
    How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats

Date: 2018-06-11


• 53% of midmarket companies have experienced a breach

• Up to 5,000: average number of security alerts

• Midmarket companies investigate 55.6% of security alerts

• 29% of midmarket companies say breaches cost them less than $100K; 20% say $1,000,000 to $2,499,999


Many small and midmarket businesses aspire to the same effective cybersecurity practices as their larger counterparts. SMBs are dynamic: the backbone of innovation and the poster child of hard work. They run even faster and work even harder than their enterprise peers. And they are exposed to the same cyber threats.


In today’s threat landscape, every organization, large or small, is at risk of attack. But increasingly, small/midmarket businesses are the focus of attacks[1] and often serve as a launch pad or conduit for bigger campaigns. Adversaries view small/midmarket businesses as soft targets with less sophisticated security infrastructure and practices and too few trained personnel to manage and respond to threats.


Many small/midmarket businesses are only beginning to realize how attractive they are to cybercriminals. Often, that realization comes too late: after an attack. Recovering from a cyber attack can be difficult and costly, if not impossible, for these businesses, depending on the nature and scope of the campaign. This report gives an understanding of the risks smaller organizations face, shows how smaller organizations stack up against their peers with respect to security, and shares some guidance to bear in mind in 2018 and beyond.


    Consider this finding from the Cisco 2018 Security Capabilities Benchmark Study: More than half (54 percent) of all cyber attacks result in financial damages of more than US$500,000 including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs. That amount is enough to put an unprepared small/midmarket business out of operation—permanently.


A recent study by the Better Business Bureau (BBB)[2] helps to underscore how small/midmarket businesses can struggle financially to survive following a severe cyber attack. The BBB asked small business owners in North America, “How long could your business remain profitable if you permanently lost access to essential data?” Only about one-third (35 percent) said that they could remain profitable for more than three months. More than half reported that they would be unprofitable in under one month.


For this report, we define SMBs as companies with fewer than 250 employees and midmarket as companies with 250-499 employees; both segments are included. We analyze findings from SMB respondents in our 2018 Security Capabilities Benchmark Study, which we’ll refer to simply as the Benchmark Study. It offers insights on security practices currently in use and compares the full results to the past three years. Our SMB/midmarket data includes 1816 respondents across 26 countries.


    What’s a day of lost business between colleagues?

Said no IT admin ever. System downtime, which undermines productivity and profitability, is a significant issue for businesses following a cyber attack. Research from the Benchmark Study found that 40 percent of respondents (250–499 employees) experienced eight hours or more of system downtime due to a severe security breach in the past year (Figure 1). Cisco saw similar results for larger organizations in the study sample (those with 500 or more employees). The difference, though, is that larger organizations tend to be more resilient than small/midmarket businesses following an attack because they have more resources for response and recovery.

    Also, 39 percent of respondents reported that at least half of their systems had been affected by a severe breach (Figure 2). Smaller businesses are less likely to have multiple locations or business segments, and their core systems are typically more interconnected. When these organizations experience an attack, the threat can quickly and easily spread from the network to other systems.


    Sleepless security nights

    When asked about the biggest security challenges they face, respondents are most concerned with three things:

    -- Targeted attacks against employees (think well-crafted phishing)

-- Advanced persistent threats (advanced malware the world hasn’t seen before)

    -- Ransomware

Ransomware (interestingly, not cited as a top-three concern of large enterprises) is, as you surely know by now, malware that encrypts data, usually until affected users pay a ransom demand. It can create severe disruption and system downtime for small/midmarket businesses. Ransomware is also costly in a different way for these organizations: Cisco security experts explain that small/midmarket businesses are more inclined to pay ransoms to adversaries so that they can quickly resume normal operations. They simply can’t afford the downtime and lack of access to critical data, including customer data. (See Figure 3.)

    Other Threats SMBs Can’t Ignore

Despite worries about ransomware, Cisco security experts suggest it is a diminishing threat as more adversaries shift their focus to illicit cryptocurrency mining (“cryptomining”). The appeal of this activity is threefold: it can be highly lucrative, payouts are hard to trace, and adversaries can worry less about the potential for criminal liability for their actions. (For example, there is no risk of patients being deprived of critical care because a hospital’s systems and essential data are locked up by ransomware.) Adversaries can also deliver mining software (“miners”) through various methods, including email-based spam campaigns and exploit kits.



Cisco threat researchers explain that malicious actors using the new business model of illicit cryptomining “are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Now, [they] are actively leveraging the resources of infected systems.”[41] For small/midmarket businesses unwittingly aiding illicit cryptomining operations, slower system performance might be the only red flag signaling they’ve been compromised, unless they have the right technology in place to detect when cryptomining activity is present: typically sustained CPU load from an unfamiliar process, or outbound connections to mining-pool infrastructure.


    The 0.5% insider threat: 100% too high?

As respondent companies move more data and processes to the cloud, they must also take steps to manage another potential threat: rogue insiders. Without tools to detect suspicious activity (such as the downloading of sensitive customer information), they risk losing intellectual property and sensitive financial and client data through corporate cloud systems.


A recent investigation by Cisco threat researchers highlights the risk: from January to June 2017, they examined data exfiltration trends using machine learning to profile 150,000 cloud users in 34 countries. Over 1.5 months, researchers found that 0.5 percent of users made suspicious downloads. Does half a percent seem bad? Put another way, this means two employees at a 400-person firm would be insider threats. That is 100 percent too high. Specifically, those users downloaded, in total, more than 3.9 million documents from corporate cloud systems. That’s an average of 5200 documents per user during a 1.5-month period.
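The kind of download-rate check the passage alludes to, as an added example that is not part of the original report or of Cisco's research: it parses a constructed cloud audit log, counts downloads per user over the whole period (as the study did over 1.5 months), and flags users whose count sits far outside the population's robust baseline (median and median absolute deviation). The log format, user names, object paths and thresholds are assumptions for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample cloud audit log (not real data): timestamp,user,action,object.
# Four users behave normally; "mallory" pulls a burst of customer records.
_NORMAL = """\
2017-03-06T09:02:11Z,alice,view,sales/q1-forecast.xlsx
2017-03-06T09:05:40Z,alice,download,sales/q1-forecast.xlsx
2017-03-06T09:31:02Z,bob,download,hr/handbook.pdf
2017-03-06T10:12:55Z,carol,download,eng/design-notes.docx
2017-03-06T10:14:20Z,carol,download,eng/roadmap.pptx
2017-03-06T11:40:09Z,dave,download,finance/invoice-1042.pdf
2017-03-06T13:22:47Z,alice,download,sales/pipeline.csv
2017-03-06T14:01:30Z,bob,view,hr/org-chart.pdf
2017-03-06T14:05:12Z,carol,download,eng/api-spec.md
2017-03-06T15:18:44Z,dave,download,finance/budget.xlsx
2017-03-06T16:00:01Z,dave,download,finance/forecast.xlsx
2017-03-06T16:45:27Z,alice,download,sales/contacts.csv
2017-03-06T17:10:03Z,bob,download,hr/benefits.pdf
2017-03-06T17:15:55Z,carol,download,eng/postmortem.md
"""
# Sixty downloads of customer records in one evening (constructed, generated here).
_BURST = "".join(
    f"2017-03-06T22:{i // 60:02d}:{i % 60:02d}Z,mallory,download,customers/record-{i:04d}.pdf\n"
    for i in range(60)
)
SAMPLE_LOG = _NORMAL + _BURST


def parse_download_counts(log_text):
    """Count 'download' events per user; 'view' and malformed rows are ignored."""
    counts = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 4:
            continue
        _ts, user, action, _obj = row
        if action == "download":
            counts[user] += 1
    return dict(counts)


def flag_suspicious_downloaders(counts, k=3.0, min_downloads=20):
    """Return {user: count} for users whose count is a robust outlier.

    Baseline is the population median; spread is the scaled MAD (1.4826 * MAD
    approximates one standard deviation for normal data). A single user's burst
    cannot inflate a median the way it inflates a mean and standard deviation.
    """
    if not counts:
        return {}
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    spread = 1.4826 * mad if mad > 0 else 1.0  # all-equal population: no spread
    flagged = {}
    for user, n in counts.items():
        score = (n - median) / spread
        # min_downloads keeps tiny populations from flagging "3 vs 2" style noise
        if score > k and n >= min_downloads:
            flagged[user] = n
    return flagged


if __name__ == "__main__":
    counts = parse_download_counts(SAMPLE_LOG)
    for user, n in sorted(flag_suspicious_downloaders(counts).items()):
        print(f"suspicious: {user} downloaded {n} objects (population median "
              f"{statistics.median(counts.values())})")
```

In practice the baseline would be computed per role or department and over a sliding window, and the alert should carry the object paths involved (here, everything under customers/) so the responder sees what was taken, not just how much.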


    Challenges

The best defense against the threats described earlier requires coordination and orchestration of IT resources: the people, processes, and technology that businesses can amass to deter attacks.

However, even more so than their larger counterparts, smaller businesses are challenged to coordinate these resources in ways that yield insights into threats and stop or mitigate attacks before they cause damage. The perennial lack of security talent that affects enterprises impacts smaller counterparts even more.


    SMB security tech trends

Looking ahead, smaller organizations do seek to address their cybersecurity challenges with new tools to stop threats.

    Benchmark Study respondents said that if staffing resources were available, they would be more likely to:

-- Upgrade their endpoint security to more sophisticated advanced malware protection/EDR (the most common response, at 19 percent)

-- Consider better web application security against web attacks (18 percent)

-- Deploy intrusion prevention, still seen as a vital technology to stop network attacks and exploit attempts (17 percent). (See Figure 5.)


    As organizations consider new technologies, a challenge is determining how well their products interoperate to keep businesses protected. The management burdens of combing through many consoles to respond to threats or security incidents should not be underestimated.


    “Many people think that if they go with a multivendor, best-of-breed approach, it will protect them better,” says Ben M. Johnson, CEO of Cisco partner Liberty Technology in Griffin, Georgia. “But what we see is that it’s harder to manage, costs more, and decreases security effectiveness overall.”


    Machine Learning: Security Help or Hype? 

We’ve all heard about machine learning, given its recent hype. It turns out midmarket businesses rely on behavioral analytics solutions that can effectively detect attacks about as much as their larger peers do. Solutions using machine learning and automation are relied on slightly less heavily by midmarket businesses than by organizations with more than 1000 employees (Figure 4).

Machine learning is most effective as an additional detection layer in an already deployed product, as opposed to buying a separate product in order to “do machine learning.” This way teams gain the benefit of machine learning to detect anomalies and threats at machine speed without adding to the team’s burden.


    Mobile Midmarket

Businesses also recognize that their security approaches must meet the demands of the modern work environment, in particular the shift to mobility and the embrace of mobile devices. Fifty-six percent of respondents said that defending mobile devices from cyber attacks is very challenging or extremely challenging.


    Midmarket and the Cloud

In recognition of their security challenges, many respondents are looking to the cloud to bolster defenses without adding people or straining existing resources. The question is whether moving security to the cloud is enough of a strategy to ward off attacks. Also, businesses can’t simply offload security responsibility by moving data to the cloud: they must still understand the security controls imposed by cloud providers, which controls remain their own responsibility, and how a breach in the cloud might affect on-premises resources.


The adoption of cloud services among midmarket businesses is clearly on the rise, based on Cisco’s research. In 2014, 55 percent of these businesses said they hosted some of their networks in a form of the cloud; in 2017, that number increased to 70 percent (Figure 5).

Many respondents believe that the cloud can help close some gaps in their defenses as well as resolve some shortcomings in their infrastructure and in the abilities of their staff. In fact, according to Cisco’s research, midmarket businesses’ top reason for hosting networks in the cloud is the belief that it offers better data security (68 percent); the second most popular reason is that the business lacks enough internal IT workers (49 percent). (See Figure 6.)


Midmarket businesses also favor the cloud for its scalability, that is, reducing the business’ reliance on its internal resources, and for the flexible shift from capital expenditures to operational expenditures (Figure 6).


    People: Finding staff to strengthen security

The good news is that the Benchmark Study shows that 92 percent of midmarket businesses have an executive responsible and accountable for security. (See Figure 7.)

Given ample staff resources, midmarket businesses would be willing to add more security tools such as advanced endpoint protection or web application firewalls.


Midmarket businesses have something in common with their larger counterparts: a shortage of IT staff hinders their ability to shore up defenses. There simply aren’t enough people in-house to manage tools that could improve security, according to Cisco’s research.


For that reason, many small/midmarket businesses look to outsourced assistance to gather the talent they need to increase their knowledge of threats, save money, and respond to breaches more quickly. The desire for unbiased insight was the most common reason given by midmarket businesses for outsourcing their security tasks (Figure 8), followed by cost effectiveness and the need to respond to security incidents promptly.

Outsourcing help is a good way for businesses to make the most of limited resources. But these companies can run into trouble if they assume that an outsourced provider or a cloud partner will provide all of the capabilities that they lack in-house. The scope of service (which log sources are monitored, whether alerts are investigated, who responds to an incident and how quickly) should be spelled out in the contract rather than assumed.


Chad Paalman, CEO of NuWave Technology Partners in Kalamazoo, Michigan, a Cisco partner, finds that many small/midmarket businesses are unaware of exactly how much (or how little) analysis and monitoring their outsourced security providers offer.


“Many business leaders are not educated about their networks. They assume that if they have a firewall, then they have a padlock on the door and no one can get in. They also assume that if their security has been outsourced to a managed service provider (MSP), log monitoring is happening, or the service includes intrusion detection.”


The bottom line, however, is that small/midmarket businesses count on their outsourced partners to deliver:

-- Outsourced advice and consulting services (57 percent)

-- Incident response (54 percent)

-- Security monitoring (51 percent)

However, they are less likely to outsource tasks such as threat intelligence (39 percent). (See Figure 9.)

The good news is that midmarket businesses appear to be setting aside some of their limited resources for understanding and responding to threats, for things like bolstering threat intelligence and incident response.


Processes: Regular check-ins for managing security

Comprehensive, regular security processes, such as controls for high-value assets and reviews of security practices, help organizations identify weaknesses in their security defenses. Such processes are not as prevalent in small/midmarket businesses as they should be, perhaps owing to the lack of staffing.


For example, according to the Cisco 2018 Security Capabilities Benchmark Study, midmarket businesses are less likely than larger organizations to agree that they review security practices regularly, that they have tools in place to review security capabilities, and that they routinely investigate security incidents (Figure 10).

On a positive note, 91 percent of midmarket businesses said they conduct drills to test their incident response plans at least once a year. However, as with their reliance on the cloud and outsourced partners, the question is whether such incident response plans are adequate to push back on increasingly sophisticated attackers.


Connecting people, processes, and technology: The orchestration challenge

If small/midmarket businesses add more security products and vendors to their defenses, and shift IT resources to managing these products, will their organizations manage security better? The opposite may be true, at least in terms of understanding and orchestrating security alerts.


Most small/midmarket businesses today recognize that as they create a more complex product and vendor environment, their responsibilities increase. For instance, 77 percent of midmarket businesses found it somewhat challenging or very challenging to orchestrate alerts from these many solutions (Figure 11).

When businesses try to analyze these alerts, the combined challenges of people, processes, and technology can cause many alerts to be left uninvestigated, as the Benchmark Study found (Figure 12).

    Recommendations for the future  

    Technology  

As organizations consider new tools, ideally they can avoid adding to the number of vendors they manage and alerts they must respond to.


With that in mind, are products built with openness in mind? How will they integrate with others in terms of sharing data and threat intelligence? Is there management console integration?


If a vendor says its products are built to fit and work with others, does this happen out of the box, or will the buyer have to do considerable API work?


Machine learning, while surrounded with hype, has its place in security. However, look for machine learning as a detection layer inside already deployed products rather than as a stand-alone product from another vendor that adds another product to manage.
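Illustrating the orchestration problem from the previous section and the integration questions raised above, as an added example that is not from the original report or any vendor's product: it normalizes alerts from two hypothetical tools (an EDR product that reports word severities and an IPS that reports a 1-10 priority) onto one scale, collapses them into one case per host so that three alerts on the same workstation become one item, and splits the result into what is investigated now and what is deferred. The field names, severity mappings and sample alerts are constructed assumptions, and the "API work" the text mentions is exactly the two normalize branches.

```python
from dataclasses import dataclass, field

# Constructed sample alerts in two hypothetical vendor formats (not any real product's schema).
EDR_RAW = [
    {"hostname": "ws-017", "severity": "high", "detection": "Trojan.Generic", "sha256": "a1b2"},
    {"hostname": "ws-017", "severity": "medium", "detection": "Suspicious PowerShell", "sha256": ""},
    {"hostname": "ws-022", "severity": "low", "detection": "PUA.Toolbar", "sha256": "c3d4"},
]
IPS_RAW = [
    {"asset": "WS-017", "priority": 9, "sig": "Known C2 beacon"},   # note the case difference
    {"asset": "srv-db-01", "priority": 6, "sig": "SQL injection attempt"},
    {"asset": "ws-030", "priority": 2, "sig": "ICMP sweep"},
]

# Common scale used for every source: 1 low, 2 medium, 3 high, 4 critical.
EDR_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    source: str
    host: str
    severity: int
    rule: str


@dataclass
class Case:
    """One work item per host, carrying the worst severity seen and every contributing rule."""
    host: str
    severity: int = 0
    count: int = 0
    sources: set = field(default_factory=set)
    rules: list = field(default_factory=list)


def ips_priority_to_severity(priority):
    """Map the hypothetical IPS 1-10 priority onto the common 1-4 scale."""
    if priority >= 8:
        return 4
    if priority >= 6:
        return 3
    if priority >= 3:
        return 2
    return 1


def normalize_all(edr_raw, ips_raw):
    """Translate each vendor's schema into Alert; hostnames are lower-cased so both sides match."""
    alerts = []
    for a in edr_raw:
        sev = EDR_SEVERITY.get(a["severity"].lower(), 1)  # unknown label: treat as low, not drop
        alerts.append(Alert("edr", a["hostname"].lower(), sev, a["detection"]))
    for a in ips_raw:
        alerts.append(Alert("ips", a["asset"].lower(), ips_priority_to_severity(int(a["priority"])), a["sig"]))
    return alerts


def build_cases(alerts):
    """Collapse alerts into one Case per host, ordered by severity, then volume, then name."""
    cases = {}
    for a in alerts:
        c = cases.setdefault(a.host, Case(host=a.host))
        c.severity = max(c.severity, a.severity)
        c.count += 1
        c.sources.add(a.source)
        c.rules.append(f"{a.source}:{a.rule}")
    return sorted(cases.values(), key=lambda c: (-c.severity, -c.count, c.host))


def triage(edr_raw, ips_raw, min_severity=3):
    """Return (investigate_now, deferred) case lists for the given raw vendor alerts."""
    cases = build_cases(normalize_all(edr_raw, ips_raw))
    investigate = [c for c in cases if c.severity >= min_severity]
    deferred = [c for c in cases if c.severity < min_severity]
    return investigate, deferred


if __name__ == "__main__":
    now, later = triage(EDR_RAW, IPS_RAW)
    for c in now:
        print(f"INVESTIGATE {c.host}: severity {c.severity}, {c.count} alerts from {sorted(c.sources)}: {c.rules}")
    for c in later:
        print(f"deferred    {c.host}: severity {c.severity}, {c.count} alert(s)")
```

The point of the per-host case is that a cross-product correlation (EDR malware detection plus IPS command-and-control signature on ws-017) rises to the top on its own, while the low-severity noise that would otherwise sit uninvestigated is explicitly parked rather than silently lost.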


People and Process

To put it plainly, develop a strategy to improve cybersecurity. Only 38 percent of small/midmarket businesses have an active cyber-risk strategy in place, according to the Vistage Research Center, a resource center for business leaders.[1]


Does your planning include appropriate training for end users? Do your insurance policies cover the loss of business stemming from a cyber attack? How about creating business continuity and crisis communication plans to enable faster recovery and help prevent reputational damage?


Also, IT leaders must explain in clear terms what business management really wants to know with respect to breaches:

-- What is the impact to the organization?

-- What measures is the security team taking to contain and investigate the threat?

-- How long will it take to resume normal operations?


“By adopting a set of security platforms and tools that all work together, versus disparate pieces that may actually conflict with each other, you get an amplification of security effectiveness, as well as a simplification of management.”

Ben M. Johnson, CEO of Liberty Technology


“Small/midmarket businesses should assess these risks and develop response plans before a breach—not after.”

Chad Paalman, NuWave Technology Partners



    Conclusion 

A final recommendation for small/midmarket businesses to drive improvements in cybersecurity is to recognize that incremental change is better than no change. In short, they should not let a desire to be “perfect” in their security approach get in the way of becoming “better.” Perfect, as in all things, does not exist.

Small/midmarket businesses also must understand that there is no “silver bullet” technology solution to solve all of their cybersecurity challenges. The threat landscape is too complex and dynamic. The attack surface is always expanding and changing. And, in response, security technologies and strategies must continually evolve as well.