SMBs’ Cloud Security Struggles Exposed

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Of the 4,984 IT professionals queried in a recent Sophos cloud security survey, 56% report a surge in attack volume and 53% say the negative effect of security incidents has been more severe in 2022 than 2021.

• Nearly two-thirds admit limited vantage point into their cloud assets and configurations was cited as a major contributor to their security woes.

The migration to the cloud has been especially challenging for small and mid-sized businesses that often lack the internal expertise necessary to make the transition successfully. Cloud security is one of the most vexing issues, with SMBs too often lacking the resources to consistently monitor what are often complex cloud environments. In a recent Sophos survey of 4,984 IT staffers in 31 countries, the security vendor has found a sharp increase in the volume, complexity, and negative impact of attacks in the last year. An alarming 67% report that their organizations have been subject to a ransomware demand.

Asset misconfigurations and unpatched vulnerabilities provide cybercriminals with an easy route into organizations. The lack of insight into these two areas are major contributors to SMB security headaches. Just 37% of the surveyed organizations check resource configurations on a consistent basis for potential issues. Only 47% scan their cloud environments for security flaws. The survey has found that the level of cloud expertise had little to do with how effective organizations are in consistently monitoring their cloud assets.

However, organizations with more lengthy cloud expertise report a decrease in the volume, complexity, and impact of attacks in the last year at twice the rate of novice SMBs. Thirty-eight percent (38%) of the more cloud-experienced SMBs say the effect of security incidents have declined in 2022 versus 2021. Just 19% of newer to the cloud organizations saw a decline in incident impact in 2022.

The scarcity of IT security resources is a common refrain among all organizations, but even more so within SMBs where lacking the specialization necessary to protect IaaS assets and workloads is an overwhelming challenge. Only one-third of SMBs have the means to identify and mitigate threats in their cloud environments. In the event of a cloud security incident, just 40% have the ability to respond at any hour of the day, seven days a week.

Unfortunately, it appears that knowledge of which organizations have gathered in securing conventional, on-premises environments is not being brought to the cloud. Fewer than half – 40% – have an incident prevention system (IPS) in place for their cloud environment. Only 44% are currently using a web application firewall to safeguard their IaaS applications and APIs. This is one area where SMBs with more cloud experience are ahead of the game. Forty-nine percent (49%) of organizations identified as having advanced cloud experience are using an IPS, and 53% have a web application firewall. This compares to 34% of novice cloud users having an IPS and 40% of organizations with less IaaS experience employing a web application firewall.

But even with experience, the gaps in SMB technology resources and best cloud security practices are jarring. Both lack of resources and a lengthy learning curve need to be quickly overcome, or the impact for many of these organizations could be devastating.

What do you think?

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.