Datto Report Shows Lack of Security Awareness Training Among SMBs

A new Datto ransomware report shows many SMBs aren’t conducting security awareness training. At the same time, they are blaming their cybersecurity issues on lack of training.

For its 2022 state of ransomware report, Datto surveyed nearly 3,000 IT professionals in SMBs across eight countries. That includes the United States, Canada, the United Kingdom, Germany, the Netherlands, Australia, New Zealand and Singapore.

The report shows SMBs are aware of increasing cyber threats, and allocating resources and investing in areas such as network and cloud security.

Datto Report Points Out a ‘Huge’ Issue

Chris McKie is Datto‘s vice president of product marketing for security and networking solutions.

Datto’s Chris McKie

“The report details a lot of great findings and data points, such as how SMBs plan to spend more on cybersecurity, or the related concerns about being hit with a ransomware attack,” he said. “But what stood out came from two unrelated questions. When asked what security solutions are implemented, only 43% of respondents conduct security awareness training. Then later, small businesses were asked about their security woes and where they had cybersecurity issues. Here, around 43% of SMBs blame their security issues on lack of training.”

This points out a “huge issue” that many take for granted — security awareness training, McKie said.

“Forget about firewalls or deploying the latest in antivirus (AV),” he said. “SMBs are looking for help with security awareness training. This is a huge opportunity for MSPs, and one that frankly many overlook.”

Other Key Takeaways

Other key takeaways from the latest Datto report include:

• About one-fifth of IT budget is dedicated to security. And many are seeing increases in budgets. Forty-seven percent of SMBs plan to invest in network security in the next year.
• More than one-half of SMBs have implemented AV and email/spam protection, with network and cloud security as the top areas planned for investment in the next year.
• Thirty-seven percent of respondents run IT security vulnerability assessments three or more times a year. And 62% run them at least twice a year.
• Sixty-nine percent of SMBs currently have cyber insurance. And 34% of those without cyber insurance are highly likely to get it in the next year.
• Forty-two percent of SMBs with cyber insurance think it’s extremely likely that a ransomware attack will happen in the next year. Only 16% of SMBs without cyber insurance think the same.

Good News and Encouraging Findings

“The good news is that SMBs are looking to spend more on cybersecurity in 2023,” McKie said. “In fact, 42% stated that they plan to increase their IT budget. Adding to this, the data supports that the cybersecurity talent shortage continues to drive SMBs to outsource and engage with MSPs and MSSPs to help manage security. Specific to security solutions, security awareness training and phishing simulation stand to be a great opportunity as many SMBs have yet to deploy it. Related to this is the fact that phishing is the No. 1 threat vector. And SMBs are looking to invest in email security (29% say so). This makes email and phishing security a natural winner for MSPs.”

There are some encouraging findings, McKie said.

“First, SMBs see the value in cybersecurity, and many report conducting vulnerability assessments, with at least 25% conducting them twice per year or more,” he said. “Related, and this is very encouraging, is the fact that most businesses have recovery plans in place. This demonstrates a significant mindset shift, and acceptance that despite all the protective measures put in place, timely recovery from a breach is critical.”

Organizations with cyber insurance are more actively engaged in their cybersecurity. They have more IT support, more cybersecurity frameworks (CSFs), and more security solutions. They’re also more likely to have experienced a cybersecurity incident in the past.