2015 State of SMB Cybersecurity Report

Primary research conducted by Spiceworks Voice of IT on behalf of CloudEntr. September, 2014

Upload: cloudentr

Post on 23-Jun-2015


DESCRIPTION

The 2015 State of SMB Cybersecurity report gives an overview of an industry evolving in the wake of the cloud, as businesses rely more and more on web-based services and consumer tech empowers employees to bring their personal devices to work and use their choice of web services there. CloudEntr's inaugural study surveyed 430+ IT professionals to uncover their security challenges and how they plan to tackle cybersecurity for their companies in 2015. The results? Our study reveals that as usage of the cloud rises within businesses, the IT pros who work for them are feeling the impact of increasing security breaches. The cause and solution according to the survey? Employees, as 80% of IT pros see employees as the weakest link in their IT security.

TRANSCRIPT

Page 1: 2015 State of SMB Cybersecurity Report


Background & Methodology

Abstract

SMBs are relying more and more on web and cloud-based services to scale their businesses, reduce costs, enable mobility and increase employee satisfaction. At the same time, the consumerization of IT has empowered SMB employees to bring their preferred IT devices and applications to work. IT professionals are left balancing the need for convenience – to move fast, to scale quickly and to empower employees – critical for a growing business, when one breach could close the door. This report provides detailed insight into how IT pros in SMB organizations are handling timely cybersecurity issues.

Methodology

• CloudEntr conducted research in an online survey in conjunction with the Spiceworks Voice of IT* market insights program to determine where the SMB industry currently stands on the issue.

• Data was collected in September, 2014.

• A total of 438 surveys were collected.

Demographic Representation

• The IT pros were located in the US and represented six industry segments:

  • Financial services

  • Public

  • Professional services

  • Manufacturing

  • Non-profit

  • Other

About Spiceworks Voice of IT®

The Spiceworks Voice of IT® market insights program publishes stats, trends and opinions collected from small and medium business technology professionals who are among the more than 5M users of Spiceworks. Survey panelists opt-in to answer questions on technology trends important to them.

Table of Contents

In This Report

Summary of Findings

Security Practices

Cloud Practices

Budget Profiling

Respondent Profile

Summary of Findings

As cloud usage grows within SMBs, the IT pros that work for them are feeling the impact of increasing security breaches. The cause – and solution – according to our survey of SMB IT pros? Employees.

The current cybersecurity landscape

• Of IT pros surveyed, 60% say recent security breaches have no actionable impact on security policies. Those in financial services are most likely to re-evaluate or change policies (49% vs. 40% on average).

• Across organizations surveyed, roughly three-quarters of IT pros (77%) said employees are the single weakest link in their security infrastructure, and this is especially true among larger organizations (83%) with more users and risk factors.

• Employees are perceived as most problematic in financial services (81%) and non-profit organizations (84%).

• The top challenges organizations face with their IT security are employee focused, including social engineering (48%) and managing BYOD (42%).

• Regulated industries (e.g., finance, government, healthcare, etc.) have greater challenges than non-regulated industries with compliance (51% vs. 28%) and access management (37% vs. 23%).

• Authentication (71%), password management (52%) and access management (50%) are the top technologies used to secure company access to the web and/or cloud.

Cloud and security

• One-third of IT pros (29%) reported that they have no plans to use the cloud, and of that group, 80% said they have no formal policy or regulations against cloud use.

• Nearly half of IT pros not currently using cloud (43%) actively know of departments or individuals within their company that use cloud without company approval.

• Unsanctioned employee use of cloud services is more of an issue in non-regulated industries (45% vs. 37%) as they are not required to comply with industry regulatory laws.

• SMBs deploy the cloud evenly as company-wide and point solutions.

• Deployment of cloud applications as point solutions increases to 62% among companies with 250-499 employees.

• When weighing security versus convenience in cloud-based applications, 63% of all respondents ranked security as the higher priority. Even so, the majority of IT pros surveyed (89%) are concerned with cloud security, and 53% report that employee use of cloud-based applications makes their company less secure.

• Not surprisingly, security is a considerably higher priority for regulated industries (77%) vs. other organizations (57%).


Cloud and security, continued

• As with overall security, the top cloud security concern (75%) is employees—specifically fear of employees unintentionally exposing data.

• IT pros at larger organizations are more concerned with hackers getting in using employee credentials and employees stealing data than their smaller counterparts.

• Regulated organizations (e.g., healthcare, finance, government etc.) are also more concerned with compliance in the cloud than others (56% vs. 25%).

• The extent to which IT pros said they use various methods to improve security for cloud-based applications differs, but roughly three-quarters are relying on employee/end-user education.

Future plans

• When considering their overall security strategy, recent security breaches won't impact 2015 security purchases for 64% of IT pros surveyed.

