Cyber security: What will consumers pay for?

More connected lives, more cyber risks

The extent to which people live their lives online today can be summed up in LocaliQ’s internet minute statistics. Nine million searches happen on Google every minute. Facebook is the world’s third most visited website with three billion monthly active users spending 38 minutes per day on the site and clicking on an average of 12 ads per month. 251 million apps are downloaded per day and more than six million people are shopping online every minute with $4,722 spent every second on Amazon.

STL Partners highlighted the growing dominance of Wi-Fi in the home in Consumer Wi-Fi: Faster, smarter and near-impossible to replace, and the operator strategies to improve the Wi-Fi experience with smart Wi-Fi apps and partnerships with value-add players such as Plume. Connectivity in the home has become even more important since the COVID-19 pandemic as customers took on entertainment subscriptions (TV and gaming) and added smart TVs, cameras, doorbells, lights, and speakers (with voice assistants) to their homes. According to Plume, smartphones (including “guest” phones) are the most prevalent devices in the home with an average of six per household. This is followed by computers (2.6 per household), tablets (1.3), smart TVs (1.1) and set-top boxes (1).

The graphic below highlights the growth in smart home IoT devices between the first half of 2021 and 2022 with 55% more cameras, 43% more doorbells, and 25% more smart bulbs as customers invest in making their homes more comfortable and secure. The average number of connected devices across Plume’s customer base of 41 million homes has grown to 17.1 in the first half of 2022, up from 15.5 in the first half of 2021. This figure is likely higher than the average household, as those with more devices are more likely to want a premium smart home Wi-Fi management set-up, but it is still indicative of growth trends.

Growth in devices between H1 2021 and H1 2022

Source: Plume smarthome market report – August 2022

With 40% of EU workers switching to working from home during COVID-19, the take-up of digital technology has had a permanent effect on everyday life. IoT devices and digital technologies are projected to increasingly embed themselves in various aspects of our daily lives in coming years. Estimates on the number of connected devices by 2025 have ranged from 25 billion (GSMA) to 42 billion (IDC). The increasing volume and wide range of connected devices of varying hardware and software standards increases the attack surface for malicious actors who can inflict significant emotional and financial damage on consumers, their families and their employers.

A complex cybersecurity threat landscape

Cybersecurity Ventures – a leading researcher on the global cyber economy and publisher of Cybercrime Magazine – estimates that organisations suffered a ransomware attack every 11 seconds in 2021. It has also forecast that attacks on a consumer or business will happen every two seconds by 2031. It is believed the majority of cybercrimes go underreported by victims due to embarrassment, potential reputational harm and a perception that legal authorities cannot help. Even in a gaming community, a micro payment of less than $1 for a prize or item that doesn’t appear could go unreported due to the low cost of the transaction, but can be very lucrative for cybercriminals should enough games fall victim to the trick.

Cybersecurity Ventures forecasts that this rise in global cybercrime will inflict damages of $10.5 trillion annually by 2025. The cybersecurity specialists highlight that, if measured as a country, cybercrime would have the third largest GDP after the USA and China.

The European Union Agency for Cybersecurity, ENISA, reports on the current cyber threats facing European consumers and businesses. In its latest 2022 threat landscape report (covering July 2021 to June 2022) it identified eight prime threats shown in the graphic below. These include:

  • Ransomware, where bad actors take control of an organisation’s or individual’s assets and demand ransom in exchange for return of the assets and confidentiality of the information. The attack could involve locking out the user, encrypting, deleting or stealing the data. The most common attack vectors are phishing emails and brute-forcing on Remote Desktop Protocol (RDP). Cybersecurity Ventures estimates ransomware will cost victims $265bn annually by 2031.
  • Malware is commonly defined as “software, firmware or code intended to perform a malicious unauthorised process that will have an adverse impact on the confidentiality, integrity, or availability of a system”. Malware comes in the form of a virus, worm, trojan, or software code that can negatively impact a host computer or mobile device. Spyware and adware are considered subsets in this category. This malware could allow actors to take remote control of a system, denial skimmers, or steal information or enable botnets to carry out nefarious attacks such as distributed denial of service (DDoS). According to ENISA, malware attacks are on the rise in 2022 after a decline in the previous reporting period (2020 and 2021). The decline had been linked to increased working from home during the pandemic. While the rise could be attributed to workers returning to the office, ENISA also points out that there has been simply more malware.

