How the Channel Can Help to Solve SMEs' Security Woes

Small and midsize enterprises (SMEs) have a problem with security. Some small business owners believe their organisation is too insignificant to be a target for cybercriminals. Then there are those who might be more inclined to see cyber as a threat to their business, but who aren't prepared to do more than the bare minimum to protect it. Both are unwittingly contributing to a security crisis among the UK's SMEs.

The good news for them, and the channel, is that managed security services (MSS) offer an increasingly popular alternative to traditional in-house security. By outsourcing the heavy lifting, SMEs can enhance cyber-resilience without breaking the bank. And for channel businesses, it offers a profitable pathway to becoming a successful managed service security provider (MSSP).

SMEs Under Fire

There might once have been a time when smaller businesses were ignored by cybercriminals in favour of large enterprises that could generate a bigger payout. But today, that's certainly not the case. According to an October 2023 report from Sage, nearly half (48%) of global SMEs experienced at least one "cyber-incident" in the previous year. And a quarter suffered multiple incidents over the period. Separate research (PDF) from UK ISP Beaming finds that two-fifths (39%) of UK firms with 2-250 employees fell victim to cybercrime in 2019, rising to 61% last year. Small businesses (11-50 employees) experienced the steepest rise in victims (42%) and costs (396%) between 2019 and 2023.

In fact, there's little to choose between small and large businesses today in terms of threat frequency, attack patterns, actor motives and the kind of data at risk, according to Verizon. "This phenomenon began several years ago, and by now there is so little difference based on organizational size that we were hard-pressed to make any distinctions whatsoever," the vendor says in its most recent Data Breach Investigations Report (registration required).

Digital Transformation Means Digital Risk

Another similarity between large enterprises and SMEs noticed by Verizon is that both are increasingly spending on digital transformation to drive the same efficiencies and competitive advantage. "Both SMBs and large companies are using similar services and infrastructure, and that means that their attack surfaces share more in common than ever before. This has led to a convergence of attack profiles regardless of the size of the organisation," the Verizon report notes.

The challenge with this expanding attack surface is that SMEs usually have fewer resources and expertise to manage related risk. Any security strategy needs to cover endpoints, networks, email inboxes, hybrid cloud environments, identity, operational technology and beyond. It needs to include traditional protective security controls such as anti-malware and intrusion detection systems (IDS) as well as detection and response capabilities, which help organisations to rapidly respond to and contain breaches before they spread.

For SMEs, the stakes couldn't be higher. Unlike larger counterparts with deeper pockets, small businesses can find themselves in serious trouble following a breach. A prolonged period of service disruption — combined with the cost of hiring third-party experts to help with incident response, and the potential legal and regulatory fall out — can be enough to tip some into bankruptcy. Those compliance pressures will only increase in Europe as the mandatory cybersecurity directive, NIS 2, subjects more SMEs to stricter security rules — with potentially major fines for those who displease regulators.

The Channel Opportunity

All of which is why SMEs are increasingly prepared to spend to build cyber-resilience and mitigate the risk of a serious breach. According to one estimate, the worldwide market for SME cybersecurity will grow to $90 billion by 2025, with managed security services (MSS) making up one-third of this spend. Another, the market intelligence company Context's ChannelWatch Survey, reveals that 45% of over 4,300 European resellers say their main area of investment in the next 12 months will be cybersecurity services.

This is clearly good news for channel businesses, which can help customers to navigate a tricky and crowded vendor market where marketing hyperbole can make life tough for time-poor IT leaders. In doing so, they should look for solution providers capable of delivering comprehensive capabilities to manage risk across the attack surface, from a single platform. Point solutions add cost and complexity and increase the management burden on IT teams — the last thing SMEs need. If they don't integrate properly, they can also create visibility gaps, which might increase the chances of a serious breach.

Channel players can also go one stage further — by meeting a growing need for managed security services (MSS). Managed detection and response (MDR) is a good example. According to Context, MDR sales grew 350% year-on-year in 2023, and another 30% annually in Q1 2024. With the right vendor, MSSPs can build their service on top of an existing platform or use a co-managed solution which makes use of the vendor's own specialist security analysts. A multitenancy solution will enable the MSSP to support multiple clients with ease.

Time to Grow

Cybersecurity is nonnegotiable for today's SMEs, but with a continuing global skills shortage, the best way many have of building cyber-resilience is by outsourcing much of the burden to third-party experts. That creates a clear pathway to growth for MSSPs. A vendor with a proven track-record of delivering industry-leading technology should be a given. But other important questions to ask are how quickly can you get to market? What kind of margins and upfront investment are likely? And how much support will the vendor provide to streamline onboarding and procurement?

For those that ask the right questions, and get the right answers, there's a tremendous business opportunity. It's time to get started.