Lack of IT expertise is significantly undermining SMBs’ cyber resilience

Risk of data breaches is exacerbated by reduced investment, with a quarter of small businesses spending less on cyber resilience

Posted 26 November 2020 by Christine Horton

A lack of expertise is having the greatest negative impact on cyber resilience within small businesses, according to 41.5 percent of respondents to the latest Twitter poll run by Infosecurity Europe.

The surge in remote workers driven by COVID-19 lockdowns is the second biggest stumbling block, cited by 34 percent of respondents. The findings suggest that the need for SMBs to adopt digital ways of working at pace may have significantly increased their cybersecurity risk and vulnerabilities. 

The impact felt by small businesses across the UK as a result of the coronavirus pandemic is estimated to be six times larger than it was during the 2008 recession, according to analysis undertaken by O2 Business and the Centre for Economic Business Research (Cebr).

“The rapid pivot to remote working was – and continues to be – a huge challenge for SMBs,” said Maxine Holt, Senior Research Director at Omdia. “These organisations typically don’t have a dedicated cybersecurity function, and it’s part of someone’s job to oversee it. There was a sticking plaster placed over security during the shift to remote working, which isn’t sustainable. Companies must now peel the sticking plaster back and put longer term security approaches in place.” 

Government bodies

The skills deficit is of particular concern as half (49.7 percent) of respondents believe small companies bear responsibility for educating and supporting themselves in becoming cyber resilient. This was followed by government bodies (32.3 percent) and large tech companies (18.1 percent).  

Maxine Holt agrees. “Government bodies certainly have a role to play in educating and supporting SMBs, such as the NCSC in the UK,” she says, “but protecting the business is the companies’ own responsibility. There are plenty of free resources available, not only from government bodies but also standards bodies, management consultancies, technology vendors, and service providers. This is one way of keeping up with the ever-widening skills gap.” 

Independent researcher David Edwards believes governments need to drive the initiative more visibly, through financial incentives. “A direct link to small business tax relief for attaining certain cyber essentials would mean there’s a motivation to learn and investigate cybersecurity,” he explains. “The mindset then shifts to missing out on a benefit as opposed to increasing costs.” 

The outbreak of COVID-19 has squeezed the budgets of many small businesses, making it more difficult for them to find the funds to invest in the areas of cybersecurity that need bolstering. When asked how the pandemic has impacted their spending on cyber resilience, a quarter of small businesses (24 percent) have had to spend less. Only 18 percent have spent significantly more, while 43 percent say that ‘little has changed’.

At the Think Cybersecurity for Government event next week, Paul McKay, senior analyst – security and risk at Forrester, takes a look at cybersecurity across the public sector from the outside in, comparing it with activity across the private sector and suggesting potential focuses and areas of concern for the years ahead.