One of the best-known malware threats is Pegasus malware, a WhatsApp exploit which can affect both iPhone and Android phones and can be used to access messages, photos and emails, record calls and activate the microphone.

  • Most mobile malware comes from malicious applications downloaded and installed by users. In 2021 fake adblockers or adware were common for Android. These adblocking apps can look for extensive permissions when being installed from downloads on third-party app stores and online forums.

ENISA reported a rise in malware from crypto-jacking (the unauthorised use of devices to mine for cryptocurrency – further described below) and IoT malware. In the first six months of 2022, the malware attack volume on IoT was higher than had been recorded over the previous four years, with Mirai botnets responsible for most (seven million) attacks. ENISA reported that in 2021 and 2022 the most common IoT targets were networking devices such as Netgear (DGN), D-Link (HNAP), and Dasan (GPON).

  • In 2021 Flubot (a banking Trojan delivered via fake SMS messages claiming to be from banks or government organisations) was a prevalent form of phone malware and lured many Android phone customers into downloading nefarious applications.

ENISA Threat Landscape 2022 – prime threats

Source: ENISA Threat Landscape report 2022

  • Social engineering attacks target weaknesses in human behaviour, where false actors exploit an individual’s trust in communication and in their online habits. These attacks consistently rank high according to ENISA. The most common threat vectors for social engineering attacks include phishing, spear-phishing (targeting specific individuals/businesses), whaling (attacking individuals in high positions such as executives and politicians), smishing (a combination of SMS and phishing), vishing (a combination of phishing on a voice call where sensitive information is given over the phone), business e-mail compromise (BEC) and spam. ENISA reported phishing was the most common vector for initial access in 2022. This rise was attributed to more advanced and sophisticated phishing practices, fatigue among users as well as more targeted and context-based phishing practices.
    • E-mail may be used by bad actors to carry out man-in-the-middle attacks, effectively using software to eavesdrop on users by using an innocent link to access e-mail and intercept messages between two people in order to steal data. A man-in-the-middle attack could also take place over an unsecured Wi-Fi network where the attacker intercepts data transmitted from a user’s device over the network.
  • Threats against data refer to data breaches or leaks of sensitive, confidential, or protected information to bad actors / hackers and occur due to cyberattack, insider job, unintentional loss, or exposure of data. This includes data theft or identity theft where personally identifiable information (PII) is stolen and used to impersonate an individual. It also usually results in hack attempts on personal online accounts as well as spam e-mail, spam calls and SMS. Customers can check if their personal data has been exposed on the dark web due to a breach using the free online service Have I Been Pwned. Similar resources are also offered by consumer cyber safety players.
  • Threats against availability occur when users of a system or service cannot access the relevant data from that service or system. This is commonly achieved through distributed denial-of-service (DDoS) attacks, which prevent users from accessing a website or system by overloading the website or network with requests, resulting in decreased service performance, loss of data and outages. The attack has been in use for over 20 years now with many criminals using it to extort ransoms from organisations. It is also increasingly being used as part of state-sponsored attacks. ENISA highlighted that traditional DDoS attacks are increasingly moving towards mobile networks and IoT where such (IoT) devices have limited resources and poor security protection. Threats against the availability of the internet were cited in the context of the Russian invasion of Ukraine, where access to the internet and websites has been curtailed in certain captured cities where internet infrastructure has been captured, leading to re-routing of internet traffic over Russian networks, censoring of (western) websites and shutting down of Ukrainian mobile networks.
  • Disinformation includes the creation and sharing of false information, usually by social media. In recent years there have been a number of websites and digital platforms that present false or erroneous information for their particular agenda and these sites are generally spurred through sharing of information through social media channels. ENISA pointed to the war between Russia and Ukraine as one example of current disinformation to target people’s perception of the status of the war. Wrong and purposely falsified information can often be mistakenly shared. This is where the definitions of misinformation and disinformation come in. Misinformation is the unintentional sharing or reporting of inaccurate information in good faith. Disinformation is an intentional attack where false or misleading information is intentionally created and shared.
  • Supply-chain attacks refer to the targeting of individuals’, groups of individuals’ or organisations’ hardware and software resources including cloud storage, web applications, online stores and management software. The supply chain attack is usually a combination of at least two attacks: the first on the supplier to access their assets, and from there access to the supplier’s own network of customers and suppliers. The most recent high-profile attack was SolarWinds in 2020.
    • Cryptojacking or hidden crypto-mining occurs when a hacker secretly uses a victim’s computing power to generate cryptocurrency after the victim mistakenly and unwittingly downloads malicious software. Cryptocurrency is popular due to its ability to offer anonymity and its use as payment in ransomware attacks. Crypto-crime – i.e. crimes involving cryptocurrencies – is predicted to cost the global economy $30bn in 2025 according to Cybersecurity Ventures, while Chainalysis estimated crypto-scams (i.e. rug pulls on fake crypto projects) generated revenue of more than $7.7bn in 2021 and are one of the largest types of cryptocurrency-based scams.

