New ESET study on SMB digital security shows danger and concern high, but better in Canada than in the US

One factor in the somewhat better Canadian numbers is that fewer American SMBs employ an MSP for their security, compared to SMBs in Canada.

Tony Anscombe, global security evangelist at ESET

Cybersecurity vendor ESET has released their 2022 SMB Digital Security Sentiment Report. Unsurprisingly, it revealed considerable trepidation, with 74% of SMBs in North America and Europe believing that they are more vulnerable to cyberattacks than enterprises. 70% also acknowledged that their investment in cybersecurity has not kept pace with recent changes to their operational models. The data, however, was somewhat better for Canadian SMBs than those in the U.S. The study surveyed over 1,200 cybersecurity decision makers from SMBs in Europe and North America.

Approximately half of North American SMBs surveyed identified themselves as falling short in three key areas: keeping up with the latest cybersecurity threats (54%); keeping up with the latest cybersecurity approaches and technologies (50%); and budget limitations or a general unwillingness to invest in cybersecurity (49%).

“This all has to be viewed within the context of the growing security threat of cybercrime,” said Tony Anscombe, global security evangelist at ESET. “In 2018, the cost of cybercrime was $1.5 trillion dollars. In 2020, it was $6 billion. Cybersecurity Ventures now says it will be $20 billion by 2025.”

Given this exponential rate of increase, SMBs are well aware that the danger has grown, and they are having issues keeping up.

“74% believe they are more vulnerable to an attack,” Anscombe said. “They don’t have the resources and skillsets internally that an enterprise would have, so they are comparatively more vulnerable.”

Similarly, 70% of businesses surveyed admitted that their cybersecurity investments have not kept pace with recent changes to their operational models.

“It’s challenging to run a small business, but they still aren’t investing in the same way,” Anscombe stated. “It’s challenging to run a small business.”

Some SMBs have dealt with this issue by outsourcing to experts – hiring an MSP. Anscombe said not enough of them are doing this, however, even though it is a wise strategy. It’s also less widely done in the U.S. than in Canada. In the U.S., 42% of SMBs keep their cybersecurity management in house, while only 25% do so in Canada.

“If I was a small business without an internal cybersecurity skillset, I would look seriously at moving to an outsourcer,” Anscombe said. “I think one factor why many have not done this is because many SMBs have always bought their IT from a ‘mom and pop’ provider, and they may not even be aware that managed services are an option. The difference between the use of MSPs in Canada and the U.S. could also be a factor in the better numbers in Canada.”

Those numbers indicate that 74% of U.S. SMB respondents have experienced or acted on strong indications of a data security incident or breach in the last 12 months, compared to 56% of Canadian respondents. 43% of U.S. respondents also noted they had more than one incident in the same time period compared to 28% of Canadian respondents.

“Canada generally has better privacy legislation requiring encryption of data, and understanding where your data is,” Anscombe said. “It also restricts what you can collect, and defines retention policies. This aggregation of factors is another reason why Canada is less of a target.”

The study indicated that both American and Canadian MSPs need to take audits more seriously. Only 49% of companies surveyed in the United States have conducted a cybersecurity risk audit in the last 12 months, compared to 60% of Canadian SMBs. Surprisingly, 7% of U.S. and 18% of Canadian respondents admitted that they have never conducted an audit.

“Privacy legacy has a requirement for audits, which is not being met,” Anscombe said. “An audit is typically necessary as well if you want to obtain cyberinsurance. Working with an MSP also makes it less difficult to obtain cyberinsurance. The shocking part to me here is that 51% of companies haven’t done a recent audit at all. Until you do an audit, you can’t really draw up an action plan, because you don’t know what’s already there.”

SMBs are not taking proper steps to protect against Remote Desktop Protocol (RDP) security concerns. Even though 75% of North American respondents view RDP as a top factor impacting the risk of cyberattacks in the next 12 months, 77% say they will continue to use it despite the security risks. And not enough of these businesses are taking basic security steps to harden the use of remote access tools. Almost half (49%) of respondents are not protecting logins with multifactor authentication (MFA), and only 52% keep remote access tools up to date.

“RDP has created a huge attack surface for cybercriminals, which in 2020-21 led to an 894% increase in attacks,” Anscombe noted. “One of the easiest ways to secure RDP is MFA [Multi-Factor Authentication]. Yet 54% in Canada aren’t doing this, even though it is very simple to do.”

Until recently, SMB adoption of EDR, XDR, MDR and other more advanced cybersecurity technologies was comparatively slow, in part because they deemed the cost to be beyond their means. Now 27% of SMBs in North America say that they currently use EDR, XDR or MDR solutions. For those that don’t, 25% say it’s because they don’t know enough about EDR, XDR or MDR to consider using them. 31% say they plan to use them in the next twelve months, while 13% would consider using them in the next two years and the remaining 4% are not considering these solutions yet.

“I think the view on that has been changing over the last two or three years,” Anscombe said. “In 2019, a big ransomware payout would be half a million dollars, and then in 2021 Colonial paid $4.1 million. SMBs see these costs escalating, and that’s important because they see themselves as even more vulnerable.”