There is a lot of talk about SMBs and cybersecurity, much of it surrounding why SMBs need to do a better job at taking security more seriously. The reasons so often come down to issues like budgets and staffing, and as a Ponemon Institute study from last year reported:
the introduction of cloud applications and infrastructure and more mobile devices is creating more security risks that will stretch these companies’ resources.
With this observation in mind, we shouldn’t be surprised by the outcome of a recent study from Netwrix that revealed the differences in the way SMBs and large enterprise operations prioritize cybersecurity. SMBs focus more on protecting endpoints, while enterprise puts an emphasis on protecting data.
Proving the Ponemon study’s observations, Netwrix considers visibility into on-premises systems, cloud systems, and corporate mobile devices to be most critical for security, while enterprise sees BYOD and shadow IT as a challenge as critical for its overall security of the infrastructure.
What about budgets and staffing, those two most-often cited reasons for SMBs not focusing enough on cybersecurity? Not surprisingly, budget and staffing are a universal problem for everyone, but they also set up different concerns between large and small businesses. Enterprises said they struggle with the ability to support a complex infrastructure; SMBs cited security’s time constraints on staff.
This leads into another area in which the two part ways. A third of enterprises said they do not have a separate security function, and just a little more than half say that IT is also at least partly responsible for security. On the other hand, nearly three quarters of SMBs don’t have a separate security department, and 80 percent say their IT staff is responsible for cybersecurity. This closely matches a similar study from IDG that found two-thirds of enterprises have a CSO or CISO, compared to a third of SMBs.
Finally, according to IDG, the security skills gap hurts everyone, with 29 percent of organizations admitting they have at least three unfilled security positions, a number that jumps to 43 percent in enterprises.
On the surface, it may look like the enterprise is more equipped for security, but Michael Fimin, CEO and co-founder of Netwrix, said in a formal statement that enterprise is no less vulnerable than SMBs when it comes to actual risks. It’s just that they are focusing their security efforts in different ways, and even that may be changing, Fimin said:
We see a growing interest from SMBs in adopting a data-centric approach as well. SMBs are striving to gain visibility into user activity around data to become more proactive and successful in dealing with cyber threats.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba