A lack of IT expertise is damaging the cyber resilience of SMBs. Worryingly, around 25% of small businesses are spending less on cyber resilience, which creates an increased risk of data breaches. The details come from a three-question Twitter survey run by Infosecurity Europe.
“Lack of skills, combined with a rise in remote working and shrinking budgets, could prove to be a ‘perfect storm’ for smaller businesses. If they are ultimately responsible for their own cyber resilience maturity, as most believe, achieving this without the relevant expertise and resources will be nigh-on impossible. The constraints SMBs are operating under won’t be going anywhere – but enhancing their resilience must be a key priority for 2021.”
What did Infosecurity ask?
There were three questions in the Twitter poll. The questions and responses were:
How has the impact of the pandemic fuelled your spending on cyber resilience in your small business this year?
- Spent significantly more 17.9%
- It’s made little impact 43.1%
- We have had to spend less 24.2%
- Spend was relocated 14.8%
Total 1086 votes
Who should be responsible for educating and supporting smaller businesses in cyber resilience?
- Government bodies 32.3%
- Large tech companies 18.1%
- The companies themselves 49.7%
What has had the biggest negative impact on cyber resilience within small businesses this year?
- Scaling up within budget 14.7%
- Lack of expertise 41.5%
- Surge in remote workers 34%
- Prioritising cyber tasks 9.9%
A need for investment and training in cyber resilience
Cyber resilience is about dealing with everything related to a cyberattack. It starts with planning and then covers response to and recovery from an attack.
For many organisations, particularly smaller SMBs, there is rarely enough money or experience to do more than just focus on the prevention of an attack. This includes malware protection, creating effective security policies and training staff. Larger SMBs will deploy encryption to protect data, although cloud services are making this affordable to all. One area that is often missed off
With so many staff working at home, that protection has created other pressures. That 39% are reducing or relocating budget raises questions over the impact on security. What corners are being cut? What systems are no longer being protected? More importantly, with many employees working from home on personal devices, how are companies protecting these?
Cybersecurity education is a key part of protecting employees at home, but effective training takes time, money and effort. The good news is that almost half of the SMBs are willing to train their own staff. What is strange is that 32% think the government should do this, and 18% believe that large tech companies, presumably partners, should do the training.
It is a view that is not as far-fetched as it sounds. There have been calls for larger enterprises to invest more in securing their supply chain for years. Helping smaller companies improve their cyber resiliency would improve the cyber resilience of larger businesses.
Enterprise Times: What does this mean?
Reducing investment in cybersecurity seems madness at a time when cyberattacks are on the increase. However, in the current economic climate, organisations have other priorities, such as simply surviving. The results of the survey also show two other reasons why cyber resiliency has been impacted.
One of those is the surge in remote workers, already covered above. The second is the shortage of skills or, to be more precise, the shortage of affordable skills. Whenever there is a shortage of skills, the price goes up. SMBs find themselves competing with larger companies with deeper pockets. Many of those can afford to offer not just high salaries but also help with getting professional qualifications.
If SMBs are to improve their cyber resiliency, they need to rethink their approach. At present, they are too focused on prevention rather than on how to respond to and recover from an attack. As their security levels drop, they become easy targets for attackers.
It’s not an easy problem to solve. Working with larger partners to take advantage of the training they have developed is one solution. Offering cybersecurity staff more than just a pay packet is another. A third is to talk to managed security service providers (MSSPs). These can work with existing staff and outsource more technical problems.