• Those most impacted by recent security breaches primarily plan to provide more employee education in the next year (89%). Other goals are to provide stronger network perimeter security (62%) and stronger server security (46%).

• Approximately half of the IT pros did not know or preferred not to say if their 2015 budget allocates for cloud security, but this may be a factor of certain respondents' role/limited involvement in budget planning.

Security Practices

60% say recent security breaches have no actionable impact on security policies

• Eighty-nine percent of IT pros surveyed reported some impact from recent security breaches. For approximately half, these recent security breaches simply raised concerns, and only 40% were actually re-evaluating or changing policies based on recent security breaches.

• Those in financial services reported the most actionable impact with 49% indicating some or significant impact.

Impact of Recent News Coverage around Security Breaches on Security Policies (e.g., Heartbleed, Adobe, Target, eBay, iCloud)

Response options, in the order listed for each group: No impact; Minimal impact (e.g., raised concern, but didn’t change policies); Some impact (e.g., led us to re-evaluate policies); Significant impact (e.g., led us to change policies)

Total: 11%, 49%, 34%, 6%
Co Size 20-49: 9%, 61%, 28%, 1%
Co Size 50-99: 10%, 39%, 44%, 8%
Co Size 100-249: 16%, 46%, 29%, 9%
Co Size 250-499: 9%, 49%, 37%, 4%

Impact Net (Total) = 40%

Key Differences by Industry: Impact Net

Financial Svcs: 49%
Public: 39%
Professional Svcs: 41%
Mfg: 36%
Non-Profit: 34%
Other: 44%

Overwhelmingly, those impacted are turning to employee security education in 2015 to prevent breaches

• Those reporting some or significant impact to their organization primarily plan to better educate employees regarding security.

• IT pros at organizations with less than 50 employees are the least likely to invest in security software tools (14%), and those at organizations with 250-499 employees are the least likely to strengthen server security (29%).

New Security Plans in 2015 to Prevent Breaches (Asked of those reporting some or significant impact. Multiple selections permitted.)

Response options, in the order listed for each group: More employee education; Stronger network perimeter security; Stronger server security; Investing more in security software tools

Total: 89%, 62%, 46%, 37%
Co Size 20-49^: 86%, 68%, 55%, 14%
Co Size 50-99: 88%, 55%, 53%, 43%
Co Size 100-249^: 90%, 70%, 50%, 47%
Co Size 250-499: 90%, 58%, 29%, 36%

Recent security breaches won't impact 2015 security purchases for 64% of IT pros surveyed

• While 76% of IT pros reported varying levels of impact on 2015 security purchases from recent security breaches, 44% have raised concerns. Only 32% will re-evaluate or adjust planned security purchases for 2015.

Impact of Recent News Coverage around Security Breaches on Planned Security Purchases in 2015

Response options, in the order listed for each group: No impact; Minimal impact (e.g., raised concern, but won’t change 2015 purchases); Some impact (e.g., will re-evaluate 2015 purchases); Significant impact (e.g., will change 2015 purchases); Don't know

Total: 20%, 44%, 29%, 3%, 4%
Co Size 20-49: 27%, 44%, 25%, 3%, 1%
Co Size 50-99: 19%, 39%, 35%, 4%, 4%
Co Size 100-249: 19%, 45%, 26%, 5%, 5%
Co Size 250-499: 16%, 48%, 31%, 1%, 4%

Impact Net (Total) = 32%

Weakest link in security infrastructure? Employees.

• End users are perceived as the single weakest link in security infrastructure by 77% of IT pros surveyed.

• This is especially true among IT pros at larger organizations (83%) with more users/risk factors.

Weakest Link in Organization’s Security Infrastructure (Single selection permitted)

Response options, in the order listed for each group: Employees/Users; Passwords; Mobile devices; Third-party vendors’ data treatment; The technology we use internally for security

Total: 77%, 8%, 7%, 5%, 2%
Co Size 20-49: 72%, 13%, 8%, 1%, 4%
Co Size 50-99: 74%, 4%, 14%, 5%, 3%
Co Size 100-249: 78%, 11%, 3%, 6%, 1%
Co Size 250-499: 83%, 4%, 4%, 8%, 1%

Weakest link in security infrastructure varies slightly by industry

• While employees are perceived as the single weakest link across all industries, they are perceived as most problematic in financial services and non-profit organizations.

• Mobile devices are also considered more problematic in financial services and professional services.

• Third-party vendors’ data treatment is considered a weaker link in financial services and “other” organizations.

