Which SMBs Are The Most Confident In Their Security?

As a company that specializes in serving “the little guy,” it piques our interest to note which elements of cybersecurity are of most concern to different SMB sectors. What’s even more interesting is what they plan to do about it.
However, honest and effective security can’t happen without honest and accurate assessment, so making sure small business security perceptions are aligned with reality is step number one.

SMB Cyber Concerns by Sector

Each area has its fair share of security concerns, but those get even more specific when you take several hundred employees (and a good amount of infrastructure) out of the picture. Per research from ESET, here are a few examples of the things small businesses worry about every day, by sector:


Manufacturing

Compared to other sectors, Manufacturing had the highest “slight to no confidence” vote regarding their employees’ knowledge about cyber threats – a whopping 40% harbored serious doubts about employee risk comprehension. Perhaps this apprehension is caused by a higher likelihood of IoT and difficult-to-secure legacy devices in this sector?

That being said, only 30% worried that they’d struggle to find the root cause of a cyberattack.

Financial Services

Here, too, we see a slight discrepancy between confidence in employee knowledge and confidence in employee results. FinServ SMBs reported a 36% “slight to no confidence” vote in employee threat understanding and a 29% vote of the same for their in-house security expertise.

Yet, only 26% expressed similar doubts about their ability to accurately investigate attacks. This could be due to their higher-than-average security outsourcing rate (65%, compared to the 59% SMB average).

Professional Services

Numbers are flipped for Business and Professional Services, with slightly fewer (26%) doubting in-house security abilities and slightly more (33%) anticipating struggles in determining attack cause.

Over half prefer to outsource cybersecurity operations, with 26% favoring a single provider and 40% outsourcing to multiple providers.


Retail

Retail boasts the strongest sense of its in-house operations: 80% have “moderate or high confidence in their in-house cybersecurity expertise”, the most of any SMB sector. Three quarters share that same confidence for employee threat know-how, and nearly as many (79%) are comfortable in their ability to determine threat origins – again, record highs per the ESET research. At the risk of sounding snarky, sounds like smaller Retail businesses might be a little overconfident.

Perhaps not surprisingly, Retail is the most likely to manage security assets in-house (41%), although 6% are looking to go external next year.


Technology

What’s noteworthy here is that while the faith in in-house expertise is about on-par (24%), more SMBs in the technology sector feel their employees have a grasp on security threats than any other sector (78%). More also feel they can successfully determine the root cause of an attack (77%).

Not surprising – you’d hope a “Technology” business would be more confident in their understanding of basic cybersecurity risks and how to mitigate them.


Government

While this sector wasn’t investigated under the same ESET research as above, this is the sector we have the most experience with. We work with our customers constantly through their budget cycles, and there are countless stories of overworked rural municipalities struggling to find funding to shore up cybersecurity defenses … Just look at the fallout in Oldsmar, FL, when a relatively unknown water utility made national headlines after receiving an almost fatal dose of chemicals from a successful cyberattack.

We don’t have the numbers, but anecdotally, we can tell you that smaller government organizations would not rate their expertise “high”, nor would they be confident in their ability to track down a threat’s origins. That, of course, is where managed services can step in and fill the gap.


Healthcare

SC Magazine reports that most medical groups are overly optimistic when it comes to how safe their digital data is in the cloud. Says the article, “64% of C-suite [security] leaders say their cloud maturity level has reached an advanced level compared with 20% to 28% of vice presidents, directors and managers at these firms…

However, few organizations said they practice vital risk reduction basics such as data backups, multi-factor authentication and secure password management. Even fewer respondents admitted to implementing more advanced measures, such as simplifying technology infrastructure or creating a hierarchical cybersecurity policy.

Is it Security Overconfidence?

Is Healthcare’s specific call-out an isolated scenario or indicative of what may lie under the surface for more SMB sectors at large? In our strictly anecdotal opinion, it’s the latter.

Most of the SMBs we meet don’t present with a sense of bravado or overconfidence, and yet they admit that what they can do is only a fraction of what they want to do. What we hear a lot is, “We can only do so much.” And it’s true. These SMBs are just doing what they can do, and sometimes they need help.

Look, breaches and ransomware incidents can happen to anybody, large or small. We know that, perhaps more than anybody. Every day we deal with small businesses in similar situations and with similar high-stakes roles in larger supply chains. This is perhaps where small businesses do the most good (and have arguably the most opportunity for big-time damage). As a hub connected to many enterprise spokes, SMBs have a particular responsibility to maintain above-average security stacks and not leave anything to chance – or over-estimation.

Nomic Means SMB Security

Nomic Networks is devoted to shoring up defenses and visibility for the smaller organizations, the local municipalities, the school districts, the city medical groups, and the regional plants that service clients around the world. We know how important it is to get an accurate assessment of your security capabilities, and we do what it takes to get you from wherever that is to where you need to be.

The Outpost cuts risk – before it even gets to the firewall. Insight force-multiplies your internal team by leveraging an archive of network flows and ML/AI-based signals between the endpoints, and our global network of devices gathers the most recent threat intel and feeds it back to your machine in real time. Our team of award-winning support specialists and security analysts is ready to walk you through the platform and even spot threats before you do.

Get in touch with someone on the team and find out more about what Nomic can do for your SMB.
