Executive Summary

Professionals in their field, not in security

It turns out there is a huge opportunity for Communication Service Providers (CSPs) to provide broadband security to their small business customers. Small business owners and managers are lawyers, doctors, accountants, financial advisors, and shop owners at your favorite store or café.

They are professionals in their field, supporting communities and driving innovation.

But they are not security professionals.

Yet, according to an Allot-sponsored Coleman Parkes Research survey of 1000 small businesses, small business leaders hold prime responsibility for securing their businesses.

In today’s world, security threats are everywhere. If a small business is a house or small store, the structure is threatened by a storm of security threats, and it’s critical to keep the storm away and keep the structure from leaking.

But business owners are confused by the myriad choices available, and they don’t have complete trust in their security solutions.

There are holes in their current security posture, made up of a patchwork of solutions.

Business owners are looking for a holistic solution that provides safe data, insights, and security, and they would like to get this from their CSP – their trusted partner.

Dive deep into the survey data and discover how to stay safe in the storm.

CSPs will discover:

  • Small businesses' concerns about security
  • Barriers faced by small businesses when looking to secure their business
  • Where businesses currently obtain network security and who they think should supply it
  • The potential role of the CSP in securing small businesses

Business owners are in charge

While business owners are experts in their field, according to most respondents, they are also the default “in charge of security” for their company.

More than half of all respondents noted that they were the lead decision maker, and another 35% are part of the decision-making team.

Decision making role

Few companies had an external consultant or in-house security professional. 65% said the business owner was responsible and another 18% left security in the hands of another in-house employee whose main role was not security related. Larger companies are more likely to have someone other than the business owner in charge of security.

Who is responsible for security

Preparing for the storm

Business owners are trying to prepare for the storm. They know that there are threats out there that risk the foundation of their business, and they are looking to block them. Business owners are concerned about employees’ personal devices and home networks introducing vulnerabilities.

Biggest concerns of business owners

There is more awareness of threats than last year (compared to the Telco Security Trends Q4 2021 report).

Awareness of threats

64% of employees are also “quite” or “very” concerned about users using risky applications.

It’s noteworthy that risky cloud applications are only a small part of a business’s security threats. Even if a business is using only legitimate and secure cloud apps, they are at risk from phishing and smishing attacks.

For example, an employee may receive an SMS or an email purporting to be from a legitimate application, such as their office suite, HR software, or payroll app. The authentic cloud vendor may have strong data security policies and practices. But the bigger risk is that the employee clicks on the phishing link to go to an impersonated site that spoofs the legitimate site.

Recovering from the storm

If you were attacked once already, then the damage is already done, and businesses need to recover. 42% of companies had an incident in the past year.

Companies in North America were more likely to report that they had an incident in the past year, with 27% reporting that they experienced a cyber security incident. However, this may reflect more sophisticated security awareness rather than more threats.

Companies in North America and Asia that reported they definitely experienced a cybersecurity incident reported an average of 2 cyber incidents last year, with those in Europe experiencing 3 incidents.

Cybersecurity incidents faced by SMBs

One disturbing point is that many businesses are unaware if they were victims or not. Some businesses had incidents, but they are not able to identify that they were attacked. Other businesses may have fallen victim to an attack, but remain unaware.

An example of a threat that some small businesses faced this past year was infected routers. These routers were host to a RAT – Remote Access Trojan – known as ZuoRAT. While its discovery was revealed in late June 2022, attacks started almost two years earlier, in October 2020, and many businesses were unknowingly victimized.

Types of attacks

The most common types of attacks that businesses have been victims of include viruses and malware, but 22% (31% in APAC) have been a victim of some form of ransomware.

Types of attacks faced by SMBs

Priority vs. Reality

Small businesses use an array of tools to protect their business. But are they the right tools and do they allow threats to leak into their network?

72% of small businesses claim that blocking cyber threats is among their top three priorities, yet only 46% of respondents state that they have a solution or service in place to block cyber threats.

Security priorities vs. Security realities

The protection arsenal

So, what tools do small businesses have in place to protect their network? Most businesses report having enterprise-grade tools such as firewalls, but it is a real mixed bag, with a myriad of solutions in place.

While all the security solutions are important and have a unique role to play, many of the tools are aimed at larger enterprises rather than small businesses.

Tools currently in place

Insuring against cyber threats

70% of small businesses carry cybersecurity insurance. In 2021, only 30% reported carrying a specific cyber insurance policy, although more believed that their policy covered cyber attacks. This is good news if a business experiences a ransomware attack, as some insurance policies do cover ransomware payments. However, they do not cover the cost of diverting employee time away from strategic operations nor do they cover their salary cost for unproductive time.

