ESET Releases New SMB Research, Finds Cybersecurity Investments Not Keeping Pace with Threat Landscape

Next story

SMBs in the US are more likely to experience a security breach/incident than those in Canada

ESET, a global leader in cybersecurity, today released its 2022 SMB Digital Security Sentiment Report, which surveyed over 1,200 cybersecurity decision makers from small- to medium-sized businesses in Europe and North America. According to the new data, 74% of SMBs in North America and Europe believe that they are more vulnerable to cyberattacks than enterprises. And while these decision makers are concerned about the possible implications of an attack – most notably loss of data, financial impacts and loss of customer confidence and trust – 70% of businesses surveyed admitted that their investment in cybersecurity has not kept pace with recent changes to their operational models (i.e., hybrid working).  

Closer to home, the top three challenges identified by SMBs in North American were:

  • An inability to keep up with the latest cybersecurity threats (54%)
  • Keeping up with the latest cybersecurity approaches and technologies (50%)
  • Budget limitations/lack of investment in cybersecurity (49%)

Given these challenges, it’s no surprise that over half (51%) of the respondents in North America describe themselves as being not at all confident/slightly confident in their cybersecurity resilience over the upcoming 12 months. The top factors impacting the risk of a cyberattack in the next 12 months, in their perspective, were a lack of employee cybersecurity awareness, continued hybrid or home working, and migrating services to the cloud.  

"Earlier this month, it was reported that financial institutions witnessed over $1 billion in potential ransomware-related payments in 2021 — more than double the amount from 2020 and the most ever reported – and yet our research shows that SMBs are not investing enough in cybersecurity solutions, services or employee awareness,” said Ryan Grant, vice president of sales for ESET North America. “Many are not following basic cybersecurity best practices, such as using multifactor authentication, updating software regularly and conducting regular cybersecurity audits. This is why ESET continues to invest in, and make available, foundational cybersecurity awareness resources, the latest threat data and intelligence and a comprehensive suite of security solutions to protect companies.”

While SMBs in the United States and Canada face similar concerns and investment challenges, the cybersecurity landscape has its differences. For instance, 74% of U.S. respondents vs. 56% of Canadian respondents say they have experienced or acted on strong indications of a data security incident or breach in the last 12 months. And 43% of U.S. respondents noted they had more than one incident in the same time period vs. 28% of Canadian respondents.

“What the data suggests is that Canadian businesses are experiencing fewer data breaches, which could be due to good privacy legislation that includes the requirement for cybersecurity,” said Tony Anscombe, Chief Security Evangelist for ESET. “The data provides a clear indication of a disconnect between the cyber threat faced by SMBs and the investment they are making in cybersecurity. With current efforts by enterprises, critical infrastructure and governments to improve their cybersecurity, cybercriminals are likely to shift their efforts to lower-tier targets in order to monetize their activities - making it essential for SMBs to improve their cybersecurity posture.”

Here are some other top highlights from the 2022 SMB Digital Security Sentiment Report:

SMBs are not taking proper steps to protect against RDP security concerns:
Even though 75% of North American respondents view Remote Desktop Protocol (RDP) as a top factor impacting the risk of cyberattacks in the next 12 months, 77% say they will continue to use it despite the security risks. And not enough of these businesses are taking basic security steps to harden the use of remote access tools. Almost 50% (49%) of respondents are not protecting logins with multifactor authentication (MFA) and only 52% keep remote access tools up to date.

Outsourcing vs insourcing:
SMBs in the United States differ in their preferred cybersecurity approach to those in Canada. 42% of U.S. SMBs keep their cybersecurity management inhouse compared to 25% of Canadian SMBs who prefer to outsource to a single cybersecurity provider (35%).

“The differences in legislation, regulation and privacy requirements across countries and continents may serve as motivating factors for Canadian SMBs to outsource, as there is more pressure – and fear of penalty – to get it right,” said Anscombe.

Are companies conducting enough audits?
Under 50% (49%) of companies surveyed in the United States have conducted a cybersecurity risk audit in the last 12 months vs. 60% of Canadian SMBs. Surprisingly, 7% of U.S. and 18% of Canada respondents admitted that they have never conducted an audit. Of those who had conducted an audit in the last two years, 53% used an external IT security company or MSP, 34% conducted the audit themselves and 13% used a combination of the two.

SMB adoption of EDR, XDR and MDR:
27% of SMBs in North America say that they currently use EDR, XDR or MDR solutions. For those not deploying these advanced solutions in North America:

  • 25% say its because they don’t know enough about EDR, XDR or MDR to consider using them
  • 31% plan to use in the next twelve months
  • 13% would consider using in the next two years and the remaining 4% are not considering these solutions yet

How SMBs select a cybersecurity vendor:
In North America, 41% of small businesses are looking for practical steps about how to improve security rather than hearing vendors fear-based tactics. 37% of respondents look for companies that understand small businesses. 35% look for vendors who offer a unified single view across multiple tools and attack vectors. Customer service also matters, with 30% ranking this factor as important.

Conducted by Insight Avenue, the 2022 SMB Digital Security Sentiment Report took place in the United States, Canada, United Kingdom, France, Germany, Spain, Italy, Poland, Sweden, Czech Republic, Netherlands, Denmark, Norway and Finland – focusing on businesses with 25 to 500 employees. Of the 1200+ respondents, 300 were based in North America.

A global overview report, which combines data on the threat landscape, is available here

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit or follow us on LinkedInFacebook, and Twitter.