Small- and medium-size businesses are adopting cloud, seeking efficiency gains, customer experience enhancements and improved remote work capabilities. Many SMBs, however, are failing to adequately address cyber risks, according to an AWS survey of 800 C-suite executives.
More than one-third of SMBs haven’t prioritized security and 2 in 5 have yet to provide security training within their organizations, the report found.
While respondents understood security requirements, they were unsure of how to manage risk, and 2 in 5 believed they lacked sufficient technical expertise to shore up cyber defenses.
SMBs want access to the technologies driving enterprise growth and innovation among their larger competitors, and they are making the investments. IT spending in the SMB segment is expected to grow 5.4% year over year in 2023 and reach 8.3% year-on-year growth by 2027, according to consulting firm Analysys Mason.
But hiring a CISO or standing up a cloud security team isn’t always practical for smaller organizations, Ben Schreiner, head of business innovation at AWS, told CIO Dive.
“The proprietors I talk to know that they are understaffed when it comes to security,” Schreiner said. “They’re fighting a losing battle.”
Nearly half of SMBs experienced an incident in the last year, payroll and financial software company Sage found in a survey of 2,100 SMB decision makers conducted by Danebury Research.
Many organizations are turning to third-party vendors, including cloud providers, for cyber assistance, too often after a breach has occurred, Schreiner said.
Misconceptions trigger risk
Several misconceptions can leave SMBs exposed to cyber risk.
SMBs commonly assume security in the cloud is too costly and requires a large team of cyber specialists, AWS found. Half of respondents also believe migrated data is inherently less secure than data kept on-prem.
The notion that data is more vulnerable post-migration fuels the myth that organizations must devote prohibitive resources to securing cloud deployments, Schreiner said.
Hyperscalers build security features into their platforms to ease the load on customers and also to protect their reputations. As cloud matures, these built-in security tools become easier to deploy.
In many cases, Schreiner said, it’s as simple as checking a box.
Schreiner also estimates that 80% of on-prem IT skills are transferable to cloud. “There’s still networking, databases, and applications, so a lot of it is similar,” he said. “It’s not starting from scratch.”
But security features only work when they are activated. Organizations, regardless of size, have to enable security systems, update applications and maintain basic governance.
Schreiner offered two simple remediation strategies.
“If I could wave a magic wand, I would make it so that everybody uses two-factor authentication and nobody uses their root account,” Schreiner said.