96% of SMBs are missing critical cybersecurity skills – here's why


The vast majority of small and medium-sized businesses (SMBs) have gaps in their cyber skills and expertise, according to research from Sophos.

Some 96% of SMBs find at least one aspect of investigating suspicious alerts difficult, with specific tasks including identifying which signals to investigate, prioritizing which signals to probe, or keeping accurate records.

Sophos’ survey fielded responses from 5,000 IT and cybersecurity professionals across 14 countries and was conducted in Q1 2024.

The security firm found that organizations with fewer than 500 staff - the definition of SMB for this report - perceive a shortage of in-house cybersecurity skills and expertise to be their second biggest security risk.

By comparison, this factor ranks seventh in cyber threats for organizations with over 500 staff members.

The report noted that smaller teams make it more challenging for IT workers to take time out for security education and mean staff have fewer opportunities to benefit from peer-to-peer learning.

The report also found that a third (33%) of the time, no one is actively monitoring, investigating, or responding to security alerts in SMBs.

“SMBs are most acutely impacted by the cyber security skills shortage,” Ben Aung, Sage’s chief risk officer, told ITPro.

“They have neither the budgets nor career opportunities to compete against larger organizations for cybersecurity talent, and often lack the capabilities and resources to bring in new entrants and train them up,” he added.

Simplified solutions are key to SMB cybersecurity

As SMBs are critical to the supply chain of larger organizations, Aung said, it's important that governments, larger firms, and resellers meet the challenge of the SMB cyber skills shortage. The key, he thinks, is simplicity.

“These organizations can significantly reduce SMBs' cyber risks by offering technology and services which are secure, easy to configure and operate right out of the box,” he said.

“SMBs should be able to take advantage of digital tools and the cloud without needing a PhD in cyber security - it should be simple to enable multi-factor authentication (MFA), set user access permissions and important controls like security patching and data backups should just be set up by default,” he added.

Concerns over cyber skills shortages come amid a period of escalating threats for SMBs globally. Research from Kaspersky earlier this year, for example, found the number of cyber infections experienced by small businesses in Q1 rose by 5% compared to the same period in 2023.

Over 2,400 firms encountered malware on their systems, with the most common form of attack being trojans that often find their way into IT systems under the guise of legitimate software.

Similarly, a recent study from Vodafone found nearly half (43%) of all cyber attacks in the UK specifically target SMBs. The impact this has on small businesses cannot be overstated, the study found, with around 60% of these leading to business closures within just six months.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.
