A majority of small and medium-sized enterprises (SMEs) are overwhelmed by an ‘endless volley’ of cyber-attacks — a problem exacerbated by an absence of the high budgets enjoyed by larger organisations, which have the ability to throw money at security issues.
According to a new report from Cynet, these SMEs are resorting to outsourcing some aspects of their threat mitigation in order to safeguard IT assets, as a result of the heightened risk of serious breaches.
Cynet’s survey, which quizzed 200 CISOs working at SMEs with five or fewer security employees and budgets of US$1 million, found that 63% feel their risk is higher than enterprises, despite the fact that the more prominent companies have a larger target on their back.
Additionally, 57% of respondents admit their ability to adequately protect their companies is lower than they would like it to be. The same percentage believes their security teams do not have enough skill or experience to defend against the stronger cyber-attacks.
As a result, every single respondent confirmed that they were outsourcing security mitigation, with 53% outsourcing to a managed detection and response (MDR) service, and 47% to an MSSP provider.
“This analysis looks at the reality of how CISOs with small security teams are taking on increasingly larger security challenges,” says Cynet founder and CEO Eyal Gruner.
“The result of this survey was a rare insight into the inner workings and dynamics of SMEs and a spotlight on how they are responding to the ongoing wave of criminal and state-sponsored cyber-attacks.”
For most respondents, automation is the ideal way forward — 80% said they want to invest more in automated security, which would help offset the disadvantage SME security teams are at in terms of staff count and budget.
However, SME security teams also possess an advantage: a greater understanding and appreciation of the value of solutions like endpoint detection & response (EDR).
87% of those using an EDR solution said it was valuable. However, the vast majority of respondents (79%) said it took their teams more than four months to finish their EDR deployment and become proficient in using the solution.
The top tactics used by these smaller operations to improve processes was to invest in automated solutions and processes (80%) followed by investments in security training and certifications (61%), consolidation of security tools and platforms (61%), replacement of complex security technologies (52%) and outsourcing to service providers to fill security tool gaps (51%).