Editor’s Question: How can SMEs fill the cybersecurity skills void?

The cyberattack threat continues to grow. The latest startling statistics show that more than 80% of UK businesses experienced at least one cyberattack in 2022. This is up by just under 10% compared to the previous annual findings.

To put that into greater context, that number means more than 4,400,000 registered companies were targeted at some point over the last 12 months in the UK. That’s not all.

The same report highlights that IT managers across the UK only spend 11.3% of their budget on security, while a survey recorded between October 2021 and January 2022 showed that 36% of businesses that suffered a cybersecurity breach took no action at all.

According to David Ballard, Director at UK Wi-Fi specialist consultancy Performance Networks, it’s high time that businesses prioritised implementing more stringent IT security strategies to combat the growing threat.

He said: “The reality is that businesses are easier to target than ever before. Remote working, which was forced upon us by the COVID-19 pandemic and then adopted permanently by millions of companies across multiple sectors, is leaving our networks exposed more than ever before.

“When the pandemic hit, while agility was embraced to quickly enable home/remote working, there wasn’t, in most cases, the time to really look into the security when working from home – or a co-working space for that matter. This remains an issue even now for most companies.

“IT teams had to try and find a way of managing a situation that was once housed under one roof to one that is now in multiple locations.”

Ballard went on to say that what’s clear is that a lot of UK businesses do not have an integrated plan when it comes to security for remote working.

While it is a lot of work, an infrastructure plan needs to be built around remote working, enabling companies to work with people’s existing home hardware and ensure that whatever traffic is coming through is secure.

There are different standards of security within Wi-Fi. Remote working has made it all too easy for hackers to break the security lines, mainly because so many remote workers do not have enterprise-grade security in place.

Ballard said: “With security comes complexity and the set-up of that, generally, is seen as too complicated for the home environment. How that gets addressed is becoming more and more important but there are simple solutions that businesses can implement to get around this issue.

“Though it comes with a high price point, businesses could implement an all-in-one enterprise-grade firewall/router/Virtual Private Network (VPN) endpoint/access point and centrally manage the configuration so it is uniform across the company.

“A cheaper option would be to implement software VPN clients on the users’ laptops with two-factor authentication and limit admin-level access, then advise on best practice home Wi-Fi setup, which includes minimum passwords and not using old encryption methods (WEP etc).

“Lastly, change the default admin password to the router, because if a hacker gets access to this, they can redirect you to things like fake sites. Regularly check for firmware updates to ensure no known security holes are exposed.”

Three experts give their response to this question below:

Brian Martin, Head of Product, Strategy and Innovation at Integrity360:

There’s been a cybersecurity skills shortage for years. It’s an issue the industry continues to struggle with and it’s not going away any time soon. According to the (ISC)² Cybersecurity Workforce Study, there is a global cybersecurity workforce gap of 3.4 million people.

For SMEs, the problem is further exacerbated because their cybersecurity budget is often lower and more constrained than that of their larger counterparts. It can seem daunting as an SME to start tackling cybersecurity, but the costs of a data breach far exceed the investment needed to protect your organisation. For many SMEs, in fact, a serious data breach or ransomware attack can be an existential event. While the costs and time involved in seeking, hiring and training the required cybersecurity professionals to secure their systems are a necessity, there are no guarantees that if they do, then they will stay.

Not only this, but cybersecurity professionals must be adaptable and have a wide range of skills to keep up. Threats are constantly evolving, and every new piece of technology released has a digital component that also needs a security consideration.

Organisations need to be more diverse and shun the unconscious bias in terms of what represents a cybersecurity resource, which historically may have excluded an ideal profile based on age, gender or background. Competition for cybertalent is fierce, with cybersecurity professionals capable of commanding very high salaries and essentially having their pick of roles.

One option is for SMEs to utilise an MSSP or MDR provider. This can help avoid these challenges and really benefit SMEs struggling to fill their cybersecurity needs and the worry that comes with acquiring an in-house specialist to cover everything. It’s cost-effective and more flexible too, allowing a business to scale at pace, confident in the knowledge they are protected from cyberthreats. Businesses can make further savings by not having to purchase expensive software or tools due to an MSSP or MDR provider having access to the latest technology already. Service providers can afford to invest in the leading platforms and technology due to economies of scale in delivering services to many customers.

Where skills are in short supply, automation technology can also provide some help in alleviating the issue. In particular, where processes are defined and already exist within the security information centre, it can be useful to look at repetitive tasks: those that have defined inputs and outputs. These tasks are ones that staff are spending inordinate amounts of time on repetitively.

Knowing which tools to use ensures the right level of automation, leaving other key staff free to undertake the tasks that will give them higher job satisfaction and make it more likely for them to remain in that role and limit the risk of cyber burnout.

