How SMBs are navigating the cyber-security landscape: insights from Microsoft

21 November 2024 | Consulting | Cyber Security

Welcome to our cyber-security podcast series. Each episode features business leaders from across the technology, media and telecoms industry who discuss what cyber security means to them, their organisation and the industry as a whole. 

In this episode, Analysys Mason’s Mary Wack, Manager, and Stela Bokun, Partner, talk with Binil Pillai, Business Strategy Leader for SMB Security at Microsoft, Worldwide.

They discuss:

  • cyber-security trends in the small and medium-sized business (SMB) market
  • Microsoft’s approach to SMB cyber security
  • AI’s role in cyber security
  • strategic partnerships and channels for cyber security
  • essential cyber-security practices for SMBs

Find out more about how Analysys Mason supports clients throughout the technology, media and telecoms industry to be protected and resilient against cyber threats.

Hear from:

Stela Bokun

Partner, expert in strategy

Mary Wack

Manager, expert in cyber security

Binil Pillai

Business Strategy Leader for SMB Security at Microsoft, Worldwide

Mary Wack

Welcome to the Analysys Mason podcast. My name is Mary Wack, and I'm a manager and expert in cyber security at Analysys Mason.

During this series of podcasts, we will be joined by business leaders from across the technology, media and telecoms landscape to hear their thoughts and gather their insights on cyber security, what it means to them, their organisations and the wider industry. 

Today, I'm delighted to be joined by Binil Pillai, Business Strategy Lead for SMB Cyber Security at Microsoft, and Stela Bokun, a partner at the Analysys Mason London office. Stela oversees vendor and tech strategy proposition and leads most of our small and medium business-related management consulting engagements. 

Welcome, Binil and Stela. Lovely to speak to you both today.

Stela Bokun

Thanks so much, Mary. It's always great to get involved in these podcasts. We tend to have very interesting guests, and we talk about relevant, very hot topics. So, on that note, today I have the pleasure to talk to Microsoft's Binil Pillai, as Mary said. We'll talk about cyber-security trends, but specifically focusing on small and medium business markets. As most of my clients and colleagues know, I am very passionate about the work that we do in the SMB space, particularly any work related to tech market acceleration, so this is going to be an interesting conversation. 

Hi, Binil. It's great to talk to you again. How have you been?

Binil Pillai

Thank you, Mary and Stela. It's really exciting to be here talking about cyber security for SMB customers. Thank you.

SMB cyber-security market trends

Stela Bokun

Great. So, let's kick off. As we know, the cyber-security market for SMBs is fairly large. In fact, in Analysys Mason, we are projecting that it will grow at 8% CAGR to reach over USD50 billion in 2028, more specifically, USD53 billion. Related to that, or as the main driver of this growth, is that many SMBs are beginning to realise how unbelievably important cyber security can be for their survival. So, we see that the number of cyber-attacks, particularly aimed at the SMB market, is growing rapidly. Many of these businesses, particularly the smaller ones, have limited budgets and even more limited cyber-security skills. So today, we'll talk a little bit about the key market trends. Then, we'll talk about Microsoft's position in this market and what Microsoft is doing to address this market and help with some of the challenges that I mentioned. And then, we'll turn our attention towards the channel to market for big cyber-security vendors.

So, all that being said, Binil, let's start by hearing your perspective on the cyber-security market for SMBs. What are you seeing and what are you hearing from your SMB-facing sales colleagues and channel partners?

Binil Pillai

Yes, I think that's a really good one. If you look at the SMB IT spending worldwide, the forecast is to increase by 6% year-on-year, reaching USD2.1 trillion in 2028. The focus of SMB IT investment is shifting from reactive measures in response to needs that emerged during the pandemic to proactive strategies planning for long-term growth and efficiency gains. These proactive strategies include investing in technologies that secure their IT infrastructure, enhance productivity and streamline processes to improve overall business performance and revenue. 

SMBs also face intense competition, pricing pressures and the imperative to enhance customer satisfaction. In response to this, they're realigning their strategies to help them refine their process and accelerate revenue growth. Therefore, they're investing in strengthening their infrastructure and managed services and cyber security as top priorities. So, as you notice, the SMBs are going in this direction, moving their highest spend on security. If you compare that trend to maybe 3 or 4 years ago, cyber security was one of the top five or six items; today, SMB has made a decision to put the money on cyber security as a top investment priority from an all-of-IT standpoint.

The role of AI in cyber security

Stela Bokun

Great. Thank you for that perspective. And it's interesting that you mentioned that SMBs are investing more in technology to address the increased competitiveness in the market. Several months ago, I conducted a similar podcast with another colleague of yours, Aileen Hannah, and Aileen was talking about the importance of AI for SMBs. Her main message was that for SMBs, AI will provide a completely new opportunity to now compete more effectively with large businesses. So, I would imagine that AI also has a really big importance in the cyber-security market. I am keen to hear your perspective.

Binil Pillai

Absolutely. So, SMBs are keen to explore the possibilities that AI can bring for accelerating their growth beyond what could significantly add value from a cyber-security perspective. As you know, AI technologies have become more pervasive across various domains, ensuring their security becomes a very crucial step for every organisation. Without the proper tools in place to secure company data, AI can lead to sensitive or confidential information gathering or getting into the wrong hands. Fortunately, more than half of companies are currently not using AI security tools and intend to implement them within the next 6 months for more advanced security. I believe AI-powered security solutions offer cost-effective alternatives for SMBs, like you mentioned, with limited budgets and resources. And the reality is AI can be crucial in SMB cyber security by providing advanced capabilities to detect, analyse and respond to potential threats. So, putting aside the risk, AI offers an outstanding opportunity to change the balance between attackers and defenders, especially for SMBs that lack skilled cyber-security resources.

Stela Bokun

And yet, the adoption of some of these solutions is a bit patchy, as you implied. So, what needs to happen, Binil? Do these SMBs need to get burnt first and then become more interested in adopting some of these more advanced solutions? Or are there other drivers or other ways of incentivising SMBs to invest earlier before they get burnt?

Binil Pillai

I think that's a very important question because that's a viable decision every SMB and organisation has to make. So fundamentally, they have to understand the foundational principle, like zero trust, for example. From there, understand what they need in terms of improving security posture and what they need from an AI perspective to improve efficiency and reduce cost. This can be achieved through a channel partner, for example. I think that's an important piece we need to bring in. From an SMB perspective, we don't expect them to be a security expert within the organisation's capacity point of view, but they have to rely heavily on channel partners like MSPs to understand what solutions are available, what is more efficient and productive for SMBs, and then make a right decision to apply the AI-powered cyber-security solutions to protect their assets as well as intellectual properties.

Channel partnerships in cyber security

Stela Bokun

I fully agree. One can't expect a 75- or 50-person company to have all the technical expertise in their IT teams. In many cases, these companies would have an IT manager or three-person team. So, they need to rely on technology partners to help them navigate through this very complex technology ecosystem. I was planning to talk first about the supply, about Microsoft and the competitors. But now that you mentioned the channel partners, let's go into the channel first, and then we'll talk a bit about Microsoft. 

So, let's start with trying to understand your overall channel strategy for cyber-security solutions for SMBs. I am particularly interested in understanding what your ideal partner looks like. So, is it about skill set, reach, track record? Or is it something else?

Binil Pillai

Absolutely. Maybe I will start with the channel landscape first, and then I will answer your question about the partner strategy or what a partner landscape looks like from a Microsoft perspective. So, let's start with the overall channel landscape for cyber security for SMB clients. 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. And less than 30% of SMBs manage security in-house and rely on security consultants, or, like you mentioned, service providers, to manage security needs. These security professionals provide crucial support in researching, selecting and implementing cyber-security solutions, ensuring that SMBs are protected from new threats. Here is where MSPs play an important role in securing businesses. These MSPs can enhance their support for SMB customers by leveraging AI-based cyber-security products. This is especially important for resellers or small MSPs who also face a shortage of skilled personnel in cyber-security practice. 

From the MSP bottom-line perspective, AI platforms reduce manual tasks and free up a team's time to focus on higher-value activities. It can also offer scalability and cost efficiency to allow MSPs to better manage and secure a growing number of clients without adding headcount. Our goal is to help grow our partners' security businesses. Our technology enables MSPs to enhance their existing service offering, enable the rapid deployment of cloud services and improve their customer security posture. We have indirect and direct cloud solution providers that include telcos, indirect partners that reach out to customers through their resellers and direct partners that engage with customers directly. So, if I look at what are the top priorities that we want our partners to focus on. Number one, a good channel partner is someone who listens to customer feedback and adapts strategies accordingly to serve them better and offer the best solution for their needs. And the other thing is the value and goals. We want to make sure our partners carry similar values and goals, Microsoft values, and have the ability to align with business goals. It helps coverage and turns sales motion towards a single goal. The third one I would put is the ability to collaborate with a growth mindset to navigate market complexities. I think there are many, but I think if I look at the top three from my perspective that a channel partner should bring value and work together, these are the three.

Stela Bokun

Thanks, Binil. You mentioned, obviously, MSPs. It's a really fragmented market, and we see at Analysys Mason a lot of consolidation happening in that market. Do you think that AI will differentiate winners from losers in this market? If I'm an investor assessing various MSPs, those that rely more on AI-enabled tools are potentially a better target. Or am I maybe reading too much into what you said?

Binil Pillai

I think you're spot on. Absolutely. I think, like any other industry, the consolidation is a natural process. So, it's reasonable to expect that the cyber-security market may follow a similar course. Most of the security vendors continue expanding the breadth of their offerings and adding modules to address new threats. However, the key architectural guiding principle, like zero trust, is likely to stay on at the foundational level. That's an important one. And the pace of evolution is so fast that there is constant demand for a new cyber-security tool. AI is a great example of that; it is revolutionising the cyber-security threat landscape from a vendor perspective. At the end of the day, simplification of the security stack and seamless integration become a key priority for customers to make decisions from the fragmented cyber-security vendor market.

Telco opportunities in cyber security

Stela Bokun

Great, thanks. What about telcos, Binil? We are projecting that the telco channel is currently accounting for anywhere between 18–20% of the total SMB cyber-related spending. But then, when you look at those that have been successful in this space, most of them had to make really large investments into this market. Generally speaking, it's a bit difficult for telcos to sell IT, and of course, cyber-security solutions are not their bread-and-butter business. And yet, there is a great opportunity for them. What are some of the key barriers that you think telcos need to overcome to address this opportunity? How do you see telcos as potential partners?

Binil Pillai

Yes, absolutely. I think telcos are important partners for Microsoft. More than a challenge, I see huge market potential for telcos to approach small and medium business customers. The addressable opportunity for telco will be nearly USD800 billion in 2022, according to your own research and data. And the cyber-security services will account for almost 20% of telco's incremental revenue from SMBs worldwide. We know telcos selling cyber-security services to SMBs are at different stages of offering solutions to SMBs. Some have advanced offerings scaled down from their enterprise division, while some are beginning to significantly develop their portfolio for SMBs. In Microsoft, we have constantly been hearing from our telco partners that managed detection and response and endpoint protection are the top priority services that they want to offer to their SMB clients. And telcos have an advantage in that way because they can build their connectivity services alongside security services to form a combined, comprehensive bundle that can easily be managed by SMBs. The question is, what percent of SMBs do not take security services from their telco provider, and how are telcos going to address that gap? We know offering IT services can sometimes be difficult for telcos; however, the cyber-security market has some unique characteristics for telcos. Network security and some mobile security solutions are closer to telcos' core competencies, giving telcos a logical starting point to enter a big market.

Microsoft's position in cyber security

Stela Bokun

Great. OK, I think we covered the channel. Now, let's go back to talking about Microsoft. It's a really busy market. There is a great abundance of companies of different sizes that are participating in this market. I wanted to hear your honest perspective on Microsoft's strengths and weaknesses vis-a-vis competition in this market. But let's talk about both, please. Nobody's perfect.

Binil Pillai

I like that question. So, let's start with how we position ourselves in the market. I think then we can also touch base on some of the areas that we could do even better. I think you said clearly Microsoft has many differentiation factors when it comes to SMB customers' preferences. Maybe let me pick the top two. 

First, we provide an end-to-end solution for our customers. Whether it is productivity, communication, or cloud platform services, security is incorporated by design. Customers get a robust solution that they can trust. We should also not undermine the value of vendor consolidation here. 

The second differentiation is our massive AI investment. We do have AI capabilities such as automated attack disruption and automated investigation remediation in our productivity and security solutions. We are embracing our partners to evangelise AI security for SMB customers. The other key investment is Security Copilot, which is the first generative AI security product designed to defend our customers at machine speed and scale. Security Copilot is designed to help security operations centre analysts be more effective and efficient at all the roles they play across security. Our customers see huge value in the natural language model we use because, with Security Copilot, their analysts don't have to write complex script. They can simply ask questions in English, and Security Copilot understands the context, sets the plan in motion and provides prescriptive guidance, resulting in significant productivity gains. 

Now, let me also touch base on some of the areas that we could do even better. I think the one area I would say that we need to look at is to address very small customers' needs from a security perspective. That's one area we need to look at from a long-term point of view. Also, we wanted to double down our practice development ability with our partners, which includes indirect, direct and telco partners, from a security practice development point of view. So those are a couple of areas we are putting a lot of focus on, doing more for the successful partner business.

Addressing vendor lock-in concerns

Stela Bokun

Great. Thank you for that. Remember when we were preparing for this conversation, I mentioned that I was going to ask some controversial questions. So here comes one. Brace yourself. You mentioned that you are an end-to-end provider, which is an advantage, a strength that Microsoft has. But doesn't that also imply a vendor lock-in? We interview SMBs fairly often for various projects, and they would say stuff like, oh, we are Microsoft House. Is that good or bad for SMBs?

Binil Pillai

That's a really good question. I will put this from a customer point of view, Stela. Let's understand what SMB customers need. What they need is a simple solution to operate their business with a strong security foundation. And they don't want to work with 10 to 15 security vendors. That's a complex environment. In fact, they do not even have an IT or internal security team. So, with limited resource capacity, SMBs prefer to partner with MSPs that can provide an end-to-end solution that helps to run highly productive businesses with robust security. And that is what Microsoft offers to SMBs through our channel partners.

Best practices for SMB cyber security

Stela Bokun

Great. Thanks for that. I have one final question for you, Binil. Thank you for all the answers so far. Our research suggests that SMBs are often lacking awareness regarding what constitutes adequate protection. So many times, I would talk to SMBs, and I would ask them, do you feel that you're well protected? And they would tell us yes. 80% of them would say, absolutely, we have all the protection in place. And then, you ask them to comment on the solutions that they actually have in place and you get a completely different impression. It can often be really thin. So, it would be great if you could talk directly to SMBs at the end of this podcast and recommend to them what you think is the bare minimum that businesses of different sizes should have in place when it comes to cyber security.

Binil Pillai

That's a great question, Stela. I appreciate that you asked that. Let me start from here. As you know, security is a foundational capability for successful business and operations. With cyber-attacks on the rise, SMBs are increasingly affected. That's the reality. Research shows that 31% of SMBs have been victims of cyber-attacks such as ransomware, phishing and data breaches. Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has aligned four simple best practices to create a strong cyber-security foundation. So first, we wanted our SMB customers to take note of these simple best practices to improve their security hygiene. 

Number one, use strong passwords and consider a password manager. Two, turn on multi-factor authentication. Third, learn to recognise and report phishing attempts. And the fourth one, make sure you keep your software always updated. I think those are the four fundamental guidelines for any customer to follow. 

A second one I want to add in addition to those four guidelines is we want our customers to assess their security posture so that you can take the right steps to mitigate their security gaps. We do provide self-service cyber-security assessments to our SMB customers. It's completely free, and MSP can also help perform cyber-security assessments on behalf of the customer. 

A third one I will add to the list for SMBs to focus on is leveraging AI capabilities in their cyber-security solution. Because we believe AI-powered security solutions offer cost-effective alternatives for SMBs with limited budgets and resources. By embracing AI capabilities, SMBs can harness the power of AI to enhance cyber-security resiliency. There are many steps, but I just wanted to bring these three to four steps as a foundation for every SMB to take note of. However, having a strategic partner is key to building a strong cyber-security foundation. So reach out to Microsoft MSP as your strategic partner to deploy AI-based cyber-security solutions and get their managed services to improve efficiency and oversee day-to-day IT activities.

Stela Bokun

Thank you so much, Binil. This has been a really interesting conversation, as I expected. 

Big thanks also to our audience for listening to this podcast. And over to you, Mary. 

Mary Wack

Thanks so much, Binil and Stela. That was a great conversation. Binil, I can say I wholeheartedly agree with the basics you just listed. And I found it particularly interesting to hear your thoughts on the growing role of AI in the SMB cyber-security space. I'm sure listeners will be interested in all of your insights. So, any final thoughts?

Binil Pillai

First of all, thank you for having me here. This is a very interesting conversation. I think the one thing I wanted to say is that security is a journey for every SMB. The question is, shall we start the journey right now? You don't need to wait for something to happen. So make sure you get connected with your MSP strategic partners to begin the conversation and continue improving security day by day.

Mary Wack

Great. Thank you, Binil. 

If you'd like to learn more about how Analysys Mason supports companies with their cyber-security requirements, click the link in the show notes. Thank you so much for listening.