Weakest Link in Organization’s Security Infrastructure: By Industry (Single selection permitted)

Response options, in the order listed for each group: Employees/Users; Passwords; Mobile devices; Third-party vendors’ data treatment; The technology we use internally for security

Financial Services: 74%, 3%, 11%, 9%, 0%
Public: 81%, 9%, 5%, 2%, 5%
Professional Services: 77%, 7%, 12%, 3%, 2%
Manufacturing: 74%, 12%, 7%, 3%, 5%
Non-Profit: 84%, 9%, 3%, 3%, 0%
Other: 73%, 7%, 6%, 13%, 0%

Top IT security challenges are employee-focused: Social engineering and BYOD management

Top IT Security Challenges

Social engineering: 48%
Managing BYOD: 42%
Compliance: 34%
Enforcing password policy: 33%
Access management: 27%
Preventing breaches: 26%
Outages and remediation after a security incident: 11%
Controlling SaaS apps: 8%
Other: 3%
None: 3%
Don't know: 2%

Social engineering and managing BYOD are greater IT security challenges for those in non-regulated industries

• Top IT security challenges vary by industry type:

  • Those in regulated industries (e.g., finance, government, healthcare, etc.), have greater challenges with compliance and access management.

  • Those in non-regulated industries have greater challenges with social engineering, managing BYOD and controlling SaaS apps.

Top IT Security Challenges: By Industry Type

Each line gives Regulated Industries (e.g., Healthcare, Finance, etc.) first, then Non-Regulated Industries.

Social engineering: 40%, 52%
Managing BYOD: 31%, 47%
Compliance: 51%, 28%
Enforcing password policy: 35%, 31%
Access management: 37%, 23%
Preventing breaches: 31%, 25%
Outages and remediation after a security incident: 11%, 11%
Controlling SaaS apps: 3%, 11%
Other: 4%, 2%
None: 0%, 4%
Don't know: 2%, 2%

Primary technology used for Internet security? Authentication.

• Authentication, password management and access management are the top technologies currently used to secure company access to the web and/or cloud across organizations using the cloud.

• IT pros at companies with 50-99 employees (80%) are taking stronger action than others around authentication.

Technologies Used to Secure Company Access to the Web and/or Cloud

Response options, in the order listed for each group: Authentication; Password management; Access management; Secure file sharing; Single sign-on tools; None

Total: 71%, 52%, 50%, 42%, 25%, 6%
Co Size 20-49: 64%, 51%, 47%, 47%, 21%, 8%
Co Size 50-99: 80%, 60%, 54%, 50%, 37%, 0%
Co Size 100-249: 65%, 50%, 43%, 35%, 19%, 10%
Co Size 250-499: 75%, 47%, 59%, 36%, 24%, 7%

Cloud Practices

Many employees use cloud services regardless of company usage or policy

• Among organizations with no plans to use cloud, the majority (80%) do not have a formal policy prohibiting cloud-based services.

• Just under half of the organizations with no cloud plans have employees/departments that use cloud-based services regardless of company policy.

• Unsanctioned employee use of cloud services is more of an issue in non-regulated industries as they are generally less concerned about security threats.

Incidence of a Formal Policy to Prohibit Cloud-based Services Usage (Asked of those with no plans to use cloud)

Response options: Yes, company policy prohibits cloud-based services; Yes, abide by industry standards/regulations that prohibit cloud-based services; No formal policy or regulations; Don't know

No formal policy or regulations: 80%
Yes Net: 15%

Incidence of Employees/Departments Using Cloud-based Services (Asked of those with no plans to use cloud)

Response options: Yes; No; Don't know

Yes: 43%
Regulated Industries = 37%
Non-Regulated Industries = 45%

SMBs deploy the cloud evenly as company-wide and point solutions

• Most participating organizations are nearly evenly split between deploying cloud-based services company-wide and as point solutions.

• Smaller organizations (<100 employees) have slightly higher rates (61%) of company-wide cloud deployments, while larger organizations (250-499 employees) have higher rates of point solutions (62%), likely due to greater variance in services needed.

How Organizations Currently Deploy or Plan to Deploy Cloud-based Services (Asked of those currently using or planning to use cloud. Multiple selections permitted.)

Response options, in the order listed for each group: Company-wide; Point solution (e.g., employee/department/site-specific); Don't know

Total: 56%, 47%, 9%
Co Size 20-49: 61%, 45%, 5%
Co Size 50-99: 62%, 42%, 8%
Co Size 100-249: 50%, 39%, 19%
Co Size 250-499: 51%, 62%, 4%

The top concern with cloud security? Employees exposing data.

• The top concern with cloud security is employees exposing data.

• IT pros at smaller organizations are more concerned with hackers getting in through servers than those at larger organizations, which aligns with their plans to strengthen server security. Further, IT pros at larger organizations are more concerned with hackers getting in using employee credentials and employees stealing data.

• Regulated organizations (e.g., healthcare, finance, government, etc.) are also more concerned with compliance than others.

