ESG Research: How Small and Midsize Enterprises Can Fix Breach Unpreparedness

Despite our best efforts across the cybersecurity industry, it's clear that breaches are still inevitable, but they simply aren't limited to the biggest companies in the world anymore.

During a recent conversation between Forrester senior analyst David Holmes and Illumio CTO PJ Kirner, it was shared that in 2021, 63 percent of enterprise firms were breached over a 12-month period, costing them $2.4 million on average to find and recover a breach.

That number is alarming, and enterprise breaches make global headlines. But it is actually small and midsize businesses (SMBs) that are the most targeted market segment for ransomware attacks, with 82 percent of ransomware operations targeted against companies with less than 1,000 employees, according to Gartner.

Breaches aren't nightmares for just the enterprise anymore

Small and midsize organizations don't just have targets on their backs — they've been successfully breached with major consequences.

A new report from analyst firm Enterprise Strategy Group (ESG) surveyed cybersecurity professionals in organizations across the globe, revealing that among the small enterprise (500-2,499 employees) and midsize enterprise (2,500-4,999 employees) segments, respondents have significant uncertainty about their organization's ability to withstand more breaches without incurring significant losses:

• 85 percent of small and midsize enterprises that have had data and systems held hostage by a ransomware attack were forced to pay the ransom, either directly or through a cyber insurance provider.
• The average ransom paid by small enterprises was more than $333,000, while the average among midsize enterprises was more than $513,000.
• Only 17 percent of small enterprise respondents feel their business is prepared to handle a breach, with 57 percent believing a breach is likely to become a disaster. By comparison, 21 percent of midsize enterprise respondents feel prepared to handle a breach.

Based on these responses, it is clear that organizations recognize their unpreparedness for breaches, the potential for those breaches to become even larger disasters, and that the consequences of attacks such as ransomware will likely result in substantial financial losses.

Read ESG's full report here.

Operating under a false sense of security?

While these findings are consistent with what industry analysts have been saying, one statistic from ESG's report stands out: 41 percent of midsize enterprises and 44 percent of small enterprises do not operate under the assumption that they will be breached. This is an unsettling disconnect between what businesses say they are doing and how they are actually operating.

If SMBs are highly targeted and feel unprepared for breaches, why don't they operate accordingly?

After all, SMBs face the same security threats as their enterprise counterparts — but they have far fewer IT resources in staff and budget to design and execute their security strategy.

Fortunately, to combat this, SMBs are turning to Managed Service Providers (MSPs) as trusted advisors to provide robust security without the overhead of self-management. SMBs are also adopting security frameworks like NIST CSF, CIS, and CMMC to define roadmaps for their security strategy.

Benefits of Zero Trust Segmentation maturity

In another revealing statistic from ESG, small and midsize enterprises are prioritizing Zero Trust, with 92 percent of small enterprise respondents and 90 percent of midsize enterprise respondents indicating that it is a top three cybersecurity priority.

Additionally, research respondents were grouped into three categories based on their progress towards Zero Trust Segmentation (ZTS). Only 7 percent of small and midsize enterprises were included in the Pioneers category, indicating that they had advanced ZTS implementation. Although many organizations recognize the importance of segmentation, this statistic shows that there is still a lot of progress to be made in most SMBs' security maturity.

Tellingly, businesses that identified as Pioneers saw significant security and business advantages compared to their peers who weren't as far along in implementing ZTS.

According to ESG, Pioneers gain the following benefits:

• 4.3x more likely to have comprehensive visibility into traffic across their environment
• 5x more likely to have comprehensive visibility across all types of application architectures
• Lower annual downtime costs
• 68 percent faster mean time to recover (MTTR) from security incidents
• Twice as likely to feel prepared to handle cyberattacks.

An easy way to realize the benefits of Zero Trust Segmentation

With smaller teams and less budget, the path to segmentation‚ and ultimately breach preparedness‚ can be much faster and simpler than many realize.

Illumio provides SMBs with a fast, easy-to-use tool to gain visibility into their networks, contain breach spread with a few clicks, and segment endpoints so that attacks have nowhere to go.

Breach risk reduction with Illumio can instantly stop the spread of breaches by cutting off all protocols used by malware to propagate, including Remote Desktop Protocol (RDP) exploitation, which accounted for nearly half of attacks in Q3 2021.

IT and security leaders in SMBs may be well-intentioned in wanting to implement Zero Trust Segmentation, but Illumio offers a simple path forward in delivering more confidence and readiness in the face of inevitable breaches.

Read ESG's full report here.

Learn more about how Illumio Zero Trust Segmentation helps proactively protect small and midsize businesses: illumio.com/solutions/smb