Cybersecurity: does size really matter?

Though there’s a strong tendency (and it’s not unfounded) to think of small companies as less security-driven, many of those which participated in our research were just as on-the-ball, if not more so, than larger companies.

In the information age, it’s difficult to think of any organisation, no matter how small, which can truly say it’s not at risk from cyberattacks. Hiscox’s 2019 Cyber Readiness Report found that attacks on small and medium-sized companies have grown at a much faster rate than those on larger organisations (though perhaps the actual difference is in the companies’ awareness levels, rather than in the number of attacks).

According to Hiscox, almost half of small companies (1-49 employees) were targeted in 2018, up from a third in 2017, while there was an even more significant increase in companies with 50-249 employees, with the percentage of firms targeted almost doubling from 36% in 2017 to 63% in 2018.

But their commitment to cybersecurity has also increased: Hiscox found that three quarters of small businesses had at least one person or a third-party supplier explicitly responsible for cybersecurity (up from 56% in the previous year). 

Our own study found that companies with fewer than 100 employees reported some of the smallest infosec teams: almost 40% had just 1-2 members, though teams of 3-5 were most common, with a maximum of 15 and a mean of 3.8. Considering total employee count, that’s not bad.

We can compare this to the situation in medium to large companies (500-1000 employees). In these companies, the largest team had 25 members, bringing the average up to 5.1, but only 13% of participants reported a team of more than 5 members. For medium-sized companies (100-500 employees) the figures were similar to those at small companies: 1-2 or 3-5 member teams were most common (each with approximately two fifths of the ‘vote’), though 11% reported a team of more than 20 members.

We see something similar with participants’ confidence in the board’s appreciation for CISOs’ knowledge of operational risk, and in the adequacy of board-level support for the infosec team. Participants at small companies with fewer than 100 employees were reasonably confident, reporting figures fairly close to overall results: 69% felt that CISOs’ risk knowledge was somewhat (58%) or fully (11%) appreciated and 53% felt that the support they received was mostly (42%) or completely (11%) adequate.

For contrast, companies with 500-1000 employees were much less confident: only 40% felt that CISOs’ risk knowledge was somewhat (33%) or fully (7%) appreciated, while 50% felt the support they received was mostly adequate.

It’s also worth noting that participants at small companies reported using a number of solutions consistent with participants overall: almost two thirds said they used more than 5, with a fifth saying they used more than 20. None said they used fewer than three. While a large security stack doesn’t equate to a strong cybersecurity posture, it does imply a not-inconsiderable budget.

As discussed elsewhere in our commentary on this project, responses came from AKJ Associates’ network of senior information security professionals, most if not all of whom were attendees at our conferences. Just over a third of participants from companies with <100 employees had security-specific roles; the others were mostly in IT roles or C-level positions such as CIO or CTO. However, almost half had more than 10 years’ experience in cybersecurity, and only 5% said it had been part of their remit for less than a year.

This means that even if cybersecurity at these companies is one of the IT department’s many responsibilities, rather than necessarily having its own division, it is at least being prioritised reasonably highly. These participants’ attendance at our events also means that they were granted, or were able to grant themselves, approval to take a day out of the office to attend the event – indicating that they are reasonably senior, that the company is invested in staying abreast of the latest cybersecurity developments, and that they have enough support to stay reasonably on top of their workload.

While all that may seem fairly basic, for small companies in particular it’s not a given. This should of course be kept in mind before extrapolating our findings to all small companies.

Despite that, these statistics indicate that when a small company does decide to invest in information security, the ease of communicating its real business importance across all levels of the company may make a mature cybersecurity posture easier for them to accomplish than for their peers at more complex organisations.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
