Feature Week
A new report from STL Partners suggests that small and medium-sized businesses (SMBs) consider cybersecurity a priority, but lack the expertise to manage it themselves
SMBs’ cybersecurity spend on the rise
With the rise of AI over the past two years, the cybersecurity landscape for SMBs is rapidly growing more complex, with bad actors able to conduct more frequent and more personalised attacks on smaller enterprises.
The scale of the threat this presents to SMBs should not be underestimated. According to a recent report by STL Partners that surveyed 826 IT decision-makers across seven markets (Australia, Canada, France, Germany, Spain, the UK, and the US), 58% of SMBs report being the victim of a cyberattack.
“This may not even be the true total,” explained Marina Koytcheva, Research Director at STL Partners. “There will be some companies who are not even aware they have become victims.”
Against this background, it is hardly surprising that the study found 91% of the surveyed SMBs say cybersecurity is a top priority for their management. But, more importantly, these companies are also putting their money where their mouth is, with the respondents’ average spend on cybersecurity equating to 39% of their annual IT budgets.
“That the average spend on cybersecurity accounts for almost 40% of a company’s IT spend has really surprised us as researchers,” said Koytcheva. “It’s a testament to how important SMBs see cybersecurity.”
Furthermore, in line with the expanding threat landscape, the majority (64%) of SMBs said that they expect their cybersecurity spend to increase in the coming year.
A lack of resources and expertise
Part of the challenge here for SMBs is that while cybersecurity attacks are becoming more common and more sophisticated, SMBs’ own cybersecurity capabilities remain relatively stagnant. The report notes, for example, that 48% of SMBs manage cybersecurity in-house via a non-expert.
“Most SMBs simply don’t have the budget to employ a full-time cybersecurity specialist,” explained Koytcheva. “They’re heavily reliant on cybersecurity service providers to meet their needs.”
Indeed, this lack of internal expertise is particularly telling with regard to SMBs’ most prominent cybersecurity risk: human error.
“The biggest challenge [SMBs] face in managing cybersecurity is ensuring that their employees behave responsibly,” explained Koytcheva, noting the large number of devices taken to and from a typical workplace each day. “Cybersecurity technology may capture the majority of the threats before they reach employees, but it’s very difficult to stop everything. That’s why cybersecurity training for staff is so important – humans make mistakes.”
But without in-house expertise, the question of how to provide this training is a difficult one. Training resources are relatively plentiful on the internet, but assessing and implementing them is problematic for small businesses.
“There may be free resources – sometimes even provided by the government – but even finding those and implementing those requires a lot of time. And small companies tend to be time poor,” said Koytcheva. “Solution providers that can provide not just technical support but staff training could have a really big competitive advantage.”
The nature of these businesses also means that they have little scope for cybersecurity testing at scale.
“For example, major organisations can conduct phishing and other tests among all of their employees quite easily,” said Koytcheva. “This can help identify weak spots in cybersecurity understanding. But smaller businesses can’t do that – they need the solution provider to handle that.”
An opportunity for telcos?
Given these inherent cybersecurity limitations, SMBs are left heavily reliant on cybersecurity providers for protection, both in terms of technology and skills development. For Koytcheva, this represents an underexploited opportunity for the telco sector, which already has the technical expertise and the customer trust needed to succeed.
“Telcos are well positioned to offer cybersecurity services to SMBs because they already have solid relationships with them,” said Koytcheva. “They enjoy quite a high level of customer openness to considering their propositions, so the first steps are there for telco cybersecurity offerings.”
“I think that the market share taken by managed service providers is something that telcos can target, because their proposition is similar. Many SMBs buy cybersecurity from managed service providers as an add-on, so why wouldn’t they buy it as an add-on from a telco?” she added.
Telcos’ close understanding of their SMB customers could be invaluable, allowing them to offer services more personalised than those of established players in the IT space, which often view SMBs as a homogenous monolith.
“SMBs really shouldn’t be thought about as one group,” explained Koytcheva. “In fact, those who have, say, 10 or 20 employees are very different from companies that have 250 right at the other end of the scale. Their cybersecurity needs mirror those differences.”
Telcos could also assume the role of cybersecurity aggregators for SMB customers, bringing together multiple plug-and-play offerings from different vendors. This would allow them to better serve their SMB customers’ unique needs, as well as to scale their offerings alongside SMB growth.
“As businesses grow their needs for protection grow, but so does their ability to pay. Flexible propositions that can grow in tandem with SMBs will be invaluable. This could be a big revenue opportunity for telcos,” said Koytcheva.