Cyberattacks are a major challenge for organizations of all sizes, but small and medium-sized enterprises (SMEs) face distinct threats when it comes to cybersecurity. Unlike large companies, they often lack the resources and expertise to implement extensive security measures or manage complex solutions, making them targets for malicious actors.
To help us better understand the security needs and trends of SMBs, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct aresearch focused on security for companies with 25 to 299 employees. By sharing the insights below and initial actions that can be taken to address them, SMBs can find additional best practices to stay safe in theKit Be Cybersmart(in English).
- One in three SMEs has been the victim of a cyberattack
With the increase in cyberattacks, SMEs are being affected more and more. Research shows that 31% of SMEs have been victims of cyberattacks, such as ransomware, phishing, or data breaches. Despite this, many SMEs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targets for hackers or assume that compliance equals security. It is crucial to understand that malicious actors pose a threat to companies of all sizes, and complacency in cybersecurity can lead to significant risks.
How can SMEs approach this?
Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices for building a solid cybersecurity foundation:
- Use strong passwords and consider a password manager.
- Enable multi-factor authentication.
- Learn to recognize and reportphishing.
- Make sure you keep your software up to date.
- Cyberattacks cost SMEs over $250,000 on average and up to $7 million
The unexpected costs of a cyberattack can be devastating for an SME and hinder financial recovery. These costs may include expenses incurred for investigation and recovery efforts to resolve the incident and fines associated with data breaches. Cyberattacks not only pose an immediate financial threat but can also have long-term impacts on an SME. The diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future.
It is difficult to anticipate the impact of a cyberattack because the time required to recover can range from one day to more than a month. Although many SMEs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities.
How can SMEs approach this?
SMEs can conduct a cybersecurity risk assessment to understand security gaps and determine the steps to address them. These assessments can help SMEs identify vulnerabilities to attacks, minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more.
Planning effectively and proactively can help minimize the financial, reputational, and operational costs associated with a cyberattack, should it occur. Many organizations provide self-assessment tools, and working with a security specialist or security service provider can bring additional expertise and guidance throughout the process, as needed.
- 81% of SMBs believe AI increases the need for additional security controls
The rapid advancement of AI technologies and the ease of use through simple interfaces pose notable challenges for SMEs when used by employees. Without the proper tools to protect the company's data, the use of AI can lead sensitive or confidential information to fall into the wrong hands. Fortunately, more than half of the companies that currently do not use AI security tools plan to implement them within the next six months for more advanced protection.
How can SMEs approach this?
Data security and governance play a critical role in the successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and protecting data, can help establish a framework to effectively organize data.
- 94% consider cybersecurity critical to their business
Recognizing the critical importance of cybersecurity, 94% of SMEs consider it essential for their operations. Although it has not always been considered a priority, given limited resources and internal expertise, the increase in cyber threats and the growing sophistication of cyberattacks now pose significant risks to SMEs. Managing work data on personal devices, ransomware, and phishing are cited as the main challenges that SMEs are facing.
How can SMEs approach this?
For SMBs looking to get started with the resources available to train and educate employees, security topics inCybersecurity 101, Phishing(in English) and more are provided through the website ofCybersecurity Awarenessand Microsoft.
- Less than 30% of SMEs manage their security internally
Given the limited resources and expertise within SMEs, many turn to security specialists for assistance. Less than 30% of SMEs manage security internally and typically rely on security consultants or service providers to handle their protection needs. These professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMEs are protected against new threats.
How can SMEs approach this?
Hiring a Managed Service Provider (MSP) is commonly used to complement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee daily IT activities. Security support examples may include researching and identifying appropriate security solutions for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on behalf of SMEs. This model allows SMEs more time to focus on their main business objectives, while MSPs keep the company protected.
- 80% intend to increase their spending on cybersecurity, with data protection as the main area of investment
Given the growing importance of security, 80% of SMEs plan to increase cybersecurity spending. The main motivators are protection against financial losses and safeguarding customer and consumer data. It is no surprise that data protection is the main area of investment, with 65% of SMEs saying that increased spending will be allocated there, validating the need for additional security with the emergence of AI. Other main areas of expenditure include firewall services, anti-phishing, ransomware and device protection, access control, and identity management.
How can SMEs approach this?
By prioritizing these investments in the areas above, SMEs can improve their security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activities and prevent sensitive data from leaking outside the company, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure that only the right people have access to the appropriate information.
- 68% of SMBs consider secure data access a challenge for remote workers
The transition to hybrid work models has brought new security challenges for SMEs, and these issues will persist as hybrid work becomes permanent. With 68% of SMEs employing remote or hybrid workers, ensuring secure access for remote employees is becoming increasingly critical. A significant 75% of SMEs are concerned about data loss on personal devices. To protect sensitive information in a hybrid work environment, it is essential to implement security and device management solutions so employees can work securely from anywhere.
How can SMEs approach this?
Implement measures to protect data and devices connected to the internet, including promptly installing software updates, ensuring mobile apps are downloaded from legitimate app stores, and avoiding sharing credentials via email or text message, only sharing them over the phone in real time.
Next steps with Microsoft Security
- Read thefull reportto learn more about how security continues to play an important role for SMEs.
- Get theKit Be Cybersmart(in English) to help educate everyone in your organization with cybersecurity awareness resources.
To learn more about Microsoft Security solutions, visitthe website. Favorite o Security blog(to accompany specialized coverage on security issues.) Additionally, follow on LinkedIn (Microsoft Security) and no X (@MSFTSecurity) for the latest cybersecurity news and updates.v
