Risky Business: The Cybersecurity Poverty Trap
By Nils Puhlmann
It goes without saying that cybersecurity is a strategic priority for business leaders. Cyber threats are a persistent business risk that mature enterprises seek to address at all levels of operations.
This increased focus is not theoretical but is tangibly evident in the growing budgets for cybersecurity expertise and products. Worldwide revenue for security products totaled $106.8 billion in 2023, and double-digit growth is expected to continue, with total revenue reaching $200 billion in 2028.
While the unending onslaught of attacks and breaches leads one to wonder whether all of this effort is making an impact, there are positive indications that cybersecurity programs are growing more mature, professional and innovative within large enterprises.
Cybersecurity planning has moved from the server room to the boardroom. Corporate governance structures are evolving to better address cyber risks. Innovation in processes and models, such as increased adoption of zero-trust principles, demonstrates a growing understanding of the holistic nature of cyber defense. New technology innovations—notably in artificial intelligence (AI) and machine learning—are increasing capabilities and speed in threat intelligence and attack detection and response.
However, as large enterprises make progress in the race to stay ahead of attackers, we are in danger of leaving smaller businesses behind—and, in doing so, creating new vulnerabilities across the economic landscape.
Why Small-Business Vulnerabilities Are Everyone’s Vulnerabilities
The digital infrastructure that powers business and the products and services corporations and consumers rely upon is interconnected. A breach in a small-business system can have a cascading impact or provide a pathway for attackers to access more critical systems in what is commonly referred to as a third-party or supply chain attack.
Furthermore, many small businesses provide products or services that support even the most critical infrastructure sectors such as energy, healthcare, finance and transportation. Successful cyberattacks on these small businesses can disrupt or compromise vital supply chains, introducing vulnerabilities across the technology infrastructure. This makes small businesses a prime target for cybercriminals.
Small businesses also play an essential role in economic growth and innovation, employing nearly half of the American workforce and representing 43.5% of the U.S. GDP. But, while their smaller size does not shield them from cyber threats, it does make it harder for them to recover from successful attacks. Significant or public incidents that erode trust can be especially difficult for earlier-stage companies to overcome.
The Cybersecurity Poverty Trap
Small-business leaders understand all of this. However, understanding cybersecurity risk and being able to effectively manage it are two very different things. A recent Sapio Research survey on small-business cybersecurity readiness, sponsored by Endari, perfectly illustrates this disconnect:
1. Nine in 10 technology startups (90%) say cybersecurity is a top priority for their business—yet only 2% plan to develop a comprehensive cybersecurity strategy and road map, and less than 1% plan to hire a dedicated cybersecurity team member.
2. Sixty-three percent of startups say they feel comfortable with the amount of risk they are exposed to around cybersecurity—but more than half (54%) have experienced at least one cybersecurity incident or breach.
To understand these apparent contradictions, it is important to acknowledge the existence of the cybersecurity poverty trap impacting small businesses. The increasing complexity of cybersecurity and the operational realities of early-stage companies have created a vicious cycle where small businesses find themselves continually falling behind the demands of today’s threat environment despite good intentions and outsized risks.
They struggle with a lack of awareness and knowledge about cybersecurity, limited resources, competing priorities and the challenge of navigating a crowded cybersecurity marketplace.
As cybersecurity innovation continues to accelerate, small businesses risk falling even further behind.
Breaking The Cycle
While seeking out a mix of products that promise to close the gap is tempting, more technology does not necessarily equal more protection. A product-centric approach to cybersecurity often leads to a complex patchwork security program that leaves companies vulnerable and overconfident.
Similarly, the high upfront costs of many consulting and strategic planning services—typical of the large enterprise approach—are impractical for small businesses given their limited resources and rapidly changing, growth-oriented operational environment.
Even though companies with fewer than 500 employees account for 99% of all firms in the U.S., most cybersecurity consulting frameworks and maturity models were seemingly built for large enterprises. However, the approaches that work for large, well-resourced corporations cannot be simply repackaged and remarketed to small businesses.
Startups require a different approach to planning that puts them on the path to cybersecurity maturity through a scalable, resource-aware program that balances tactical execution with strategic support. The goal should be to build cybersecurity into the company’s DNA from the start and then nurture that culture with an agile cybersecurity program that grows alongside the business.
Small businesses also need more support from the cybersecurity community. As supply chain challenges and third-party attacks continue to plague our cybersecurity defenses, the industry needs an increased focus on better meeting the cybersecurity needs of small businesses.
While it is exciting to see all the recent advancements in cybersecurity, to stay ahead of attackers, we must keep small businesses in the race to defend the digital infrastructure.
https://www.forbes.com/councils/forbestechcouncil/2025/03/17/risky-business-the-cybersecurity-poverty-trap/