MSSPs can cover all security bases by managing firewalls and other security infrastructure, monitoring networks, optimising intrusion detection and prevention solutions, tracking and prioritising vulnerabilities, detecting and responding to threats, and, if the worst should happen, carrying out incident response when needed.

Ram Narayanan, Country Manager at Check Point Software Technologies, Middle East:

The global cyberskills gap grew by more than 25% in 2022. Yet organisations have more complex, distributed networks and cloud deployments than ever before, because of the pandemic. Given the global cybersecurity skills shortage, SMBs are struggling to properly secure their critical assets, making them a growing target for cybercriminals. Research from Analysys Mason uncovers how SMBs are emerging from the pandemic and how their business and technology needs are changing. The survey revealed that, while SMBs understand the need to invest in technology to support growth in the world of hybrid working, unfortunately, many fail to prioritise security. With remote workers using home and office access points, the attack surface has expanded, thereby increasing the risk of cyberattacks. With the increase in supply chain attacks across the industry, cybercriminals are increasingly using more vulnerable SMBs as an entry point into larger enterprises. This approach wreaks havoc on both the SMBs and all the enterprises they interact with.

Although employees are frequently an SME’s greatest asset, they may also be its weakest defence. Many SMEs may have someone in charge of monitoring and maintaining their IT systems who may not have had professional cybersecurity training. This may be a member of the SME’s own staff or perhaps an external IT supplier with expertise in IT but perhaps not cybersecurity. Staff members who are in charge of cybersecurity but who lack the necessary training or expertise in the field risk making mistakes due to ignorance or inexperience. They could even fail to configure a system or device properly for security.

It’s still difficult for SMEs to promote security training and awareness. This shouldn’t come as a surprise because SMEs have long struggled to provide efficient security training. Given that social engineering accounts for the bulk of successful attacks, the move to remote working has further underlined the urgent need for SMEs to train employees in secure home working practices. For individuals in charge of managing cybersecurity within the company, SMEs should make sure there is a proper cybersecurity training programme, with the necessary budgets and resources. They will therefore be equipped with the knowledge and abilities needed to guarantee the organisation’s IT infrastructure is safe, accessible and running smoothly. SMBs should also consider leveraging third party managed service providers to gain access to experienced cybersecurity professionals at an affordable cost. Third party advisors can provide expert advice on the best security solution for each SMB along with training and on-going support.

Alain Penel, Vice President Middle East, Turkey and CIS at Fortinet:

Many SMEs are often unprepared for cybersecurity threats that lurk online, and 71% of businesses with fewer than 500 employees confirmed or believed they had a security incident in 2021, according to Fortinet’s report on the State of Small Business Security. SMEs often have the perception that their small size isn’t attractive to cybercriminals; however, SMEs must understand that cybercrime is a profitable and organised business and where there is financial gain, it’s lucrative for cybercriminals, regardless of their size. SMEs are also easy victims because they look to accelerate their growth with advanced technology but lack the necessary security systems or the right resources to mitigate or protect their infrastructure. They need to have well-trained and skilled individuals who can help keep their businesses safe from possible cyberthreats and attacks. As cybersecurity continues to become more commonplace in our day-to-day lives, the value and need to have IT security professionals on staff is rising, increasing budgets to hire and retain these individuals. For 2022, participants reported an average increase of 5% to their previous year’s security budget.

One way of doing this is to ensure that their existing resources update and upgrade their certifications and training. As part of the Fortinet NSE Training Institute, the Education Outreach Programme extends to various sectors, including academia, government and non-profits, to ensure all populations – such as women, minorities and veterans – are provided with opportunities for a career in cyber. The Fortinet Training Institute achieved the milestone of over 1 million NSE certifications issued to date (October 2022). The eight-level training and certification programme is designed to provide technical professionals with independent validation of their security and networking skills as well as work experience. Fortinet’s 2022 Global Skills Gap report revealed that 95% of leaders believe technology-focused certifications positively impact their role and their team, while 81% of leaders prefer to hire people with certifications. Any company looking to further protect their security posture by advancing all their employees’ cyberskill sets and knowledge can easily deploy the Fortinet Training Institute’s Security Awareness and Training Service. The Fortinet Security Awareness and Training service provides timely end-user awareness training on cybersecurity threats. It assists an organisation’s leaders of IT, security and compliance in establishing a cybersecurity awareness culture where employees recognise cyberthreats immediately and avoid falling victim to them. The training service also helps satisfy regulatory or industry compliance training requirements for organisations that need to comply.

The cybersecurity skills gap is an issue that has plagued the industry for years and can affect how successful cybercriminals are when teams are strained and don’t have the right talent. Fortinet made a commitment in September of 2021 to train 1 million people in cybersecurity over five years between 2022-2026 and is on track to meet this through various initiatives.
