5 Ways Pitching Cybersecurity Solutions to SMBs is Different From Pitching to Large Enterprises

There are about 32 million SMBs in the US. These present a large pool of potential clients for cybersecurity solutions. Global cybersecurity spend for these companies is estimated to be over $40 billion. This spending will increase as smaller businesses begin to recognize the need for security. The pandemic saw a rise of 600% in cybercrimes with 61% of all SMBs experiencing a breach in 2021. The more SMBs get attacked, the more they are going to seek out security solutions.

Many companies won’t invest in solutions until they see cyberattacks for themselves. For example, 60% of companies are most likely to seek cyber insurance after they experience a cyberattack or hear about a company experiencing a cyberattack. SMBs do not have the same time or resources as CISOs at large enterprises to understand and seek out solutions. These constraints can make pitching to SMBs difficult, so sales strategies should change when pitching these companies. In this article, we will look at the ways pitching solutions to SMBs differs from pitching to enterprises and the ways in which vendors can adjust to these differences.

#1 SMB cybersecurity owners will not have as defined of a strategy as enterprise CISOs

CISOs will have a defined security strategy or will be in the process of defining a strategy. This makes them likely to know exactly what kinds of solutions they need. While there are ways to successfully pitch to a CISO, they often will be the ones who seek out vendors. 

Darren Desmond, CISO at The AA, says “Right-click and block most of the cold callers. It’s quite frustrating that the sales people think a CISO wouldn’t know their market sector, be capable of doing their own research, or already have a trusted network on which to fall back on.”

IT teams at SMBs will likely have a less defined security strategy. Even if they do have one, they often will not have the time to go searching for vendors or to do in-depth analyses on them. This can be a good thing for vendors, as it means that your outreach can have more of an impact on SMBs.

When pitching to SMBs, it can help to know what they may consider when creating their tech stack. First and foremost, these companies will be looking for solutions that require few resources in terms of the cost, time, and expertise needed to integrate them. While outreach to SMBs may not seem as good a use of time as outreach to enterprises, SMBs are more likely to need vendors to come to them than enterprises are.

#2 SMBs may not understand the severity of cyber threats

While doing outreach to potential clients you may come across SMBs that don’t think they need security solutions at all. SMBs may think they don’t have anything of value to hackers. They inaccurately assume that enterprises receive the vast majority of cyberattacks.

A 2021 survey from CNBC and Momentive shows that 56% of small businesses are not concerned with being a victim of a hack in the next year. Even though many are not concerned, the numbers show that 43% of all attacks target SMBs. The majority of ransomware attacks target SMBs. These companies are more likely to pay ransoms due to not having adequate backups. SMBs also often have PII of customers. Even if they do not have customer PII, they do have employee credentials that hackers can use or sell on the dark web.

SMBs also may not be up to date on cyberattack trends. The cyber landscape looks much different now than it did just a few years ago. In the past, companies could be relatively safe with minimal security tools. Cybersecurity could be far in the back of the mind of these companies as they were exposed to much less risk.

The times have, indeed, changed. 60% of SMBs that are victims of a cyberattack go out of business within 6 months. Remote work has increased attack surfaces drastically. The rate of almost every kind of cyberattack has risen. Cyberattacks increased by 600% during the pandemic. Even as the pandemic winds down cyberattacks show no sign of stopping. Between 2020 and 2021 encrypted threats grew by 167%, ransomware by 105%, cryptojacking by 19%, intrusion attempts by 11%, and IoT malware by 6%.

Sourced from Security Boulevard

Both the impact and frequency of attacks have risen. SMBs who were founded years ago, or who don’t have IT members who are up to date on security threats, may not have any idea of the severity of the threat that exists. It might be necessary to first provide education to these businesses for them to be interested in your solution. More details on how to achieve this and why it can help sales can be found in our recent article on vendor education.

#3 SMBs are more likely to be reactive than proactive

Many business behaviors demonstrated by top-performing CISOs are proactive measures they take to improve security before an attack occurs. Not all CISOs take as many proactive measures as others and certainly not all heads of IT do.

In an interview PeerWise had with Rick Mischka, Senior Manager in cybersecurity business development and strategy at BluVector, Rick discussed the tendency for security to be reactive. “I think today’s cybersecurity is very reactive. It’s all about ‘I know I’m going to be breached. So when I’m breached, what do I need to do?’ And I think you should have that mentality at a time. But if you’re proactive about what you’re doing, what you’re learning about, what questions you’re asking, then you truly have cyber resilience. And with cyber resilience, it doesn’t matter if you get breached because you have both the proactive and the reactive sides covered.”

Proactive measures are often the most secure route to take to minimize vulnerabilities. It is still good to try to educate SMBs on why they need security and how to create an incident response plan. But in practice, IT departments, and those who assign their budgets, may not be swayed by vendors until after they have suffered their first breach. As discussed, this is demonstrated by the fact that 60% of companies are most likely to seek insurance after they experience a cyberattack or hear about another company experiencing a cyberattack.

