SMBs at Work 2024: How are SMBs implementing security? We have answers.
Small and midsize businesses (aka SMBs) are the young, scrappy, and hungry companies that drive business change, leading the way in embracing new technologies. We know that's true for engineering, automation, and AI. But what about security?
In our report, SMBs at Work 2024, we explore the dynamic digital landscape of SMBs today. Powered by anonymized data from over 18,000 companies about how they adopt thousands of applications in the Okta Integration Network, the report details how today’s growing companies are using applications and setting trends.
In our first blog about the report, we covered overarching trends. Today, we’ll dig into the data to answer two intricate questions: Are SMBs investing in security? And, if yes, how?
So, are SMBs investing in security?
TL;DR: Yes. Even the smallest companies, those with 50 or fewer employees, saw big numbers in unique user growth — 61% YoY growth compared to 18% among all businesses. This year, SMBs are strongly investing in keeping their businesses compliant and secure.
Of the fastest-growing tools this year, a full 50% are in the compliance and security space, including top-ranked compliance tools like Drata (91% YoY growth) and Vanta, returning Top 10 password manager Keeper (87% YoY growth), and network security solutions Tailscale (72% YoY growth) and Perimeter 81 (64% YoY growth).
Why are SMBs investing in security?
We believe SMBs are spending more on security for two key reasons. The most widely publicized is the emergence of more sophisticated cyberthreats enhanced or created with advanced generative AI technology, which lowers the bar — and costs — for targeting SMBs with sophisticated social engineering and phishing attacks.
With generative AI, even rookie criminals can access advanced attack methods and tools, from easy code generation to voice cloning. SMBs, often lacking the infrastructure, budget, or specialized cybersecurity staff of larger enterprises, can be perceived as easy targets by bad actors.
But overall, security is an ever-growing concern for any modern business, including SMBs who find themselves squarely in the crosshairs. As data breach costs — financial, reputational, and regulatory — continue rising, SMBs must deploy additional protection.
How are SMBs bulking up on security?
Our research indicates SMBs are investing in security in three key ways.
- Adding layers of security through diversification
- Adopting better multi-factor authentication (MFA)
- Retiring passwords
In each of these areas, SMBs are moving at a much faster pace than larger organizations.
Diversifying security
MFA is important, but it’s not enough. According to our data, SMBs are supporting MFA with diverse security investments. By adopting a holistic, multi-pronged security strategy (including defense-in-depth approaches like Zero Trust and BeyondCorp), SMBs are enhancing their overall cyber resilience and helping lower risk on multiple fronts.
Led by tools like Drata and Vanta, the security sector with the most investment growth is compliance automation, with 143% YoY growth among SMBs, compared to 63% growth across all business sizes. SMBs’ network security usage, including virtual private networks (VPNs) and firewall solutions, was high enough to affect the market average.
Looking at all companies, network security use grew 12% YoY by number of customers. But, broken down by company size, SMBs (14% growth YoY) and small businesses (25% growth YoY) are driving that growth. Among companies with more than 500 employees, the growth is only 9% YoY.
Overall, network safety continues to be the most popular security tool — a position it has held since 2020. VPNs hold particular value for SMBs embracing remote work arrangements — where secure, encrypted connections between workers and the company’s network remain a high priority. Firewalls bulk up defenses from malicious traffic and cyberthreats like malware, viruses, and those attempting to break into or compromise the network.
But it’s not just about tools: Education and security training solutions are the fastest-growing security category this year. This suggests that SMBs recognize the value of investing in their workforce and their infrastructure.
Adopting MFA (and moving away from low-assurance factors)
Use of MFA and higher-assurance factors is up by double digits YoY nearly everywhere. But when it comes to strong authentication factors, SMBs are agile trailblazers, pivoting from less secure to more secure factors at a faster rate than their larger counterparts.
Biometric factors lead the way with robust YoY growth in nonprofits (40% YoY growth), retail (36%), professional services (32%), and healthcare and pharmaceuticals (26%). This shift might be partially thanks to the expanding availability of built-in fingerprint scanning tech in devices. In any case, SMBs have been quick to take advantage of the improvement in factor assurance availability to enhance their authentication strength.
Going passwordless
If you’re reading this you already know, almost instinctively: Passwords are problematic. They’re a hassle, they’re expensive, and the only people who seem to like them are the ones using compromised credentials to break into your accounts.
Security keys and biometrics grew 158% by unique users this past year, with 25% YoY customer growth. Not all authenticators are created equal, and as industries shift toward more secure options, this means moving away from solely “something you know” to a combination of “something you know, have, and are.”
When we look at passwordless adoption by sector, we may see hints at the how and why of adoption rates.
Most passwordless authentications were in tech or finance
Technology companies lead the use of passwordless, followed by finance and banking. For tech, 32% of these authentications overall employed biometrics (still higher than the rate among tech users in organizations of all sizes, at 27%). Perhaps these high numbers are not surprising. Both sectors possess valuable and sensitive data, making them prime targets. They also tend to be heavily regulated, with stringent compliance rules requiring high-assurance authentication as part of their cybersecurity strategy.
Retail also boasts a high number of biometric authentications
Retail needs seamless and secure high-factor authentication to manage high volumes of cash, sensitive financial and personal information, and payments at point-of-sale (POS) systems. So it makes sense that the sector’s percentage of biometric authentications reaches 37%. Eliminating passwords and password resets is also an asset for businesses with high turnover rates and quick onboarding processes.
The sector with the greatest percentage of accounts using biometrics is nonprofit
Though they have fewer users overall, the rate of nonprofits going passwordless is admirably high, at 45%. Again, this may point to biometric authentication systems becoming increasingly affordable and available, making them a cost-effective security measure for SMBs that need to enhance protection without adding extensive ongoing expenses.
What we can learn from SMBs
By looking at trends from businesses agile enough to leverage changing markets and technologies, we gain potential insights into innovative practices that could become tomorrow’s standards. What can we take away from SMBs?
- They’re finding success by diversifying their security investments with a multi-pronged strategy following Zero Trust principles.
- They’re growing security across multiple domains including education, compliance, and network security.
- They’re ditching the passwords and knowledge-based factors for high-assurance (and passwordless) factors like biometrics.
Where to learn more
So, how do you stack up against the SMB security strategy? Read the full SMBs at Work 2024 report, available online now.
No matter where your security or Identity journey takes your business, knowledge is your strength. To save time and get up to speed on more SMB topics, visit our SMB Okta homepage.