Part 1: Current Cybersecurity Program

SMBs in the DIB face relentless attacks from threat actors seeking to steal intellectual property, and they are high-value targets for motivated ransomware gangs and other cybercriminals. Yet they’re the backbone of defending our nation, and in this section, they report how well they’re defending themselves from attack.

77% say enhancing cybersecurity is a very high or high priority

31% of respondents say enhancing their organization’s cybersecurity measures over the next year is a very high priority and 46% say it’s a high priority. 18% say it’s a medium priority. 3% say it’s low and 2% say it’s very low.

 

Q. How would you rank the priority of enhancing your organization's cybersecurity measures over the next 12 months?

Very High 31%

High 46%

Medium 18%

Low 3%

Very Low 2%

47% meet monthly to discuss cybersecurity

47% say their leadership team meets to discuss security monthly, while 41% convene quarterly to discuss cybersecurity. 11% meet annually, and 1% weren’t sure about the frequency. One respondent (<1%) said their leadership team never meets.

Q. How often does your executive leadership team meet to discuss security?

Never 0%

Monthly 47%

Quarterly 41%

Annually 11%

I'm not sure 1%

66% have three or more people dedicating time to security

37% have four or more people who spend at least a quarter of their time on security, while 29% have three people who do. 26% have two people who spend at least a quarter of their time on security, 8% have one person, and 1% don’t have anyone.

Q. How many people on your team spend more than 25% of their time on security?

4+ 37%

3 29%

2 26%

1 8%

0 1%

80% rate their security skill level as very high or high

29% rate the skill level of their in-house security team very high, while 51% rate their skill level as high. 18% rate their security team skill level as medium, 2% rated them low, and one respondent (<1%) rated them very low.

Q. How would you rate the skill level of your in-house security team on a scale from 1 to 5?

1 - Very Low 0%

2 - Low 2%

3 - Medium 18%

4 - High 51%

5 - Very High 29%

38% would take a week or more to detect a threat in their environment

How quickly would respondents detect a threat that bypassed their defense and was operating from within their IT environment? 26% would detect it in an hour, and 34% would detect it within a day. For 24%, it would take a week, and for 10%, it would take a month. 2% would detect it in a year and 2% would detect it in more than a year. 1% wasn’t sure how long it would take.

Q. If a threat bypassed your defense and was operating from within your IT environment, how quickly would you be able to detect its presence?

 

54% say it would take two days or longer to respond to ransomware or a breach

How quickly would respondents be able to conduct a full investigation and develop a comprehensive incident response plan if they had a ransomware or data breach incident? For 16%, it would take an hour, and for another 29%, it would take a day. 34% say it would take two to three days, and 14% say it would take four to six days. For 6%, it would take a week or more. 1% wasn’t sure how long it would take.

Q. If you had a ransomware or data breach incident, how quickly would you be able to conduct a full investigation and develop a comprehensive incident response plan?

 

47% had four or more of their endpoints compromised in the past year

18% say none of their endpoints have had a virus or malware compromise in the past 12 months. However, 10% have had one endpoint compromised, 23% have had two to three, and 23% have had four to ten. 18% say they’ve had eleven to nineteen, and 6% have had twenty or more. 2% weren’t sure how many.

Q. How many of your organization's endpoints have had a virus or malware compromise in the past 12 months?

 

47% had four or more user accounts or emails compromised in the past year

24% say none of their user accounts or email addresses have been compromised in the past 12 months. However, 8% have had one account compromised, 19% have had two to three, and 23% have had four to ten. 17% say they’ve had eleven to nineteen, and 7% have had twenty or more. 2% weren’t sure how many.

Q. How many of your organization's user accounts or email addresses have been compromised in the past 12 months?

 

44% would not be surprised to experience an operational disruption or data theft

Our respondents say they would not be surprised to experience the following — in other words, they know they may have vulnerabilities or gaps in security that would result in. Directly correlated, they would be surprised to experience the following — in other words, they believe their security capabilities are sufficient in these areas, so the likelihood of compromise is assumed to be low:

Q. Would you be surprised if you experienced any of the following security incidents in the next 12 months?

 

37% say cybersecurity-related incidents have cost their company $100,001 or more

How much money have cybersecurity-related incidents cost in lost time, productivity, or cash? For 8%, it was nothing. However, 16% say it was less than $10,000; 19% say $10,001 to $50,000; 21% say $50,001 to $100,000; 24% say $100,001 to $250,000; 9% say $250,001 to $500,000; and 4% say more than $500,001.

Overall, 37% have experienced costs of $100,001 or more in cybersecurity-related incidents.

Q. In economic terms, how much do you estimate cybersecurity-related incidents have cost your company in lost time, productivity, or cash?

 

Top Five Challenges to Cybersecurity

When it comes to managing and executing an effective cybersecurity program, respondents’ greatest challenges today are (they chose all that applied):

  1. Protecting sensitive data from breaches and leaks (44%)
  2. Implementing and maintaining compliance with regulations, including Cybersecurity Maturity Model Certification (CMMC) (38%)
  3. Keeping up with evolving cyber threat landscapes (37%)
  4. Managing a limited budget and resources for comprehensive cybersecurity measures (29%)
  5. Ensuring business continuity and disaster recovery planning (25%)

Other challenges include managing third-party or vendor security risks (24%), balancing security needs with operational efficiency (23%), developing a cohesive and integrated cybersecurity strategy (22%), recruiting and retaining skilled cybersecurity personnel (16% tie), educating and training employees on security best practices (16% tie), implementing robust access control and identity management systems (14%), and staying updated with the latest security technologies and tools (12%).

Q. Of the options listed below, what are your top three greatest challenges to cybersecurity today?

 

Top Functions They’re Managing In-House, Outsourcing, or Combining

When it comes to managing security functions in-house, outsourcing, doing both, or doing neither, respondents are doing the following:

Q. Who is responsible for the following functions at your organization?

 

Security Program Function Effectiveness

When it comes to how effective they are at executing various security program functions, respondents say the following:

Q. Please rate how effective you are at executing the following functions of your security program?

 

Summary

The majority of respondents say that their companies are focusing time, energy, and resources on cybersecurity:

  • 77% say cybersecurity is a very high or high priority
  • 66% have three or more people dedicating time to security
  • 80% rate their security skill level as very high or high
  • 47% meet monthly to discuss cybersecurity

When compared to last year’s report, we see a noticeable jump in attention paid to cybersecurity. This year:

  • 16% more say cybersecurity is a very high or high priority
  • 13% more rate their security skill level as very high or high

However, there are still areas of improvement, as 38% would take a week or more to detect a threat in their environment and 54% would take two days or longer to respond to ransomware or a breach. 47% had four or more of their endpoints compromised in the past year and 47% had four or more user accounts or emails compromised in the past year.

The good news is that these percentages are down from last year’s report, reflecting ongoing improvements to security and threat detection. Additionally, 37% say cybersecurity-related incidents have cost their company $100,001 or more — down from 46% last year.

Despite the improving numbers, respondents still have areas to address, including “medium effectiveness” in log analysis and incident response, and “low effectiveness” in log analysis, vulnerability management, and security awareness training.

Ultimately, their top challenges to effective cybersecurity today are protecting sensitive data from breaches and leaks and implementing and maintaining compliance with regulations, including CMMC.