

As a supplier, cracking the small and medium business (SMB) market for cybersecurity isn’t easy. Neither is it easy for a small business to find its way through the myriad of cybersecurity suppliers and solutions, especially in the context of the huge complexity of cybersecurity threats. This article looks at the market from the point of view of a small company.
Putting on my mystery shopper hat
Sorting out cybersecurity as a small company is not easy: according to STL’s recent survey*, only one in six small businesses has an internal cybersecurity expert. In half of the companies, cybersecurity is managed internally by a non-expert: often someone who deals with all IT and is therefore tech-savvy but splits their time between multiple responsibilities, without understanding the intricacies of cybersecurity, where the environment evolves rapidly.
Cybersecurity is managed by non-experts in almost half of SMBs
Source: STL Partners
I recently visited the Cloud & Cyber Security Expo (part of the Tech Show 2025) in London, and between keynote sessions, I went to shop around, wearing the hat of a small business employee. I didn’t deceive anybody: as a small business itself, STL has around 50 employees, all of them keen on technology, but only one dedicated IT manager who is responsible for all our connectivity, devices, web properties, internal systems, software and solutions. So, the “hat” of a small business employee fitted me very well.
This wasn’t a huge cybersecurity event, but with over 60 cybersecurity companies exhibiting and looking for clients, I felt it represented a real-world environment for a small business looking for a supplier. Here are my first-hand observations and learnings.
The sheer fragmentation of the market is quite daunting
Some of the best-known cybersecurity players weren’t participating at this show, so as a buyer I couldn’t use brand to distinguish between providers. This is consistent with the decision criteria used by the majority of SMBs though, as brand plays a less critical role for them. For a non-technical-expert like me, the most important criterion is the assurance that my company should be cyber secure – and on this front, the propositions on offer sounded somewhat similar. As a non-technical shopper, I wouldn’t engage in technical discussions on points of distinction, and the relative strengths of supplier solutions were not volunteered on this level, especially once I’d identified my interest as that of a small business. As a result, I found it difficult to figure out why one supplier might be better suited for my case than another.
SMBs are not seen as a very attractive market
It is understandable why most propositions out there are for large enterprises: it’s much more lucrative to work with big organisations that have cyber teams, experience, an understanding of the risks, and not least a clear and sizeable budget. In contrast, only 50% of small businesses have a cybersecurity budget, and their spending on cybersecurity is such a big part of their total IT spending (more than 40%!) that stretching it further is challenging. Serving small businesses from a go-to-market perspective is difficult and costly, and in absolute terms the return is small.
Still, most cyber specialists I spoke to cater to smaller businesses with an entry-level package. Some offer services for companies with more than 20 or 50 employees, although for others a small client starts at 200 employees. One solution provider had a starting threshold based on the potential client’s revenue, which I felt was odd: small companies wouldn’t necessarily want to disclose their revenue to a potential supplier.
Few cybersecurity solution providers “speak the language” of SMBs
Out of the 60+ exhibitors at the show, there was only one company focusing specifically on the SMB segment. I could tell that its targeting was genuine: the representative at the stand spoke to me about business benefits like simplicity and about practicalities like the fact that they offer to set up the solution for the client. This is key: the quality of service is a very important selection criterion for SMBs, and 61% have at least partial external party involvement in the installation or the management of the solution.
I did consistently ask about the flexibility of the solution, as the number of employees in a small business can go up and down, for example with seasonality. Moving the licence number up in a flexible way is always an option, but down, less so. Some offer this flexibility with transparent tiered pricing options, for example the first 20 licences are at one price, the next 30 at a slightly lower price, the next 50 at an even lower price and so on, which I believe would appeal to an SMB.
The SMB market will grow and players who want to participate have an opportunity
According to our survey, 64% of SMBs expect to increase their spending on cybersecurity this year. My first-hand mystery shopping experience suggests that most cybersecurity providers are unlikely to actively pursue the SMB market at this point. Our survey confirms this: only one in four SMBs have bought their largest cybersecurity solution directly from a specialist provider, although twice as many consulted them in the purchasing journey.
The majority of SMBs buy cybersecurity from IT companies that sell them other software or from managed service providers. Only a small share of SMBs buy from telcos.
But telcos have an opportunity here:
1. They enjoy high awareness among SMBs.
2. They are already in touch with SMBs that they supply connectivity to – even if they supply it via channel partners.
3. They can “speak the language” of SMBs.
The growing SMB market will be open to solution providers who have the right product, the right service level and the right approach to reassuring SMBs that their cybersecurity is in safe hands, removing complexity from their minds and leaving them to focus on growing their core business.
*STL’s ‘Cybersecurity in SMB’ survey was conducted in the period from 14 November to 4 December 2024 among 826 IT decision-makers in small and medium businesses across seven markets (Australia, Canada, France, Germany, Spain, the UK, the US). This was followed by a survey of 104 respondents in Saudi Arabia between 17 January 2025 and 7 February 2025. The data in this article refers to the original survey of seven markets. Full results are available to our Cybersecurity clients here and a global summary is available to our Executive Briefing Service clients here.