A study by the Ponemon Institute offers insight into IT security’s tendency to be reactive. 69 percent of the respondents say their organization’s security approach is reactive and incident-driven. 63 percent of respondents say their IT security leadership needs better monitoring tools to improve their ability to communicate the effectiveness of security infrastructure and potential gaps to the C-suite and board. 56 percent of respondents say their IT security infrastructure has gaps in coverage that allow attackers to penetrate its defenses.

For vendors, this unfortunately means SMBs are currently less likely to seek detection and prevention tools as compared to larger businesses. That is, at least until after they have already been hit with a cyberattack. Vendors of proactive solutions may need to adjust their sales strategies when pitching to SMBs.

It may be necessary to provide more education on your tools – even your market or key issue – to pitch your solution. These educational resources also allow IT leaders to have factual sources to show executives to justify the need for your solution. It also may be a good idea to introduce yourself to the head of IT while knowing when to cut your losses. Not everyone will be a willing buyer at the moment of the sales pitch. But as attacks rise and more and more SMBs become affected, it is likely they will begin to start taking a more proactive approach as larger businesses have.

#4 Many SMBs outsource to MSPs and MSSPs

A difficulty in pitching to SMBs stems from the fact that many don’t have in-house teams, relying instead on MS(S)Ps. A big advantage of these services for SMBs is that they provide a one-stop shop that saves them from having to spend on the staff and resources needed to manage their own security. Understanding how the market maturity of SMBs affects their likelihood of using MSPs can help vendors gauge whether an SMB will be in the market for security solutions at all.

Different maturity segments will have different security needs. These segments can be broken down into three categories – limited maturity, semi-mature, and high maturity. McKinsey defines these segments as follows:

  • Limited maturity segments can be defined as having no in-house IT resources and often are very small businesses having fewer than ten full-time employees (though some have up to 100).
  • Semi-mature businesses have minimal in-house IT staff.
  • High maturity businesses are in more tech-reliant industries (finance, retail, telecom, etc.) and have a dedicated IT team. These companies most often have between 10-500 full-time employees.

Information sourced from McKinsey

McKinsey found only 20-30% of limited maturity companies utilize MSPs. This may seem surprising, but where MSPs are not utilized these companies often either use free consumer cybersecurity tools or have no security measures implemented at all. About 50% of semi-mature businesses use MSPs. About 30-40% of these MSPs then outsource security to an MSSP. Another 30-40% of semi-mature companies use a value-added reseller (VAR). That leaves only 10-20% of these companies buying direct from vendors. High maturity companies buy directly from vendors more often, at about 20-30%.

Vendors pitching directly to SMBs will therefore most often be successful when reaching out to high maturity companies. The good news here is that more companies are moving into the high maturity segment. 2 years ago, 16% of small businesses were in the advanced IT segment. That number is now 24%. Vendors selling simple and inexpensive endpoint solutions may find success selling to limited maturity businesses and some semi-mature businesses.

The reliance of market segments on MSPs and MSSPs suggests a desire for solutions that fill multiple security needs. This allows companies to reduce the complexity and resources necessary to integrate solutions. When possible, partnering with MSPs and MSSPs allows a vendor’s tools to reach the majority of the SMB market that is not buying solutions directly from vendors.

#5 Due to limited time to do vendor research SMBs are more likely to rely on articles to hear about vendors

A CISO’s sole job is security and part of that job involves keeping up to date on trends. While the position holds many responsibilities that require attention, top-performing CISOs are found to keep up to date with new technology more so than bottom-performing CISOs. Allan Alford, CISO at TrustMAPP, ran an experiment where he set aside two hours a week to talk with vendors. While this is more time than most CISOs will schedule for vendor meetings, many CISOs make some time in their schedule to find out about new tech.

IT leaders have many responsibilities, but, unlike CISOs, security is not their only role. That means many IT leaders have little time for researching vendors. A study by Untangle found that 36% of respondents state the main barrier when it comes to IT security is limited time to research and understand new threats.

Due to limited time for researching vendors, media becomes more influential to these SMBs. Magazines, newsletters, and media sites are often the only source of new information IT leaders are getting regarding security trends. Since they are exposed to fewer tools, each one they see has a larger impact.

In an interview PeerWise had with Yoran Brondsema, cofounder of Curvo and cofounder and CTO of Sutori, he discusses where he learns about security in his busy schedule. “I probably visit the Hacker News at least once a day. There’s stuff there that’s more like the higher level, bigger impact things. And the news generally doesn’t concern me directly, because they’re like ‘CloudFlare is being attacked.’ And well, what am I gonna do? Nothing. It’s not directly relevant to me. But then I subscribed to a couple of newsletters…So a weekly Ruby newsletter and JavaScript newsletter and React Native as well. It’s basically newsletters based around technologies that I use. Then if something’s big enough in terms of security, it will show up there. At least that’s what I trust. And so far that has been the case.”

PeerWise is here to build connections

PeerWise is building a community filled with IT leaders as well as cybersecurity vendors. Our site acts as a hub where connections can be built and cybersecurity solutions can be explored – including breaking down vendor tools. Our aim is to make it quick and easy for SMBs to learn what tools are out there. If top-performing CISOs can do it, we want SMBs to be able to as well even with their limited time. By joining, you can become a part of this community and interact with leaders as we provide education on the most up-to-date trends and technologies.
