Small businesses are facing a growing threat from cyberattacks. So why are security features still being sold at a premium?
July 25, 2024
Small and medium businesses are increasingly vulnerable to cyberattacks due to the practice of charging extra for essential security features that should be standard across all service tiers. Software companies, cloud providers, and tech makers often either impose additional costs for basic safety features or fail to provide them altogether.
For example, earlier this year, at least 165 Snowflake customers were compromised because Snowflake did not offer an easy way to mandate multi-factor authentication (MFA) for all users, according to cybersecurity experts. Similarly, last year, a non-profit organization couldn’t detect an attack because its Microsoft 365 ‘E3’ plan lacked the logging features available only to ‘E5’ plan holders.
Efforts to secure smaller organizations, which often lack dedicated IT and security resources, have become crucial. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) committed to aiding the smallest organizations, which typically cannot afford robust IT or security budgets. Security breaches can lead to business failures and significant stress for small business owners.
Saeed Abbasi, product manager of vulnerability research at Qualys, emphasizes the importance of bolstering cybersecurity in SMBs. “Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains. Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches.”
Determining what should be a standard security feature versus a premium product is complex. While innovations that revolutionize security may justify additional charges, many current features are akin to backup cameras in cars—once a luxury, now a standard offering.
Price advocates for essential security features to be included in every tier. The ability to mandate and monitor MFA, single sign-on integration, role-based access controls, audit trails, and user access revocation should be standard. For instance, Snowflake’s platform now allows admins to enforce MFA by default, and Microsoft has adjusted its logging policy following feedback.
Narayana Pappu, CEO at Zendata, stresses the need for basic, user-friendly security for small and medium businesses, which often lack the expertise and resources to manage complex security systems. “SMBs usually lack security expertise in-house, don’t have the resources to implement or maintain solutions, and face risks that can jeopardize their business if a security incident occurs.”
While advanced technologies like generative AI may offer additional security, they are often expensive and not included in basic service tiers. Price believes that basic security should be integrated into every product at the base level, though some costs for advanced features may be justified. “There’s no version of a car that does not include seatbelts on the market today,” she notes. “Similarly, we’re not saying that all security should be free, but it should be baked into the cost of the product.”