Attacks affecting customers’ identity, privacy, financial and emotional wellbeing

Threats such as ransomware, malware, phishing, man-in-the-middle and social engineering have given rise to fears of identity theft and financial losses as a result of hacked bank accounts, e-mail, and social media accounts. In the US for example, the Identity Theft Resource Center (ITRC) reported a sharp rise (1,000% in a year) in social media account takeovers, with criminals using stolen information not only to take over existing bank accounts but to set up new bank and credit accounts using information stolen in data breaches and phishing attacks. In a snap survey of 97 people who contacted the ITRC over a social media account takeover, 66% reported strong emotional reactions to losing access to their social media account.

Snap Survey of social media account takeover victims in 2021

Source: Identity Theft Resource Center

Table of Contents

  • Executive Summary
    • The threat landscape in an increasingly connected life
    • How to build successful cyber security services
    • A digital life security opportunity
  • More connected lives, more cyber risks
    • A complex cybersecurity threat landscape
    • Are consumers willing to pay for cybersecurity?
  • Operator cybersecurity propositions
    • Vodafone’s Secure Net
    • Telia Security package
    • Telefónica – Secure Connection
    • NOS Portugal
    • MEO Portugal
    • Safe Net
    • Deutsche Telekom
    • AT&T USA
    • Comcast
    • MTS Russia
    • SmarTone Hong Kong
    • A1 Austria
  • Conclusions

IoT security: The foundation for growth beyond connectivity

Introduction

The European Union Agency for Cybersecurity (ENISA) defines the IoT as “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making.” In this ecosystem, the information or data flows among the various components of the IoT enable informed decision making for machines, objects, and the spaces in which they operate. Through this web of tightly interconnected cyber-physical systems, the IoT underpins a variety of applications such as smart cities, smart factories, smart agriculture and so forth.

While these applications touch all the areas of our living and working activities, bringing enormous benefits and possibilities, they also exacerbate system complexities and, in turn, significantly enlarge the domain of threats and risks. As a result, securing the IoT is a very complex task, involving the implementation of highly specialised security measures. In market terms, this complexity translates into rich ecosystems of skills and expertise, where there is not one player in charge of securing the IoT, but it is both a responsibility and an opportunity for all players in the value chain.

