The beleaguered cybersecurity teams of small and medium enterprises (SMEs) are being forced to become very creative in keeping up with the modern threat landscape. Lacking resources and struggling to find and retain enough qualified personnel, SME security teams are being forced to find a variety of outsourced solutions to fill in coverage gaps in the face of an onslaught of attacks.
A new report from Cynet, “2021 CISO Survey of Small Cyber Security Teams,” found that 100% of respondents have outsourced at least some amount of their cybersecurity and threat mitigation details. The survey included 200 Chief Information Security Officers from small to medium sized businesses with five or fewer regular security staff members and annual cybersecurity budgets of no more than $2 million. These cybersecurity teams appear to be facing a barrage of threats that is comparable to what enterprise-level organizations regularly field, but with far fewer resources and staff to handle the burden. 53% are making use of a managed detection and response (MDR) service to help carry the load, while the remaining 47% are going with a managed security services provider (MSSP). There is also strong interest in Endpoint Detection & Response (EDR) systems and SMEs are attempting to maximize what budgets they have with automated solutions, consolidated tools/platforms and investing in training of their in-house personnel.
Small cybersecurity teams rely on outside help, automated tools
Enterprise-scale companies are the world’s biggest targets in terms of potential criminal gain, but they also have the resources to defend themselves well. Cyber criminals are often more interested in the easiest target that still provides substantial value, and very often that is the SME with relatively small cybersecurity teams and budget.
63% of the CISOs surveyed feel that they are now at greater risk than enterprises. In spite of this, 57% feel that their ability to protect the company is lower than it should be and that current staff does not have enough skill and experience to fully fend off attacks.
80% are investing in automated systems to make up for this shortfall. 61% are both consolidating security tools and platforms, and investing in more training for the cybersecurity teams that they currently have. And 52% have implemented an EDR, though 79% of these said that it took staff at least four months to become proficient enough to use it effectively.
Though cybersecurity teams are seeing outside contractors pick up some of the slack, they are also cutting some corners to make things work. 16% of teams do not follow up on alerts that have been automatically mitigated, and 14% only follow up on those flagged as “critical.” 61% no longer have a full-time team member tasked with chasing alerts. 48% of CISOs felt that if they had a bigger team they would have avoided some of the security incidents they experienced last year.
62% believe that consolidation is the immediate answer to their challenges. In this area, CISOs seem to be showing a preference for MDRs that can handle all of these functions that are falling by the wayside: 24/7 monitoring of and follow-up on alerts, remediation capabilities and incident response recommendations.
Among breach and personal data protection technologies, the most commonly used are EDR/EPP (52%) and NTA/NDR (45%). Cloud access security brokers (CASB), next-generation antivirus (NGAV) and extended direction & response (XDR) are also in use at 15% to 30% of these organizations. SMEs show a strong interest in Deception and User & Entity Behavior Analytics (UEBA), with many either planning to purchase them or expressing a desire for them, but the high cost of these systems remains an obstacle for some.
Budget, staffing issues at the core of security woes for SMEs
Just about every major challenge that the cybersecurity teams of SMEs face can be traced back to two common factors: budget, and recruiting. With less money available, SMEs struggle to keep up with the ever-expanding threat landscape and to compete with enterprise organizations in attracting and retaining qualified professionals.
70% of the SMEs surveyed had an annual budget of no more than $1 million for their security programs; 13% of these had a budget of between $250,000 and $500,000 to work with. Only 3% had a budget that exceeded $2 million. Though SMEs still struggle to come up with money for cybersecurity functions, there are signs that senior leadership is coming around to the importance of security posture: 85% of all respondents said that the company was planning to up the budget by at least 5%, and 23% said that increase would be over 10%.
When asked about the top challenges facing their organization, 47% of CISOs said that staff lacked skills to protect against all types of attacks and 43% said that threats were outpacing the network security staff and tools on hand. CISOs are also aware of the risks, however; 63% feel they are now more likely to be attacked than a larger enterprise organization, and 30% say the risk is about the same. Though they are aware that they are now just as likely to be targets of sophisticated attackers as larger companies, more than half of CISOs feel that they are either already overmatched by cyber attacks or will be in the near future.
Cybersecurity teams are hoping that third party services and cloud security tools will close the gap and keep data breaches at bay, but they are experiencing pain points in this market as well. 51% said that the biggest problem was the implementation of overlapping technologies from different sources. 37% said that they are dealing with too many dashboards, 36% have issues with computing lag on deployed devices, and 35% have too many alerts to keep up with.