Most SMBs Not Taking Key Precautions Against Cyberthreats: Survey

Jay Fitzgerald

‘Many (firms) are using the ostrich approach to the problem, burying their heads in the sand and hoping it will go away,’ says one MSP chief executive.

Tony Anscombe, chief security evangelist at ESET

Most SMBs are failing to take the most basic steps to secure their systems even though they know their firms are vulnerable to potentially devastating cyberattacks, according to a new survey conducted by security vendor ESET.

The survey of more than 1,200 decision-makers at small- to medium-sized firms in North America and Europe found that 74 percent of respondents believe that they’re more vulnerable to cyberattacks than enterprises – and yet 70 percent of respondents admitted that their security investments have not kept pace with recent workplace changes, such as the rise of remote working since the onset of COVID-19.

In North America, 54 percent of SMB respondents said they were unable to keep up with the latest cybersecurity threats, while 49 percent cited budget limitations and a lack of investment as reasons for falling behind on their security needs, according to survey data provided by ESET, which is headquartered in Bratislava, Slovakia, and has North American offices in San Diego and Toronto.

In an interview with CRN, Tony Anscombe, chief security evangelist at ESET, said that a dive into the survey stats shows that 75 percent of companies identify remote desktop protocol (RDP) as a top risk for them – and yet 77 percent of respondents will keep using their current RDPs despite the vulnerabilities.

“It’s an easy win for them to make a change (to RDPs), but they’re not doing it,” said Anscombe.

ESET survey data points to a variety of other steps not taken by SMBs to protect their businesses, such as 49 percent of respondents saying they haven’t gotten a risk audit within the past 12 months, said Anscombe.

“To me, that’s somewhat shocking,” said Anscombe of firms not getting audits to determine the extent of their security vulnerabilities and needs.

There were some encouraging signs that many SMBs are indeed seeking help and spending more on security, such as 27 percent of respondents saying they’ve gotten some form of EDR, XDR or MDR coverage, according to ESET data.

Nonetheless, survey results show most SMBs know they need to do more on the security front – and yet they won’t or can’t.

“There’s still some disconnect between what you want to do as a business and what you need to spend to make it secure,” said Anscombe.

“I think we’re still in a transition phase. If you have (implemented new) cybersecurity over the last two to three years, I think it’s significantly changed” the risk outlook for firms, he said. “But if you go back to pre-pandemic (protections), the security team was the office down the corridor with geeky guys that kind of said no to everything.”

Mark Wiener, CEO of BizCom Global, a Raleigh, N.C.-based MSP, said he’s “absolutely” seeing a reluctance on the part of SMBs to beef up their security.

“People are starting to appreciate the problem a little better,” he said. “But many are also using the ostrich approach to the problem, burying their heads in the sand and hoping it will go away.”

For many SMBs, it all comes down to available money and affordable cybersecurity solutions, Wiener said.

Some businesses are closing some, but not all, of their vulnerability holes – while others are sticking with their current and oftentimes antiquated security tools, he said.

“They’re doing nothing to protect their company,” said Wiener, adding that “so many” SMBs don’t even have cyber-insurance at this point.

ESET’s Anscombe told CRN the survey results indicate there’s some “low hanging fruit” for channel players in terms of new business opportunities with SMBs, such as helping businesses address RDP problems.

“There’s some things that MSPs and channel partners can be pursuing, in my view,” he said.




Jay Fitzgerald

Jay Fitzgerald is a senior editor covering cybersecurity for CRN. Jay previously freelanced for the Boston Globe, Boston Business Journal, Boston magazine, Banker & Tradesman, Harvard Business School’s Working Knowledge, the National Bureau of Economic Research and other entities. He can be reached at