Thinking about IoT security, the fundamental objective is ensuring the trust between the provider of an IoT solution and the IoT solution adopter. Microsoft IoT Signals, a well-known survey of 3,000 organisations adopting the IoT, emphasizes this in its 2021 edition, where 91% of the organisations surveyed have security concerns about adopting the IoT. 29% of those organisations do not scale their IoT solution due to security concerns. These concerns hamper the benefits enterprises can gain from IoT solutions. For instance, in the same survey, more than 55% of organisations said they were becoming more efficient adopting the IoT, and 23% claimed that their IoT solution has a direct impact on revenue growth. These benefits come from the variety and volume of data gathered through the IoT to drive better informed operational decisions. The result is that IoT data becomes a fundamental and necessary asset that must be protected.

While managing security risks in IoT is often perceived as a necessary burden, this report will instead highlight securing the IoT as an opportunity. For telecoms operators, this opportunity may not always be directly evident in new revenues, but it is fundamental to the creation of trust between provider and the adopter of IoT services. That trust, built through IoT security services, provides a stronger foundation from which to develop new revenue-generating services beyond connectivity.

This report also argues that by building more comprehensive data insights services into their existing IoT platforms mobile network operators are in a strong position to bring that trust to enterprises. As operators expand their security offers from well-known security functions provided at connectivity level – almost embedded in an operator – to more sophisticated security services across the IoT architecture, they can position themselves as a partner and guide to enterprises as they likewise become more sophisticated in their security needs.

The report is structured in three main parts:

  1. Discussion of the key vulnerabilities in the IoT and responses to those defined by regulators and security bodies such as ENISA, NIST, IoT Security Foundation and others.
  2. Analysis of the roles mobile network operators are playing in the IoT security services market.
  3. Analysis of the opportunities for mobile network operators in security services for the IoT.

The research is based on the author’s extensive experience in IoT security, and enriched by interviews with IoT security experts close to the world of mobile network operators. Finally, an understanding of the most authoritative guidelines and analysis (ENISA, NIST, IoTSF, GSMA, OWASP) on IoT security supports the research.

Why IoT security is rising up the agenda

In the fervent debates on the development of the IoT, the security aspect is often hidden or avoided. This stems from a common view among IoT solution companies and end-users that security is a heavy point of discussion that hampers business enthusiasm. This perspective is both unhelpful and dangerous, actively hindering greater scale and trust in the IoT. We strongly believe the argument should be flipped around. Although IoT security is a fundamental risk for the development of the IoT, it is also the means through which to develop robust, reliable, and lucrative IoT solutions. Therefore, IoT security should become a priority in IoT strategy and project development.

There are three considerations that are driving a fundamental shift in perceptions of security from a barrier to an enabler of IoT solutions, both among providers and adopters:

  1. Rising frequency and prevalence of avoidable large-scale IoT security breaches. There are plenty of examples of hacking of connected devices and large IoT systems that have dramatically compromised IoT solutions’ functioning, the business case linked to them, and relationships with customers. Recent examples include:
    • In May 2021, Colonial Pipeline suffered a ransomware attack that impacted the computerised equipment monitoring the entire pipeline system from Texas to New Jersey, carrying 2.5 million barrels of oil a day. The entire system, based on a vast IoT solution of several sensors along the pipeline, was blocked. To re-boot the system, Colonial Pipeline paid 75 Bitcoin (the equivalent of $4.4 million at the time). (The solution to this type of breach is implementation of a remediation strategy.)
    • Consumer IoT devices are no less attractive than big corporations to hackers. In June 2021, McAfee Advanced Threat Research identified a potential security vulnerability in the Peloton Bike+: “The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet.” The Peloton Bike+ vulnerability almost became a matter of national security in the US, considering that President Joe Biden is, apparently, a Peloton Bike+ user. (The security solution to this type of breach is software and system updates.)

  2. Regulatory bodies are responding to the increasing incidence of IoT attacks with guidelines and regulations. Realising the danger of connected devices and systems developed with inappropriate security features, regulators worldwide are issuing specific procedures and policies in IoT security. In some cases these are mandatory and in other cases function as guidance and support.

