Introduction

Small and medium-sized businesses (SMBs) globally are facing a critical shortage of in-house cybersecurity expertise, leaving them increasingly susceptible to cyberattacks. This deficiency not only heightens the risk of attacks but also contributes to talent burnout and provides more opportunities for threat actors.

Description

A significant shortage of in-house cybersecurity expertise in small and medium-sized businesses (SMBs) worldwide is leaving these organizations increasingly vulnerable to attacks, leading to talent burnout and heightened opportunities for threat actors [5]. According to a report by Sophos [3], which surveyed over 5,000 IT and security professionals across various organizations [3], the skills gap is identified as the second most significant cyber challenge for SMBs, just below zero-day vulnerabilities [4]. Smaller organizations [2] [3] [4] [5], particularly those with fewer than 500 employees, face unique vulnerabilities due to this lack of in-house cybersecurity skills, with 96% of SMBs finding basic security tasks [3], such as identifying and prioritizing signals for investigation [3], more challenging than their larger counterparts.

This skills gap results in insufficient expertise and limited capacity to respond to security incidents [1], hampering ongoing learning for teams and making it difficult to adapt to the evolving threat landscape [5]. Alarmingly, 75% of SMBs struggle to respond promptly to malicious alerts, and there are instances where no one is monitoring or responding to security alerts 33% of the time, significantly increasing vulnerability to attacks [1]. This concern is amplified by the fact that 91% of ransomware attacks occur outside of normal business hours, with data indicating that most incidents take place at night and on weekends. The upcoming holiday season may further exacerbate the situation due to reduced staff availability [4].

The skills gap in SMBs may also correlate with poorer outcomes during cyberattacks [5], as threat actors successfully encrypted data in 74% of SMB attacks [5], compared to 66% for larger organizations with 1,001 to 5,000 employees [5]. Chronic burnout among cybersecurity professionals exacerbates this skills gap [3], with a significant percentage of organizations reporting fatigue and burnout among their IT staff [3]. To mitigate these risks [1], engaging third-party cybersecurity specialists is recommended [1], with managed detection and response (MDR) services and managed service providers (MSPs) being the most common solutions [1]. MDR services offer continuous threat detection and response [1], while MSPs provide in-house IT and cybersecurity support [1].

The report emphasizes the urgent need for SMBs to enhance their cybersecurity posture and encourages businesses to assess their security capabilities and seek external expertise to improve their overall cyber resilience, balancing internal strengths with external support [1].

Conclusion

The cybersecurity skills gap in SMBs poses significant risks, including increased vulnerability to attacks and poorer outcomes during incidents. To address these challenges [4], SMBs should consider leveraging third-party cybersecurity services such as MDR and MSPs to bolster their defenses. As cyber threats continue to evolve, it is crucial for SMBs to enhance their cybersecurity strategies, ensuring they are well-prepared to protect their assets and maintain resilience against future threats.

References

[1] https://www.comms-dealer.com/skills-gap/sophos-report-shows-effects-cybersecurity-skills-gap
[2] https://www.fudzilla.com/news/59871-small-businesses-walloped-by-security-skills-shortage
[3] https://www.digit.fyi/cyber-skills-shortage-a-top-security-threat-to-smbs/
[4] https://thenimblenerd.com/article/cybersecurity-crisis-smbs-struggling-with-talent-shortage-and-rising-threats/
[5] https://www.infosecurity-magazine.com/news/skills-shortages-toptwo-security/