Most companies that have cybersecurity insurance do so because it was part of a larger liability package, recommended by their insurance broker, or required by an investor or partner. This reflects greater awareness of the importance of cybersecurity insurance.

Cybersecurity insurance

Cybersecurity insurance pays off when it’s too late – after a business has been attacked. An organization’s cybersecurity strategy should be focused on preventing attacks from happening. Even with an insurance policy in place, recovering from significant attacks from ransomware is time-consuming and diverts business owners and employees from engaging in revenue-generating activities. Small businesses often do not have the luxury of time or significant cash reserves to recover from threats rather than engage in revenue-generating work.

Holes in the network

Many businesses think that endpoint security is sufficient. If they have endpoint protection on their computer, they think they are safe. However, a modern business network is made up of many connected devices (such as smart TVs, connected cameras, doorbells, IP-connected phone systems, and smart assistants such as Amazon Alexa) which are not covered by endpoint protection.

The average business reports having 3 connected devices, with 41% reporting having 4 or more devices. These are not covered by endpoint security solutions.

However, even when just looking at endpoint devices, there are lots of holes where security threats can enter the network.

Only about a third of businesses have endpoint protection across all mobile devices and personal computers. Another third has endpoint protection on all their personal computers, but not all mobile devices. This means that 35% of businesses have unprotected computers and 65% of businesses have unprotected corporate-owned mobile devices. And, of course, employees are also using their personal devices on the corporate network, hence even more businesses are at risk.

Devices with endpoint devices

Popular suppliers of security solutions

More businesses are going to suppliers that specialize in security as well as their service provider, as compared to last year.

Security solution suppliers

Yet, business owners don’t have a high degree of trust in their existing solutions. Only 22% of respondents report a high degree of trust that their existing solutions will protect their business.

1 in 4 businesses purchase security solutions from their service provider

Cost of security

Spending time on security is costly for resource-strapped small businesses.

The average small business owner spends 5 hours per month on security matters (such as maintenance, configuration, updates of security solutions, deployment, etc.). 14% of respondents even spend between 10-20 hours a month on security matters.

According to data released in October 2022 from The Paychex | IHS Markit Small Business Employment Watch, the average hourly wage in US small businesses is $30.77 per hour.

Hours per month dedicated to cyber security

Barriers to improving IT security

While businesses know that protecting their business is important, numerous barriers are preventing them from improving their current IT security position.

As we can see, there is more confusion than before with an increase in respondents saying that there are too many products and services to secure and a lack of knowledge to understand what is needed. Cost is also a significant concern, with significantly more respondents citing cost as a barrier.

Barriers to improving IT security

The potential role of the CSP

Businesses look to a variety of vendors to secure them and expect security to be provided by multiple vendors. This is in line with security best practices of defense-in-depth and a layered approach, which places multiple security controls throughout the IT environment.

Responsibility for providing security services

A surprising result is that while only 27% of respondents currently purchase security solutions from their service provider, 47% of respondents believe that their service provider is responsible for providing security solutions.

It turns out that small business owners have high expectations from their service providers.


When asked a series of questions on a scale of 1 (strongly disagree) to 5 (strongly agree), here are the statements that respondents agreed with (ranking 4 or 5 in the survey).

Willingness to pay

SMBs are willing to pay their ISP to protect their network from threats. Given the large number of SMB customers, this can add up to significant revenue for ISPs.

SMBs are willing to pay for security services

It is worth noting that with a router-based security solution offered by their service provider, they pay per site and not per user, leading to lower costs. This is particularly noteworthy since cost is a significant concern of small business owners.

Willingness to switch

Security is a core differentiator. Not only are businesses willing to pay service providers for security, but they are even willing to switch to a service provider that positions security at the center.

It’s also worth noting that as the business size increases, the willingness to switch increases.

SMBs are willing to switch to other service providers that

Working together to keep the storm away

Security is critical to every small business. Recovering from a ransomware attack can cripple a small business and even drive it to bankruptcy.

Perhaps because businesses know that security is important, even the smallest of businesses use a variety of security tools. However, each tool serves different purposes, and they are not centrally managed. This is like patching your roof with different types of tiles. When a storm comes, you will get wet.

Companies need to protect themselves at the point of entry – where the traffic enters the network – and keep dangerous data out of their network.