    • Australia has created a voluntary code of practice, Securing the Internet of Things for Consumers, focussing on issues of authorisation, authentication, and access of IoT data in consumer devices.
    • Singapore has issued the IoT Cyber Security Guide to support enterprises to develop secure IoT systems. Enterprises should also comply with IoT-related standards in sensors, sensor networks, and devices.
    • The United Kingdom has focussed on security around IoT devices with the first Code of Practice for Consumer IoT Security published in 2018.
    • The European Union is focussing on the development of an “IoT Trust” label for IoT consumer devices.
    • The United States launched legislation in 2020 – IoT Cybersecurity Improvements Act – which, through a combination of subsidies and project grants, incentivises companies that build and sell IoT solutions to develop them with a security-by-design

These initiatives are all specifically designed around IoT devices and systems. However, it is important to highlight that the relevant legal framework is wider. For example, in the European Union, the three key regulations applying to the sale and use of IoT devices and ecosystems are CE Marking (health and safety of products sold in the EU), GDPR, and the Network and Information Security Directive (NIS Directive). It is well known, but important to stress, that violation of GDPR – data breaches and misuses of data – can cost up to EUR20 million. A similar legal framework exists in the United States, in which there are three Acts relevant for IoT devices: the Federal Trade Commission Act (FTC Act), the Cyber Security Information Sharing Act (CISA), and the Children’s Online Privacy Protection Act (COPPA). Those who violate America’s Federal Trade Commission Act could face fines of $41,484 per violation, per day.

It is also worth noting that many of these regulations focus on the consumer IoT because it has been the weakest in terms of attention to security features, there is a direct link to data privacy (i.e. by hacking into IoT devices malicious actors can gain access to other digital profile data), and most consumers do not have the skill or resources to protect themselves.

  3. The increasing business and economic impact of IoT data. Organisations of all kinds are increasingly relying on data for their strategy development, optimisation of processes, increasing engagement with customers and innovating their business models. The data needed for all these activities is increasingly machine generated by an IoT solution. To illustrate this value, there have been several studies on understanding the economic impact of IoT data. For example, in April 2019, GSMA Intelligence estimated that the economic impact of IoT on business productivity was in the order of $175bn, 0.2% of the global GDP. GSMA Intelligence also forecasted that by 2025 the economic impact would increase to $371bn, 0.34% of the global GDP, with IoT companies generating almost a trillion dollars in revenues. Ultimately, if a competitor or malicious actor gets hold of an organisation’s data, then they have accessed one of its most important assets. Therefore, as organisations become ever more data-driven in their strategic decision making, the importance of securing the systems gathering and storing that data will rise.

Defining IoT Security

The US NIST (National Institute of Standards and Technology) defines cyber-risk as “a function of the probability of a given threat source’s exercising any potential vulnerability and the resulting impact of that adverse event on the organisation.” The IoT security risk is one of many cyber-risks to any organisation and refers to the unforeseen exploitation of IoT system vulnerabilities to gain access to assets with the intent to cause harm.

A major challenge in assessing IoT system vulnerabilities and threats comes from the technological complexity of an IoT solution and the diversity of applications and environments the IoT solution serves. Therefore, IoT security can be assessed at two levels. The first level concerns the IoT architectural stack, which is common to different domains and applications. The second level is solution-specific and requires specialised services depending on the domain of applications.

The starting point of the analysis is a model of IoT architecture, illustrated in a simplified format in the diagram below.

