Small and mid-sized organizations face an average dwell time for confirmed, persistent malware of well over two years (798 days), far in excess of reported dwell times for large enterprises, according to a recent Infocyte report.
The average dwell time for ransomware attacks at SMBs is much shorter, at 43 days between infection and remediation, likely because the attacker notifies the victim. Twenty-two percent of small and mid-sized organizations' networks have been hit by a ransomware attack that bypassed their security controls.
"There is still a lot of work to be done to improve detection [and] response readiness of small and mid-market organizations to modern cyber threats," Infocyte CEO Curtis Hutcheson said in a statement.
"However, armed with the right detection and incident response program including tooling, staffing and empowerment, security teams can close gaps in their defenses, proactively identifying and responding to hidden threats and vulnerabilities before they cause damage," Hutcheson added.
A Wake-up Call
Seventy-two percent of SMB networks have low priority threats or riskware (such as adware, Web trackers, dangerous utilities and unwanted applications) in their environments, with the dwell time for riskware at SMBs averaging 869 days.
"Infocyte's findings should be a wake-up call for SMBs that are overly confident in their organization's cyber security posture," 451 Research senior analyst Aaron Sherrill said in a statement. "The reality is that many lack the resources, technology, expertise and visibility to protect their organizations, let alone their customers' and partners' data."
A separate Alert Logic report based on an analysis of 2.8 billion intrusion detection events and 8.2 million verified security incidents found that 75 percent of unpatched vulnerabilities in the SMB space are more than a year old, and more than 30 percent of SMB email servers operate on Exchange 2000, which has been unsupported for almost a decade.
Even more striking, the study found that fully two-thirds of SMB devices run versions of Microsoft operating systems that are either currently expired or will expire by January 2020; the majority of devices scanned were running Windows versions that were more than 10 years old.
"The continued lack of skilled cyber security professionals affects organizations of all sizes, and small and midsize businesses are at greater disadvantage because they can't scale like large organizations can," Alert Logic senior vice president of product strategy and engineering Onkar Birk said in a statement.
A recent SolarWinds survey of 307 technology professionals found that 49 percent of small business tech pros are somewhat to completely unconfident in their ability to manage their IT environments into the near future, compared to just 27 percent of enterprise tech pros.
Over the next three to five years, small business respondents said they plan to prioritize IT security protocol and processes as their number one career development goal, followed by technology innovation and management/leadership skills.
"Recent history has proven that there is a direct correlation between technology and business performance … businesses need to focus even more on developing these professionals charged with running and pioneering technologies," SolarWinds executive vice president Joe Kim said in a statement.