10 New Cybersecurity Trends at Small Businesses
The state of security among small and growing organizations.
In the last two years, hybrid workplaces have emerged as “the future of work.” In this new model, employees have more flexibility about the way they work, while employers can boost business resilience. But this work evolution also changes how organizations approach cybersecurity—they can no longer afford to push security to the sidelines or keep it disconnected from their business goals.
We wanted to understand how the future of work impacts the way small and medium-sized organizations in the private and public sectors view cybersecurity and password management. To learn about cybersecurity trends, we conducted separate surveys of workers and IT decision-makers, along with supplemental interviews with a select group of IT leaders. Here’s what we learned.
Finding #1: Awareness increased for organizations, but only some took action
Antennas are up for most organizations. Among all our survey participants, 83% noticed an increased level of security awareness and importance at their organization. This means small and medium-sized organizations realize the stakes are high in the digital era.
This increased awareness translated into action, but only for a small group of organizations. Overall:
- 38% increased usage of their existing password manager
- 36% adopted new security policies
- 37% increased cybersecurity training
- 23% said their organizations started using a password manager
Finding #2: Leaders and employees view their organization’s cybersecurity posture differently
Throughout our two separate surveys, we noticed that leaders’ perceptions differ from employees’ perceptions in many areas. For example:
- 98% of leaders and 88% of employees feel their organization pays attention to security more after recent large-scale data breaches
- 97% of leaders and 75% of employees reported an increase in the levels of security awareness and importance at their organization
- 65% of leaders and 25% of employees reported increased usage in their existing password manager
- 31% of leaders and 43% of employees said their organizations adopted new security policies
- 23% of leaders and 40% of employees noted increased cybersecurity training
- 32% of leaders and 20% of employees said their organizations started using a password manager
These differences are not unexpected because individual roles influence people’s view of their organization’s inner workings. And since leaders drive many of the security initiatives, they see the changes in awareness and security practices through a different lens than most employees.
Finding #3: Larger organizations are more enthused about cybersecurity
Our survey found many differences between larger and smaller organizations. Those with more than 300 employees were more likely to note heightened cybersecurity awareness, changes in security practices, and even higher passion for cybersecurity among employees.
- The increase in employee awareness grew with the organization’s size: 82% at companies with 401-500 employees and 72% at companies with 51-100 employees
- The smallest organizations (51-100 employees) were the least likely to adopt new security policies or increase cybersecurity training as a result of increased remote work
- Within organizations with more than 300 workers, employees and leaders were more likely to characterize their co-workers as passionate about cybersecurity
Some of these differences may be attributed to the smaller proportion of remote workers at the smallest organizations. However, the more significant reasons are likely the lack of cybersecurity resources and the illusion that cybercriminals don’t target smaller companies. Yet the past few years have demonstrated that size doesn’t matter to cybercriminals—smaller companies are just as much at risk of cyberattacks, if not more.
Finding #4: Using a password manager is the #1 change organizations implemented to strengthen security
Increased password manager usage was the top change that organizations made as a result of remote work, with 38% of employees and leaders identifying this shift. Increased cybersecurity training and new policy adoption weren’t far behind (37% and 36%, respectively).
This indicates that organizations understand that people and policies are equally important to maintaining a strong security posture. Changing behaviors and improving the security culture also requires human-centric security, and these findings show that many organizations are well on their way to adopting this mindset. We also found that:
Finding #5: Employees now want a password manager—and leaders agree
While the employees and the leaders in our two surveys have varying sentiments about different areas of cybersecurity, they’re on the same page when it comes to the need for a password management solution. But leaders feel much more strongly about it.
About half (52%) of employees believe their organization needs a password manager; among leaders, a resounding 97% feel the same. This tells us that employees want digital security tools that help them practice better cybersecurity to keep their organization safe—and leaders are fully behind employees’ desire to have better tools.
Many employers are already making strides here: 41% of organizations represented in our surveys require a password manager for everyone, with another 18% adopting it for some, and 13% offering it as an option. The cohort requiring this digital security tool the most is employers with 301–400 workers (51%), followed by those with 401–500 workers (42%).
From our supplemental leader interviews, we also learned that employees want a dedicated resource beyond an office manager or IT admin for managing access to a password manager. They feel they can handle it for a while, but once the company grows bigger, too many things can go wrong. Choosing a password manager that’s simple and comes with great onboarding features can help achieve this—and the simpler the tool, the more likely employees are to adopt it.
52% of employees overall believe their organizations need a password management solution. Opinions varied by industry, though.