Simplified IoT architecture

Source: STL Partners

Table of contents

  • Executive Summary
    • Security can enable MNOs to build beyond connectivity in IoT
    • Next steps: Building on security in the Coordination Age
  • Introduction
    • Why IoT security is rising up the agenda
  • Defining IoT security
    • Key IoT vulnerabilities
    • Enterprises’ view on securing IoT
    • How to meet enterprise needs: Delivering security across three dimensions
  • Mobile operators’ roles in IoT security
    • Telco strategy comparison: IoT security offers vs dedicated business units
    • Assessing operators’ security services by function
    • Takeaways
  • Future growth trends for operators to capitalise on
    • eSIM and integrated eSIM (iSIM) capabilities
    • 5G private network security services
    • Managing encryption requirements
    • Blockchain in telecommunications
    • Secure communication through quantum information and communication technology

The changing consumer landscape: Telco strategies for success

Winning in the evolving “in home” consumer market

COVID-19 is accelerating significant and lasting changes in consumer behaviours as the majority of the population is being implored to stay at home. As a result, most people now work remotely and stay connected with colleagues, friends, and family via video conferencing. Consumer broadband and telco core services are therefore in extremely high demand and, coupled with the higher burden on the network, consumers have high expectations and dependencies on quality connectivity.

Furthermore, we found that people of all ages (including non-digital natives) are becoming more technically aware. This means they may be willing to purchase more services beyond core connectivity from their broadband provider. At the same time, their expectations on performance are rising. Consumers have a better understanding of the products on offer and, for example, expect Wi-Fi to deliver quoted broadband speeds throughout the house and not just in proximity to the router.

As a result of this changing landscape, there are opportunities, but also challenges that operators must overcome to better address consumers, stay relevant in the market, and win “in the home”.

This report looks at the different strategies telcos can pursue to win “in the home” and address the changing demands of consumers. It draws on an interview programme with eight operators, as well as a survey of 1,100+ consumers globally. As well as canvassing consumers’ high-level views of telcos and their services, the survey explores consumer willingness to buy cybersecurity services from telcos in some depth.

With increasing technical maturity comes an increasingly demanding market

Consumers are increasing in technical maturity

The consumer market as a whole is becoming much more digital. Over the past decade there has been a big shift towards online and self-service models for B2C services (e.g. ecommerce, online banking, automated chatbots, video streaming). This reflects the advent of the Coordination Age – connecting people to machines, information, and things – and the growing technical maturity of the consumer market.

COVID-19 has been a recent, but significant, driver in pushing consumers towards a more digital age, forcing the use of video conferencing and contactless interactions. Even people who are not considered digitally native are becoming increasingly tech savvy and tech capable customers.

Cisco forecasts that, between 2018 and 2023, the number of Internet users globally will increase from 51% to 66%. It has also forecast an increase in data volumes per capita per month from 1.5GB in 2017 to 9.7GB in 2022. Depending on the roll out of 5G in different markets, this number may increase significantly as demand for mobile data increases to meet the potential increases in supply.

Furthermore, in our survey of 1,100+ consumers globally, 33% of respondents considered themselves avid users and 51% considered themselves moderate users of technology. Only 16% of the population felt they were light users, using technology only when essential for a limited number of use cases and needing significant support when purchasing and implementing new technology-based solutions.

Though this did not vary significantly by region or existing spend, it did vary (as would be expected) by age – 51% of respondents aged between 25 and 30 considered themselves avid users of technology, while only 18% of respondents over 50 said the same. Nevertheless, even within the 50+ segment, 55% considered themselves moderate users of technology.

Self-proclaimed technical maturity varies significantly by age

Source: STL Partners consumer survey analysis (n=1,131)

The growing technical maturity of consumers suggests a larger slice of the market will be ready and willing to adopt digital solutions from a telco, providing an opportunity for potential growth in the consumer market.

Consumers have higher expectations on telco services

Coupled with the increasing technical maturity comes an increase in consumer expectations. This makes the increasing technical maturity a double edged sword – more consumers will be ready to adopt more digital solutions but, with a better understanding of what’s on offer, they can also be more picky about what they receive and more demanding about performance levels that can be achieved.

