A survey of 612 IT decision-makers working for small-to-medium enterprises (SMEs) in the United Kingdom and the U.S. published this week finds nearly half (45%) have seen their organization fall victim to at least one cyberattack in the first half of this year.

Conducted by JumpCloud, a provider of an IT and cybersecurity management platform, the survey finds that 28% of the respondents who report being victimized have been struck by two cyberattacks, with 17% having experienced three attacks. Half (50%) report being more concerned about their organization’s security posture than they were six months ago.

The most common source for cyberattacks was phishing (43%), followed by shadow IT (37%), stolen or lost credentials (33%), and a breach that involved a third-party organization (30%).

A full 60% of respondents now consider security to be their biggest IT challenge, followed by new service and application rollouts (42%), the cost of solutions necessary to enable remote work (41%), and device management (39%).

IT Teams Lack Resources

Nearly half (49%) said IT teams say that despite their best efforts lack the resources and staffing to secure the organization against cybersecurity threats. The four biggest security concerns are network attacks (40%), followed by software vulnerability exploits (31%), ransomware (31%), and shadow IT (29%).

Chase Doelling, head of strategy at JumpCloud, said that as the overall attack surface that needs to be defended continues to increase many of the IT and cybersecurity professionals who work for SMEs are being overwhelmed. On the plus side, IT teams are now assuming more responsibility for security operations to make up for the ongoing chronic shortage of cybersecurity expertise, he added.

For example, in the wake of the COVID-19 pandemic the number of software-as-a-service (SaaS) and cloud platforms that organizations rely on has increased considerably, noted Doelling. However, much of the usage of those platforms is outside the scope of the IT department.

The survey finds a full 84% of respondents as concerned about Shadow IT applications and 36% said they have more important priorities. Just under a third (31%) said business users move too fast to keep up with their needs. In addition, 32% said they lack the ability to discover all the applications used by employees, while 24% said they don’t have a SaaS management or asset management solution to manage shadow IT.

A total of 29% also admitted they lack partnership and communication with business partners.

The average SME relies on multiple platforms, including Windows (63%), macOS (24%) and Linux platforms (18%). Nearly half of IT admins (45%) as a result require five to 10 tools to manage the worker lifecycle.

Additionally, 76% said their organization relies on a managed service provider (MSP). Over the next 12 months, 67% of SMEs say they’ll increase their MSP investment. When asked about the results of working with an MSP, 56% said MSPs lead to better security. Well over half (57%) said MSPs increased their effectiveness at managing IT, and 37% said they saved money for their organization. Not all IT teams are eager to work with MSPs. For the 24% who don’t use an MSP, nearly half said it’s because they prefer to handle IT themselves (47%), and 39% say it’s because MSPs are too expensive.

Well over a third (39%) also have concerns about how MSPs manage security. The main reason SMEs stopped working with an MSP was cost (28%), followed by outgrowing the services provided (26%), a decision to rely more on internal IT (24%), or a bad customer service or sales team experience (23%).

Finally, the survey suggests opinions on the impact artificial intelligence (AI) will have on the role of IT teams is evolving. When asked how their opinion changed in the last six months about how AI will impact their job, 22% said the impact of AI is much lower than they thought. Just over a third (34%) said the potential impact of AI is the same but it’s moving slower than they thought it would. Conversely, 21% said their opinion hasn’t changed, while 23% said they feel the impact of AI is even greater than they thought it would be. Over one-third of IT admins (35%) did admit they’re worried about the impact with has on their job and 61% said AI is outpacing their organization’s ability to protect against threats.

The best thing most IT and cybersecurity teams do in the face of all these threats is to remain focused on the fundamentals, said Doelling. The challenge is that given the size of that attack surface that needs to be defended there are just too many ways even the simplest of cyberattacks can prove lethal.