Skills gap hitting SME cyber resilience

A lack of expertise is the issue having the greatest negative impact on cyber resilience within small businesses, according to a poll run by Infosecurity Europe.

More than 41.5 percent of respondents to Infosecurity Europe’s poll were worried about the skills gap. The surge in remote workers driven by COVID-19 lockdowns is the second biggest stumbling block, cited by 34 percent of respondents.

The findings suggest that the need for SMBs to adopt digital ways of working at pace may have significantly increased their cybersecurity risk and vulnerabilities.

The impacts felt by small businesses across the UK as a result of the coronavirus pandemic are estimated to be six times larger than they were during the 2008 recession, according to analysis undertaken by O2 Business and the Centre for Economic Business Research (Cebr). Infosecurity Europe’s poll set out to find out how SMBs are managing to build and invest in cyber resilience – their ability to prepare for, respond to and recover from cyberattacks – and the obstacles they face.

Maxine Holt, Senior Research Director at Omdia, said that companies found the need for home workers a problem.

“These organisations typically don’t have a dedicated cybersecurity function, and it’s part of someone’s job to oversee it. There was a sticking plaster placed over security during the shift to remote working, which isn’t sustainable. Companies must now peel the sticking plaster back, and put longer term security approaches in place.”

The skills deficit is of particular concern as half of poll respondents believe small companies bear primary responsibility for educating and supporting themselves in becoming cyber resilient. This was followed by government bodies (32.3 percent) and large tech companies (18.1 percent).

Holt said: “Government bodies certainly have a role to play in educating and supporting SMBs, such as the NCSC in the UK, but protecting the business is the companies’ own responsibility. There are plenty of free resources available, not only from government bodies but also standards bodies, management consultancies, technology vendors, and service providers. This is one way of keeping up with the ever-widening skills gap.”

Independent researcher David Edwards said governments need to drive the initiative more visibly, through financial incentives. “A direct link to small business tax relief for attaining certain cyber essentials would mean there’s a motivation to learn and investigate cybersecurity”, he said. “The mindset then shifts to missing out on a benefit as opposed to increasing costs.”

The outbreak of COVID-19 has squeezed the budgets of many small businesses, making it more difficult for them to find the funds to invest in the areas of cybersecurity that need bolstering. When asked how the pandemic has impacted their spending on cyber resilience, a quarter of small businesses (24 percent) have had to spend less. Only 18 percent have spent significantly more, while 43 percent say that ‘little has changed’.

Heidi Shey, Principal Analyst serving Security and Risk Professionals with Forrester Research, said: “For many small businesses, the focus was on making sure they could still operate, and concerns like cyber resilience weren’t necessarily a priority. If business is down, cuts have to come from somewhere. Harder-hit sectors like retail or travel had to make different choices than those in a more fortunate position. Most spending was reactive; to support remote work, many had to make investments in things like laptops, VPNs and collaboration applications.”

Nicole Mills, Senior Exhibition Director at Infosecurity Group, said: “Human skill and expertise was singled out as the most important element of a cyber resilience approach in our November poll. Lack of skills, combined with a rise in remote working and shrinking budgets, could prove to be a ‘perfect storm’ for smaller businesses. If they are ultimately responsible for their own cyber resilience maturity, as most believe, achieving this without the relevant expertise and resources will be nigh-on impossible. The constraints SMBs are operating under won’t be going anywhere – but enhancing their resilience must be a key priority for 2021.”

Cyber resilience will form a core theme for Infosecurity Europe 2021 (8-10 June, Olympia, London) and will be covered extensively as part of the Conference programme. To register your interest in exhibiting or attending in 2021, visit: https://www.infosecurityeurope.com/en-gb/enquire.html

Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 8-10 June 2021.