
Overconfidence and 7 Other Deadly SMB Cyber Security Sins

A gap seems to be forming between what businesses believe about their cyber resiliency and the reality of the situation. Actually, calling it a gap may be underselling it. In its report titled Cyber Security: Can Overconfidence Lead to an Extinction Event?, SolarWinds found 87% of businesses rate their cyber security defenses as “average or better.” At the same time, just shy of three-quarters (71%) of those same businesses admitted to suffering at least one breach in the last year, far higher than the 29% who said the same in the previous year’s study. Those points certainly appear to be at odds with each other. However, overconfidence isn’t the only character trait that could lead businesses down a dangerous path.

Organizations of all sizes must not allow bad habits to creep into their approach to cyber security. This becomes even more critical in the SMB space. Attackers look for the path of least resistance. Most will happily take a handful of small, easier wins over fighting tooth and nail to get a big one. Enterprise-sized businesses, with their large Security Operation Centers and innovative security solutions, don’t make for “easy wins.” SMBs, on the other hand, just might.

Overconfidence is just one cyber security “deadly sin” that could make an SMB an attractive target. Let’s look at seven other shortcomings highlighted in the SolarWinds report and see what SMBs can do to avoid them.

  • Inconsistency – Cyber security policies can be time-consuming to enforce, they’re often unpopular and they are tempting to put off. In fact, the SolarWinds report found 43% of respondents admitted to enforcing policies only occasionally. To remedy this, SMBs should enlist a partner who can assess their needs and limitations and then help craft a suitable security architecture.
  • Negligence – The easiest path into an organization often runs through end users, but few organizations are reinforcing that weakness. Just 16% of businesses have placed an emphasis on increasing user security awareness through regular anti-phishing campaigns, etc. SMB teams struggling to perform end user training should look to an outside organization capable of lending a hand. Particularly, SMBs should look for pre-built, yet customizable, training routines that simulate the types of threats their users are likely to encounter in the wild.
  • Shortsightedness – The argument for security investments boils down to “spend more now, save big later.” This lack of immediate ROI can make it tough to wrangle support for security expenditures. In the report, there’s plenty of diversity among the most common security solutions. SMBs can overcome this by projecting the costs of a breach using similar cases for context.
  • Complacency – This post has already addressed the notion that “good enough is enough.” Remember those nearly nine-in-ten SMBs that rated their cyber defenses as average or better? If we drill deeper into the idea of cyber defenses, information is one of the best weapons against attackers. However, 51% of those surveyed described their reporting as merely “adequate.” For some SMBs, the idea of building anything greater in-house, such as a truly “robust” reporting capability, can seem daunting – or out of their price range. On the other hand, this could be another example of functionality best offloaded onto a capable outside organization.
  • Inflexibility – A data breach doesn’t have to trigger a total tear down of an organization’s security infrastructure. Instead, it should show organizations where they could stand to improve. Yet, only 44% of organizations took advantage of the learning experience and rolled out a new technology. Meanwhile, just 41% changed their processes. Post-incident is a great time to push for upgrades. SMBs must seize this unfortunate opportunity to understand what went wrong and make a case for improvements.
  • Stagnation – Adoption of widely accepted best practice security techniques also left something to be desired according to the report. Of the top nine most common prevention techniques, not even one was being used by more than half of respondents. Strategies like full disk encryption (43%), restriction of admin rights (42%), and user event logging (41%) had the broadest deployments recorded. If it’s a question of resources, some of the techniques included in the top nine are deployable at no cost, leaving little reason to omit them.
  • Lethargy – Every second counts during a cyber security incident. Obviously, the sooner security personnel can catch, quarantine, and resolve an issue, the better. Yet, across the board, businesses have seen security reaction times slow. Per the report, detection times rose for 40% of those surveyed, response times increased for 44%, and resolution times went up for 46%. This shows far too many organizations are heading in the wrong direction. In cases where there aren’t enough onsite eyes, an SMB may want to work with a Managed Security partner capable of guaranteeing better times as part of a service level agreement.

Next steps: Raising your game regardless of organizational size

Want more of Arraya’s security insights for SMBs? Check out our new whitepaper Simplifying Cyber Security for Small and Midsize Businesses. This document collects Arraya’s experiences plus those of industry thought leaders. The result is a comprehensive look at the strategies and solutions SMBs can count on to stay safe.

If you’d like to discuss how Arraya’s Cyber Security team can address any of the above “deadly sins,” we can be reached by visiting: https://www.arrayasolutions.com//contact-us/. You can also leave us a comment on this or any of our blogs on social media. We can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us so you can keep up with our industry insights and learning opportunities.