Finding #6: Most employees wrangle at least five passwords
The majority of our participants said they handle more than five passwords for their work accounts regularly, with 6–10 as the most common amount (identified by 41% of respondents). Not surprisingly, given their role, leaders juggle a lot more—72% have more than five passwords, and 53% have 6–10. Education, finance, and healthcare workers are particularly likely to be in the 6–10 accounts range.
Across sectors, employees in banking have the highest access fatigue (with 34% of employees juggling 10 or more passwords), followed by education (25%). Retail and finance tied for the third spot (23%). Access fatigue could lead employees to look for shortcuts, such as reusing passwords or resorting to simple, easy-to-remember ones. Such shortcuts are highly risky for organizations because malicious actors commonly use compromised and weak passwords to break in.
Finding #7: Employee usage of password managers remains a challenge
Despite their jumble of logins, employees are not confident that their co-workers use password managers widely. Although 41% of surveyed organizations require a password manager, only one-fifth of employees believe the adoption rate among their co-workers is 95–100%. Worse yet, close to one-third (29%) believe the adoption rate is 50% or less.
Here, too, leaders have a different view—employees are much more skeptical than IT teams. Nearly 40% of our IT leaders believe the adoption rate at their organization is 95–100%, and only 20% believe the rate is 50% or lower.
Since leaders have a closer view of their companies’ security tools than other employees, it’s likely that their understanding of the adoption rates better reflects reality. Even so, it’s clear that organizations struggle with employee buy-in.
Finding #8: Lack of security tool trust and understanding are the top adoption barriers
Even when organizations invest in security tools, employees may not use them if they don’t trust those tools or learn how to use them. Our survey found that both employees and leaders believe the main barrier to password manager adoption is a lack of knowledge about the features.
Given that so many IT leaders don’t understand their password manager’s features, find the tool difficult to set up, or don’t feel they’re getting good ROI, this helps explain the low adoption rates discussed earlier. It would be challenging for leaders to “evangelize” the use of the tool to their organization if they don’t understand how the password manager works and don’t feel it’s easy to use.
For effective onboarding, employees need to know not only why they need a password manager but also what features are relevant to them and how these features improve security. Take advantage of the resources that many vendors offer as part of their onboarding.
- Lack of understanding about the features is a much greater barrier for leaders than employees—with 58% of the former citing “unsure of features” as the top barrier, compared to 31% of the latter
- Lack of trust in their vendors is the second biggest reason employees don’t use a password manager (with 30% expressing this view), followed by difficulty setting up (25%). On the other hand, leaders cite difficult setup as the second biggest barrier (51%), followed by return on investment (46%)
Finding #9: Organizations with a password manager feel less at risk of a cyberattack than those without one
For organizations that have overcome barriers to adoption, the outcomes are positive. Among our survey participants, both employees and leaders in workplaces that require a password manager believe their organization has a lower risk of being hacked or breached.
Leaders are much more convinced that this is the case—90% expressed that their organization is either “not at risk” or “not at all at risk” for being hacked or breached, compared to 59% of employees.
Leaked passwords are abundant in the criminal underground due to the massive number of data breaches. With automated tools, cybercriminals can check the validity of these passwords quickly and at scale. A password manager lowers the risk of compromised and weak passwords, and our study shows that organizations see the results.
Finding #10: Cybersecurity sentiments and practices differ among sectors
Insurance, finance, and banking stood out as the sectors embracing security tools the most—perhaps because stricter regulations lead to broader mandates for improving security.
Cybersecurity best practices may vary slightly from sector to sector, but many are foundational regardless of the industry. Understanding these best practices and adopting the fundamentals will help organizations of all sizes improve their cybersecurity preparedness.
- Insurance by far requires a password manager the most (80%), compared to 41% overall
- Manufacturing employees noted the highest concern about large-scale data breaches, an astounding 96%
- Education is the sector that has the highest number of responses with a password manager as optional to use (26%)
- Although government employees are among the least convinced they need a password manager, government agencies are one of the top sectors that require it the most
Our latest research found that remote and hybrid work is going mainstream: only 10% of all our surveyed employees and leaders reported no remote workers at their organizations. With remote work commonplace, the pace of online tool adoption will continue to accelerate—which means that cybersecurity will be an increasingly bigger priority for small businesses.
Protecting sensitive data in this new environment requires behavioral change through a strong, human-centric security culture.
Discover more cybersecurity trend insights, along with key predictions and our recommendations, in our 2022 Future of Secure Work for People + Organizations report.