, the parent company of CRN. Less than half -- around 41,000 -- of those partners said they already have security practices.
"The nature of cyber threats has changed dramatically throughout the past five years. From our many discussions and exchanges with organizations, small to medium-sized businesses are not fully equipped to manage IT security," the Webroot study said.
"In today’s world, the automation, commoditization, and low upfront costs of becoming a professional cybercriminal are such that it requires minimal skill to set up a cybercrime business and start trawling the Internet for victims. Understandably, the under-protected, under-funded small-to-medium business makes for an attractive target," the study went on to say.
However, many small businesses don't realize that they’re just as vulnerable as an enterprise, Dmitriy Ayrapetov, director of product management at Dell SonicWALL, said. The study attributed the phenomenon to an "it won't happen to me" attitude, as SMBs often don't realize that their intellectual property, innovation and data are valuable to hackers.
"The small businesses often don’t realize that they are just as susceptible to being hacked as large businesses," Ayrapetov said. "It's not a matter of being targeted, it's a function of being online … Everyone is susceptible to this."
The implications of an attack are huge. According to a study by Kaspersky Lab, the average, direct costs of a data breach for an SMB is $38,000, about a third of which would come in the form of lost business from clients. On top of that, the study said SMBs also spend an average of $8,000 per incident in additional staff hiring, training, and infrastructure upgrades related to the breach.
The Kaspersky Lab study also noted the damage a data breach can inflict on a company’s reputation. The study tried to quantify that impact, pulling together consultancy expenses, lost opportunities and money spent on marketing and public relations activities. It found that an SMB, on average, sees indirect reputation effects of $8,653 from a data breach, on top of the direct costs.
According to Michael Bruemmer, a vice president at credit data provider Experian who leads its Data Breach Resolution Group, those types of high costs can be a life-or-death situation for many small and mid-sized firms. He said 80 percent of small businesses that have a cybersecurity incident end up going out of business within 18 months.
"That supports the fact that there’s a lot more pressure on small and medium businesses than there is on larger organizations," Bruemmer said.
Kevin Pouche, chief operating officer at K Logix, a Brookline, Mass.-based solution provider that has specialized in the security industry for more than 13 years, said he has recently seen an "uptick" in SMB companies looking to invest in managed security services.
"SMB companies, they have the same problems," Pouche said. "Awareness is going across the whole spectrum."
The global market for information security is booming too, with research firm MarketsandMarkets predicting that it will reach $170.2 billion by 2020, up from $106.3 billion in 2015. Managed security services will be a significant portion of that market opportunity, the report said, already having accounted for 40 percent of it in 2015, MarketsandMarkets said.
One partner getting into the space is ArcSource Consulting, based in Berkeley, Calif. Its CEO, Dave Monk, said his business is investing big in building out its security story for SMB clients in 2016.
"The number of small businesses is very, very high and the number with adequate security protections is very, very low," Monk said. He said he starts security conversations with clients around evaluating risk, then helping them address those issues with SMB-focused solutions from such vendors as Sophos, Meraki and Netgear.
The good news for partners in the space is that most SMBs want to invest more in 2016. According to the Webroot study, 81 percent of IT decision makers said they planned to increase their security budgets during the year, with an average jump of 22 percent.
Even better news for partners is that SMB customers see the value of managed service providers in helping them with their security needs, the study said. Eighty-one percent of respondents said they agree that MSPs would "make up for the lack of time and in-house expertise" and "improve their bandwidth for addressing other tasks," as well as help with cost-associated concerns of investing in security.
"With better targeting and funding, the goal of achieving that security posture is becoming increasingly attainable," the study said. "SMBs no longer need to go it alone. Through a carefully considered mix of stronger cybersecurity approaches, increased spending, and management outsourcing, they can deploy and maintain the same business security as larger enterprises, for a fraction of the cost."