For too long, misconceptions about cyber risk have prevented serious mitigation efforts by SMBs. The leading fallacy? That they are relatively safe from serious cyber-attacks. On top of that, cyber insurance wasn’t catering to businesses of their size: an endorsement added to a general liability policy was viewed as ample coverage for their needs and budget. Unfortunately, the current risk environment renders that thinking horribly outdated. Larger organizations have had a head start with their overall cyber risk programs — internal security/IT teams, strong controls, and cyber insurance policies built for a modern threat landscape — leaving them better equipped for worst-case scenarios.
Through compiling our Risk Insights Index, we’ve explored how small and medium-sized businesses have reacted to the rising pressures of ransomware attacks, social engineering attempts, and other ongoing threats by building out their cyber investments. What constraints do they face, what do they prioritize, and how do they compare to each other? To answer all of this, we deployed a survey to Corvus’s Cyber and Tech E&O policyholders, with nearly 300 respondents ranging from members of the C-suite to IT Managers. Participants’ company size ranged from fewer than 50 employees to over 250. Find our insights below:
It's Not One Size Fits All
The top concerns among Corvus policyholders surveyed were ransomware and phishing. That’s fitting, as our internal metrics confirm that those attack vectors comprise the majority of cyber claims (though we’ll see more variation once we dig deeper into the data). And while ransomware steals the major headlines, phishing is profitable for threat actors — 80% of organizations reported at least one successful phishing attack in 2021, according to Proofpoint. The risk of these external threats is easy to emphasize — they’re widely discussed in the cybersecurity world, and now outside of it as well — especially as the US government encourages the private sector to boost its own cyber hygiene.
Company Size Plays a Role
While small and medium-sized businesses agreed on the need to combat external threats, company size played a role in deciding what else to prioritize. Smaller companies were more worried about “staying current on the latest threats,” while larger companies focused on vendor breaches. Why the difference? We chalk it up to where each organization is on its own security journey. The medium-sized businesses are most likely further along in their security sophistication — they may have a CISO or an internal team guiding the process and warning them of the threats vendors pose, which we’ve seen in spikes of ransomware claims tied to software vendors — while smaller companies just getting their foot in the door are left playing a game of “whack-a-mole,” trying to keep up with individual threats.
Spotlight on Third-Party Risk
Spikes in claims this year can be attributed to major cybercrime events, like those involving Microsoft Exchange, PrismHR, and Kaseya. All of these attacks caused a significant, if temporary, rise in claims, which highlights the cost of downstream impact. This only solidifies the necessity for SMBs (just like larger organizations) to focus security efforts on their vendor relationships, and on what their plan is in the event of a third-party breach.
Budgeting for Cybersecurity
The current reality: Among the largest businesses within the surveyed group — those with 250 or more employees — just 18% reported having a dedicated cybersecurity budget. While that’s not a terribly impressive percentage, smaller businesses with fewer than 50 employees are even further behind, with only 8% having a dedicated budget.
As companies scale, many (63% of survey respondents with 250+ employees) eventually do allocate a percentage of technology spend and headcount to security in an attempt to strengthen their posture. We’ll be honest: without a dedicated budget, an organization’s investments in security are likely to be deprioritized when it comes time for budgetary planning. Organizations that plan a security budget — even a modest one — can start making more informed decisions around security. Having money set aside specifically for security posture means decisions will be planned and informed, not rushed.
We expect to see more major investments in cybersecurity budgets. Sixty percent of participants stated that their security spending is expected to increase, and that they have support from their CEO and senior management for these initiatives.
Why Increase Spending?
Risk mitigation efforts matter. Consider something we noticed while compiling our data: a smaller share of the ransoms demanded is actually being paid. The percentage for the last quarter of 2021 held steady in the low twenties, down significantly from figures that once exceeded 50%. As recently as Q3 2020, the ratio was 44%.
We can at least partially attribute this decrease in cost and severity to improved security controls. A robust backup strategy, among other controls, can significantly reduce the harm threat actors wreak on your systems.
The CISO Impact
Of the participants who stated that they need help with security improvements, 72% were companies that lacked a Chief Information Security Officer (CISO) — reinforcing the idea that a CISO can play a large part in improving security posture. Survey respondents highlighted a lack of resources and the overall complexity of security as the key factors currently preventing improvements in their defenses. At mid-sized SMBs, one-third of survey participants reported having a CISO on staff. The complexity of cybersecurity is daunting, but having experienced cyber talent can be a major differentiator. An on-staff CISO can play a pivotal role in bridging the gap between technologists and business executives: a designated employee who is both on top of cybersecurity trends and capable of implementing (and spearheading) the incredibly important budget you’ll need for progress.