Small Companies Overconfident about Their Security Posture, Finds Survey

Today, there are many factors that prevent businesses from effectively assessing and mitigating digital security risk. One contributor to The State of Security kicked off 2017 by discussing four of these causes. I won't spoil the article for you. I will say, however, that data access and asset control feature heavily in the post. That's only to be expected given how IT environments are evolving to meet the demands of a globalized world. How companies deal with these factors varies. Large enterprises with sufficient IT budgets can train personnel and charge them with mitigating digital security risk. By contrast, mid-market enterprises don't usually have this level of resources. Most of those businesses, therefore, invest in traditional perimeter defenses instead. These solutions might make small organizations think they're safe but in reality, they overlook a host of digital threats. Brian NeSmith, CEO of Arctic Wolf Networks, is all too familiar with this plight of small- and mid-sized businesses (SMBs). As quoted by Help Net Security:

"Most mid-market enterprises believe they are safe because they have the traditional perimeter defenses in place. This falls far short of what’s needed for rigorous security in today’s complex threat environment. The challenge smaller enterprises face is that they have all the same security issues as large enterprises with only a fraction of the budget and less specialized personnel."

To better understand how prepared SMBs are for today's digital threats, Arctic Wolf Networks conducted a survey in partnership with Vanson Bourne. The study, which is entitled "The State of Mid-Market Cybersecurity: Findings and Implications," spoke with 200 digital security IT decision-makers from mid-market enterprises in finance, healthcare, manufacturing and IT services. The data revealed that executives' perception regarding the strength of their organizations' security posture doesn't cohere with reality.

Perceptions vs. Reality of Adequate Protection

Many mid-market IT professionals are overconfident about their organizations' security postures. Almost all the survey's respondents (95 percent) said their company's posture is at least above average. At the same time, approximately an equal number of individuals (89 percent) said their IT perimeter security products could protect their organization against any threat imaginable. Most survey respondents also feel their organizations have adequate resources to mitigate digital security risk. For instance, 90 percent of IT decision makers reported their organization has at least one person whose sole focus is digital security. Perhaps it's this investment that has 97 percent participants convinced their company spends an adequate amount on digital security. That's their perception, anyway. SMBs are a lot more vulnerable than they think they are. One reason for this is because IT staff at mid-market enterprises usually are engaged in other matters besides digital security. Their understanding of this subject tends to be broad rather deep, which is a significant disadvantage when it comes to defending against today's complex threats. Consider the following statistics:

• 72 percent of participants said their role is so expansive that they can't focus on IT security as much as they'd like. Half of respondents said they don't know where to start because security is so complex. Approximately the same number of individuals said they'd like their organization to assign additional budget and resources to security.
• Most organizations might have employees whose focus is digital security, but that doesn't mean those personnel tackle security risks in a timely manner. Half of respondents said their IT and security staff investigate security alerts only when they have time. Along those same lines, it took more than an hour for IT personnel to investigate 77 percent of security alerts. This delay increases the likelihood of a breach expanding across enterprise networks, a process which could result in critical data loss.

The study also found that while most respondents support the idea of creating a Security Operations Center (SOC), few feel their budget allows for this option. Eighty-eight percent of participants believe a SOC would streamline their company's security. But given the 1.4 million USD needed to just create a SOC, more than half of IT decision-makers (59 percent) don't feel they can justify the expense.

Conclusion

Arctic Wolf's survey demonstrates the fact that mid-market enterprises should reconsider their approach to security. David Monahan, senior analyst at Enterprise Management Associates, couldn't agree more. As quoted by Yahoo! Finance:

"Many mid-market organizations seem to have a sense of security bravado that leaves them particularly vulnerable to compromise. Malicious activity has been on a steady increase over the last few years and has been especially targeting small and mid-market business because they have valuable data but are generally unprepared for the assault. Seventy percent of ransomware attacks happen to organizations under five thousand employees and sixty percent of the attacked organizations go out of business within six months. Given these types of statistics, it is imperative that mid-size organizations seriously consider services that are specifically designed to provide the mid-market businesses with enterprise-grade security that fits a mid-market budget."

Specifically, SMBs should consider investing in an advanced threat detection solution from a managed security service provider (MSSP). This solution should be tailored to mid-market companies. Organizations should also place a greater emphasis on prevention and response. This effort should involve analyzing logs and investigating security alerts soon if not immediately after they pop up.