The security industry has sometimes underestimated small and medium-sized businesses (SMBs). Several myths haunt SMBs, leading to the misconception that they don’t take security as seriously as larger organizations. But data collected from almost 500 SMBs (defined here as organizations with 250-499 employees) in a recent survey tells a different story.

In a recent Cisco Chat Live streamcast, Cisco Product Marketing Manager Hazel Burton sits down with Advisory CISO Wolf Goerlich and Elevate Security co-founder Masha Sedova to discuss these findings and debunk some SMB security myths.

One of the largest myths surrounding SMBs is that their leadership doesn’t take security and data privacy seriously. Our data shows this is not the case.

In fact, 87% of SMB leaders consider security a high priority. Likewise, 84% of SMBs have mandatory security training programs for employees, and 90% of SMBs have a data privacy program that the business is familiar with. For comparison, 88% of respondents from larger organizations (500+ employees) have a mandatory security training program, showing SMBs are just as serious about security as their larger counterparts.

So what does this mean for SMB leadership? Well, it shows that security is a prevalent boardroom topic. SMBs are taking a top-down approach, using the power of executive buy-in to align their business against the growing threat of cyber-attack.

That’s the good news. But increased awareness may not always reflect effective action.

As Masha Sedova points out, the prevalence of mandatory training programs, in some cases, might only reflect a desire to meet compliance mandates. Ultimately, it’s about building a strong culture of cybersecurity across the business, so that employees really do become SMBs’ first line of defense. Unengaging training programs that discourage employees from caring about security actually do more harm than good. While it’s encouraging to see organizations have security conversations with employees and at the C-level, this is only a first step.

To make action possible, security needs to be reframed. Wolf Goerlich advises that security leaders should engage more directly with business outcomes. For non-security-oriented departments, security can be seen as an inconvenient add-on. Communicating the relevance of security to the needs of specific departments will help get everyone on the same page as to why security matters. Alignment will also ensure that executive leadership continues to prioritize effective security practices, benefitting organizations and the people they serve.

Note: this blog is part of a five-part series. Subsequent blogs will follow.

To watch the full streamcast, please visit Cisco Chat Live SMB Myth Busting

If you are interested in unpacking more myths surrounding SMB security, consider reading “Big Security in a Small Business World.”

To hear more from Wolf Goerlich on this topic, please visit Big Security in a Small Business World: 10 myth busters for SMB cybersecurity


Simone Rittenhouse

Security Product Marketing Intern

Security Marketing