But small business owners cannot be expected to be security experts or CISOs. They are lawyers, doctors, accountants, financial advisors, and shop owners at your favorite store or café.

They are professionals in their field. Not in security.

Our survey shows there is a compelling case for service providers to deliver secure broadband to their business customers. Business owners expect their data providers to supply clean data. They look to their CSP, their trusted partner, for insights, advice, and solutions about how to stay safe.

They want the CSP to supply secure traffic as a core offering and they are happy to pay for it.

CSPs can be the ones to supply shelter to their small business customers during stormy weather and keep them safe by providing 360-degree security – using Allot’s network-based security solutions.

Allot BusinessSecure

Allot BusinessSecure guarantees a simple, reliable, and secure network for the connected business.

Allot BusinessSecure is a component of Allot Secure, Allot’s security service delivery platform designed for CSPs, that centrally manages and unifies multilayer security for the mass market.

Multiple elements, working in concert, provide unprecedented visibility into the SMB network and block both external and internal attacks. Additionally, the solution provides content filtering capabilities allowing the SMB owner to prevent employees from accessing inappropriate content while working.

This is all carried out via an intuitive user-centric approach, based on policies and reporting per user and group, instead of having to define independent settings for each device in the network.


BusinessSecure provides CSPs and their business customers with the following benefits:


  • Leveraging existing CPE to provide business security and incremental security service revenue.
  • Accentuating brand differentiation and increasing customer loyalty.
  • Protecting end-user and IoT devices while removing the complexity of managing multiple-point products for the end user.
  • When combined with Allot Secure multilayer security, it creates persistent CSP-branded security for the business users’ network and for business users on the go.


Allot NetworkSecure

Zero touch protection across the entire network.

Allot NetworkSecure is a component of Allot Secure, Allot’s security service delivery platform designed for CSPs, that centrally manages and unifies multilayer security for the mass market.

Allot NetworkSecure enables operators to deliver security and content-filtering services to the mass market from within the network.

Allot NetworkSecure enables mobile and fixed operators to protect business devices. It is device independent and does not require users to download, install, or configure any applications or software.

This is all carried out with an intuitive user-centric approach, based on policies and reporting per user and group, instead of defining independent settings for each device in the network.


NetworkSecure provides CSPs and their business customers with the following benefits:

  • Accentuating brand differentiation and increasing customer loyalty, yielding high NPS, with a track record of achieving 50%+ penetration, leading to increased revenue.
  • Cost-effective CSP-grade security, with low operating costs for the operator and lower costs for subscribers to protect all devices on the network.
  • Straightforward and zero-touch security, automatically provisioned by the operator, with no need to install any additional applications.
  • Difficult to bypass, ensuring users are protected and business assets secured.


Key Takeaways

  • Security is fragmented – There is a multitude of security tools and each of them has a distinct role to play in protecting businesses. A comprehensive security posture should be unified and not just consist of disparate parts. A defense-in-depth approach is the best approach, but it needs to start with guarding the front door – where traffic enters the network.
  • SMBs are confused – Business leaders are confused about how to secure their entire network. They report that there are too many products and services to secure, and they don’t have the necessary knowledge to understand what’s needed.
  • Small business owners are their own CISO – Business leaders are the primary decision makers and are responsible for securing their own businesses. They spend several hours each month dedicated solely to security management. Yet, they are experts in their field, not cyber security.
  • CSPs are trusted business partners – Small businesses look to their CSPs to provide cybersecurity services, are willing to pay for security, and will even switch to a provider that offers cybersecurity services. Security is an expectation. An overwhelming majority want security to be a core offering of their data provider and believe that it is the responsibility of their data provider to provide secure traffic.
  • Providing security for small businesses is a big business opportunity – CSPs that provide comprehensive 360-degree security to micro and small businesses will stand out in a crowded market. Revenue and profit increase while retaining more subscribers.


Survey methodology

In August 2022, Coleman Parkes Research spoke to a thousand small businesses in North America, Asia, and Europe to find out their perspective on cybersecurity and discover how they secure their business.

70% of the companies surveyed had fewer than 10 employees, with 50% being defined as “microbusinesses” with 1-5 employees.

Not surprisingly given the low number of employees, more than 90% of businesses only had one office. An additional 8% of respondents had two offices, with only 2% having three offices and no one reporting more.

It’s also not surprising to discover that their revenue is low, given the size of the businesses, with annual revenue in the previous fiscal year averaging $309,925 – ranging from a low of $283,583 in Europe to $330,500 in APAC.