An example of this is in home broadband. It is no longer sufficient to deliver quoted throughput speeds only within proximity to the router. A good Wi-Fi connection must now permeate throughout the house, so that high-quality video content and video calls can be streamed from any room without any drop in quality or connection. It must also be able to handle an increasing number of connected devices – Cisco forecasts an increase from a global average of 1.2 to 1.6 connections per person between 2018 and 2023.

Consumers are also becoming increasingly impatient. In all walks of life, whether it be dating, technology or experiences, consumers want instant gratification. Additionally, with the faster network speeds of 4G+, fibre, and eventually 5G, consumers want (and are used to) continuous video feeds, seamless streaming, and near instant downloads – buffering should be a thing of the past.

One of our interviewees, a Northern European operator, commented: “Consumers are not willing to wait, they want everything here, now, immediately. Whether it is web browsing or video conferencing or video streaming, consumers are increasingly impatient”.

However, these demands extend beyond telco core services and connectivity. In the context of digital maturity, a Mediterranean operator noted “There is increasing demand for more specialized services…there is more of a demand on value-added, rather than core, services”.

This presents new challenges and opportunities for operators seeking growth “in the home”. Telcos need to find a way to address these changing demands to stay relevant and be successful in the consumer market.

Table of Contents

  • Executive summary
  • Introduction
  • Growing demand for core broadband and value-added services
    • COVID-19 is driving significant, and likely lasting, change
    • With increasing technical maturity comes an increasingly demanding market
  • Telcos need new ways to stay relevant in B2C
    • The consumer market is both diverse and difficult to segment
    • Should telcos be looking beyond the triple play?
  • How can telcos differentiate in the consumer market?
    • Differentiate through price
    • Differentiate through new products beyond connectivity
    • Differentiate through reliability of service
  • Conclusions and key recommendations
  • Appendices
    • Appendix 1: Consumer segments used in the survey
    • Appendix 2: Cybersecurity product bundles used in the conjoint analysis


How telcos can win with SMBs: Strategies for success

SMB markets: An elusive opportunity for telcos

SMBs (small-to-medium-sized businesses) have been a challenging market for telcos historically. Despite this, it remains an attractive opportunity thanks to its sheer size and (potential) margins. Our interview programme, across 10 telcos globally and 100 SMBs in Europe and North America, revealed a feeling that telcos could see real rewards by focusing on this previously underserved market.

“SMB is now a high priority as a large part of our B2B strategy. We see it as a very big and growing opportunity,” noted a Western European Operator. A North American operator commented, “medium enterprises are now an area of great focus for us, there’s lots of potential there. We didn’t use to but are now investing lots of resources.” There are several key reasons why telcos are looking to pursue this opportunity now:

  • As consumer average revenues per user (ARPUs) continue to decline, there remains a promise of stability and growth with business customers.
  • SMBs are becoming more technologically mature and are increasingly embracing trends such as remote working and bring your own device, which can reduce their costs of operation. They have increased need and desire for digital and cloud services, which enable employees to access documents from any device, anywhere – they are often looking to their broadband providers to provide this.
  • Security and compliance are a high priority for SMBs. Previously they may have relied upon the belief that small businesses will not be targeted by cyberattacks, but increasingly SMBs will struggle to do business without being able to prove they are compliant. As this report will go on to highlight, security is an area of key potential telcos should be looking to pursue.
  • Technology such as artificial intelligence (AI) and SD-WAN can enable telcos to provide new services to SMBs while keeping cost of acquisition low.

SMB markets are attractive due to sheer size and (potential) margins

For SMBs, the potential untapped revenues, though relatively small per business, are sizeable when aggregated across SMBs. For example, companies with fewer than 250 employees made up 99% of all enterprises in the EU. But why do telcos often struggle in this space, and what should they do to succeed in this market?

First, it’s important to define what we mean by SMBs and how we should segment them. There is no one clear definition, and segmentation often differs across markets. For example, one operator we spoke to in Mexico pointed out that what they classify as relatively large enterprises would be considered SMBs by telcos in the United States. The definition varies, often dependent on the difference in average company size for each region.