Top Concerns with Cloud Security (Asked of those currently using or planning to use cloud. Up to 3 selections permitted)

Response options, in the order listed for each group: Employees unintentionally exposing data; Hackers getting in on the server side; Hackers getting in using employee credentials; Compliance; Employees stealing data; Government spying

Total: 75%, 49%, 48%, 34%, 23%, 10%
Co Size 20-49: 75%, 55%, 43%, 29%, 13%, 12%
Co Size 50-99: 74%, 53%, 45%, 44%, 23%, 12%
Co Size 100-249: 73%, 49%, 46%, 28%, 26%, 6%
Co Size 250-499: 78%, 38%, 57%, 35%, 30%, 8%

Compliance: Regulated Industries 56%, Non-Regulated Industries 25%

Security wins out over convenience

• Security is considered more important than convenience by 63% of the organizations surveyed.

• Security is particularly important for regulated organizations (e.g., healthcare, finance, government, etc.), particularly financial services.

Most Important Factor for Cloud-based Applications (Asked of those currently using or planning to use cloud)

Security*: 63%
Convenience*: 33%
Other: 4%

*Respondents were provided with the following definitions of “security” and “convenience”:

Security - making sure that access to cloud apps and vendor treatment of my information is secure.

Convenience - employees having quick, easy access to applications to get their jobs done.

Importance of Security: Regulated Industries 77%, Non-Regulated Industries 57%

Key Differences by Industry: Importance of Security

Financial Services: 80%
Public: 65%
Prof. Services: 62%
Manufacturing: 57%
Non-Profit: 59%
Other: 58%

IT pros believe employee cloud use makes their organization less secure

• Roughly half of IT pros report that employee use of cloud-based applications makes their company less secure as they may unknowingly expose data during the process.

Impact of Employees Using Cloud-based Applications (Asked of those currently using or planning to use the cloud)

Less secure: 53%
No impact: 27%
More secure: 10%
Don't know: 10%

Primary tools used to improve security for cloud-based apps: Education and processes

• Companies with 50-99 employees are taking a more proactive stance than other company sizes in educating employees and implementing processes to improve cloud security.

Tools Used to Improve Security for Cloud-based Applications (Asked of those currently using or planning to use cloud. Multiple selections permitted)

Response options, in the order listed for each group: Education; Processes; Technology; None of the above

Total: 76%, 66%, 52%, 8%
Co Size 20-49: 68%, 56%, 51%, 13%
Co Size 50-99: 86%, 82%, 59%, 4%
Co Size 100-249: 70%, 55%, 43%, 10%
Co Size 250-499: 81%, 69%, 57%, 4%

Budget Profiling

2015 IT budgets are trending less than $250K

• More than half of IT pros (60%) indicate their IT budget is less than $250K for 2015.

• Nearly half state they “don’t know of” budget specifically allocated for their organization’s cloud security in 2015, and 18% don’t have budget allocated. However, 13% plan to spend $1,000 or less, and 19% plan to spend more than $1,000 on cloud security.

• While many are also unclear on their budgets specifically for cloud services/projects in 2015, 21% report they will spend less than $5K on cloud-based services/projects, 16% will spend $5K-$15K, and 19% will spend more than $15K.

Total IT Budget Planned for 2015

Less than $50k: 26%
$50k to $100k: 20%
$100k-$250k: 14%
More than $250k: 12%
Don't know/Prefer not to say: 28%

Planned Spend on Cloud Security

Don’t know: 49%
More than $1,000: 19%
$501-$1,000: 7%
$101-$500: 5%
$1-$100: 2%
Nothing: 18%

Planned Spend on Cloud-based Services

Don't know: 39%
More than $25k: 11%
$15k-$25k: 8%
$5k-$15k: 16%
Less than $5k: 21%
Nothing: 5%

Respondent Profile

To get a full perspective of the SMB market's cybersecurity perceptions and practices, respondents were limited to those at companies with 20 to 500 employees with influence over IT security or cloud purchase decisions. An overview of key respondent demographics is below.

Company Size (# of employees)

20-49: 24%
50-99: 25%
100-249: 26%
250-499: 24%

Use of Cloud

Chart labels: Currently use; Plan to use net. Chart values: 80%, 20%.

Industries

Public: 22%
Manufacturing: 20%
Professional Svcs: 20%
Financial Services: 11%
Non-Profit: 10%
Other: 18%

Purchase Influence

Determine the need: 91%
Evaluate vendors/solutions: 95%
Make decisions: 75%
Approve funds: 16%

Title

VP IT / CIO: 4%
IT Director: 22%
IT Manager: 27%
Network / Sys. Admin.: 37%
Help Desk Tech.: 6%
Tech. Consultant: 1%
Other IT related: 3%

About

The simple and secure way businesses access the cloud.

For more information, visit www.cloudentr.com.