10 things to know about the state of small business cybersecurity

We take a look at our top ten findings of how small and medium-sized businesses are managing their security, what threats they’re facing, and what can be done in the future to meet these challenges.

1. 76% of cybersecurity professionals believe small business cybersecurity isn’t up to snuff

In our recent survey, we found that 76% of small business cybersecurity professionals don’t feel that their security protections are adequate. A gap in security defenses can leave a business exposed to all sorts of cybersecurity threats. So if they know there’s a gap, why haven’t they fixed it?

2. Security teams are spread thin

The main reason: They’re being pulled in too many conflicting directions – with 57% of security professionals admitting to feeling this way. Small business employees are no stranger to wearing many hats. But having to manage multiple priorities means that sometimes security is put on the back-burner. More than two-thirds of security pros at small businesses (69%) admit that they’re at least partly reactive when it comes to security, meaning they’re not proactively working to protect against threats.

3. Top cybersecurity threat: Shadow IT

Sometimes it’s the threats you know about that can end up causing the most damage. Applications and devices employees use that haven’t been explicitly approved or secured by IT are called shadow IT. More than 35% of small business security pros acknowledge that internal threats, like shadow IT, are the biggest risk to their business. When IT doesn’t have visibility into what apps employees are using, it leaves a gap in knowledge about where company and client information is saved. If those applications get caught up in a data breach, the business is left blind to how exposed they are. With nearly half of small business employees (47%) using shadow IT, it’s not a risk that can be ignored.

4. Perpetual password failure

The risk of shadow IT accounts being protected by weak passwords is high – meaning those accounts could face an even bigger risk of falling victim to a data breach. 60% of small business employees have poor password practices, like reusing passwords or neglecting to reset the IT-selected defaults.

5. Employees are lax on overall security

It’s not just passwords employees are slacking on. More than half of surveyed employees (58%) admit to being lax about their company’s security policies. Reasons include a desire to get things done quickly and be productive (26%), the belief that security policies are inconvenient (11%), or that they’re too stringent and unreasonable (11%).

6. Device security isn’t guaranteed when 28% of employees never use their work devices

Employees are trying to get their work done as efficiently as possible, and sometimes that means working from personal devices. Whether that’s on the go using their personal mobile phone, or a personal laptop, we found that a quarter of surveyed employees (28%) admit to never working on their work provided devices, opting solely for personal or public computers. That’s a lot of unmanaged devices that security might not know about, let alone be securing, which could expose the company to cyberattacks.

7. Employees want convenience

While looking for security software, only one in 10 security pros we surveyed (10%) say that employee convenience is their top consideration. With two in five employees (41%) motivated by convenience, security professionals set on protecting their business would benefit from finding a solution that meets both the security needs of their business and also the usability needs of their user base.

8. AI is top of mind in small business cybersecurity

Generative AI has been top of the news cycle for awhile, and security teams are taking notice with more than 90% of surveyed security pros having security concerns about generative AI. Among their top worries: Employees falling for AI-enhanced phishing attempts (45%), entering sensitive company data into an AI tool (41%), or using AI systems trained with incorrect or malicious data (39%).

9. Single sign-on (SSO) is not enough

While many businesses adopted SSO to protect their information, more than two-thirds of small business security pros (73%) are now saying single sign-on (SSO) tools are not a complete solution for securing employees’ identity. While SSO helps protect businesses by limiting the number of entry points, it does not protect against shadow IT.

10. Complete security solutions are preferred

With so much to do, and not enough time, small business IT teams are looking for a one-stop-shop solution when it comes to security. Nearly one in three teams (30%) have switched security tools or vendors in the past year to ones that provide more complete end-to-end solutions. Reducing the number of security tools needed helps streamline workflows and make reporting more digestible and easier to act on.

Small business cybersecurity professionals are tasked with securing their business against known, and unknown threats. They’re often expected to do so with fewer resources than their enterprise counterparts while actually being a bigger target for criminals. Expected to keep employees secure who are focused on productivity over security, it can feel like an insurmountable challenge.

There are a multitude of solutions on the market, but finding one that not only works, but is also convenient enough to make employees want to use it, is the struggle.

1Password: More than a password manager

1Password not only encourages strong, unique passwords for every account so critical business data is secure, but it does so in a way that improves employee workflows.

With features like autofill and built-in multi-factor authentication, 1Password Enterprise Password Manager makes it easier than ever to help employees sign in and start working faster – no password resets required. It also encourages secure collaboration across teams and with contractors through secure sharing. And even if employees choose to use shadow IT, a password manager helps make sure that those accounts are secure behind a strong password. And reporting features like Watchtower and 1Password Insights, give IT teams visibility into how secure their teams really are – and advice on how to reduce identified risks.

But there’s still the Access-Trust Gap – the gap between the users, apps, and devices a business trusts to access sensitive data, and those that can actually access it in practice – to contend with. 1PasswordⓇ Extended Access Management gives businesses more control over identities, applications, and devices – so their team can securely use the tools they need without exposing sensitive information.

To learn more about securing your team with 1Password, you can check out our 1Password Business demo.

Stacey Harris

Content Marketing Manager