For the purposes of this report, we define SMBs as enterprises with fewer than 100 employees. We also include the category of firms with 2-7 employees – often called SOHO (single office / home office) or VSE (very small enterprise) – in our definition. However, given their size and needs, telcos sometimes group SOHOs with consumers in their “mass-market” lines of business.

The number of potential SMB customers provides the telco with scale of service and large revenue opportunities. These opportunities come from both the acquisition of new customers, for whom operators provide connectivity and communications services (voice, conferencing, UC), and from upselling additional adjacent services to existing customers. These new services might include:

  • Enterprise mobility: management and security of mobile devices, including scenarios like bring-your-own-device (BYOD) and virtual desktops
  • Software-as-a-service: cloud-hosted enterprise software such as productivity software (e.g. Office 365), CRM software (e.g. Salesforce) or accounting packages (e.g. local accounting software)
  • Infrastructure-as-a-service: compute / storage resources and networking capabilities
  • Cybersecurity and disaster recovery: email backup and security services including firewalls, anti-phishing and DDoS attack prevention
  • IoT connectivity: bespoke connectivity solutions for IoT devices (though not the focus of this report, it is a major new area for telco enterprise services).

For most telcos, moving into new services is a crucial move to combat the commoditisation of connectivity. This move is critical in the SMB market, where cost of acquisition of new customers is relatively high, so telcos must offer value-add services to make it profitable.

Telcos’ key challenges in SMB markets: Fragmentation, heterogeneity, “high-touch” engagement

Disparity characterises the SMB market. The divergence of expectations, needs, and technological maturity of SMBs creates fragmentation. Additionally, SMB needs vary by vertical and region, both of which create additional elements of disparity. This market fragmentation has created two crucial challenges for telcos.

  1. It’s hard to understand the customers’ needs because they vary so greatly from one SMB to another.
  2. It’s expensive to serve them because of the time it takes to understand these needs and develop bespoke solutions to address them.

Both of the above challenges are complicated by SMBs’ relatively limited buying power and often limited understanding of their own IT requirements. Despite their smaller budgets, SMBs traditionally require a relatively large investment to win a sale. In comparison to the highly automated, self-service environment of many telcos’ consumer divisions, SMBs want and expect personalised, often dedicated (even face to face) sales and support. Along with knowledge of their product suite, sellers may need to help solve wider IT problems or offer technical guidance. Successful SMB sales teams require broad knowledge and time, making it a comparatively big investment for telcos.

It is not just the sales process that needs to be personalised and consultative; SMBs may also require bespoke product configuration and integration. This kind of service would be expected within a large enterprise but becomes prohibitively expensive within smaller businesses unless it is provided by channels with wider monetisation models (e.g. IT support or equipment sales). In short, SMBs have the engagement expectations of enterprises, with budgets closer to that of consumers. No wonder that few telcos made the effort with SMBs while their consumer businesses were still growing.

To seize this opportunity, telcos must find a way to bridge the gap between the entirely productised world of consumer, and the bespoke sales and services for larger corporates and enterprises.

Table of contents

  • Executive Summary
  • SMB markets: An elusive opportunity for telcos
    • SMB markets are attractive due to sheer size and (potential) margins
    • Telcos’ key challenges in SMB markets: Fragmentation, heterogeneity, “high-touch” engagement
    • There is a disconnect between what telcos think SMBs need and what they actually want
  • Untapped opportunities: Strategies for SMB market success
  • Channel strategies: Engaging SMBs to provide a “high-touch” experience
    • Short term channel strategies
    • Long term channel strategies
  • Product strategies: Where to win quick in a fragmented market
    • Short term product strategies
    • Long-term product strategies
  • Supporting capabilities: Where telcos should invest for success in the SMB market
    • Short-term supporting capabilities needed
    • Long-term supporting capabilities needed
  • Conclusion