A lack of expertise is the issue having the greatest negative impact on cyber resilience within small businesses, according to 41.5 per cent of respondents to the latest Twitter poll run by Infosecurity Europe, the information security event series.
A surge in remote workers driven by COVID-19 lockdowns is the second biggest stumbling block, cited by 34 per cent of respondents.
The impacts felt by small businesses across the UK as a result of the coronavirus pandemic are estimated to be six times larger than they were during the 2008 recession, according to analysis by O2 Business and the Centre for Economic Business Research (Cebr). Infosecurity Europe’s poll set out to find out how SMBs are managing to build and invest in cyber resilience – their ability to prepare for, respond to and recover from cyber attacks – and the obstacles they face.
Maxine Holt, Senior Research Director at Omdia, said: “The rapid pivot to remote working was – and continues to be – a huge challenge for SMBs. These organisations typically don’t have a dedicated cybersecurity function, and it’s part of someone’s job to oversee it. There was a sticking plaster placed over security during the shift to remote working, which isn’t sustainable. Companies must now peel the sticking plaster back, and put longer term security approaches in place.”
The skills deficit is of particular concern as about half (49.7pc) of poll respondents believe small companies bear primary responsibility for educating and supporting themselves in becoming cyber resilient. This was followed by government bodies (32.3pc) and large tech companies (18.1pc).
Maxine Holt agreed. “Government bodies certainly have a role to play in educating and supporting SMBs, such as the NCSC in the UK, but protecting the business is the companies’ own responsibility. There are plenty of free resources available, not only from government bodies but also standards bodies, management consultancies, technology vendors, and service providers. This is one way of keeping up with the ever-widening skills gap.”
Independent researcher David Edwards believes governments need to drive the initiative more visibly, through financial incentives. “A direct link to small business tax relief for attaining certain cyber essentials would mean there’s a motivation to learn and investigate cybersecurity. The mindset then shifts to missing out on a benefit as opposed to increasing costs.”
The outbreak of COVID-19 has squeezed the budgets of many small businesses, making it more difficult for them to find the funds to invest in cybersecurity. When asked how the pandemic has impacted their spending on cyber resilience, almost a quarter of small businesses (24pc) have had to spend less. Only 18 per cent have spent significantly more, while 43 per cent say that ‘little has changed’.
“Typical challenges such as lack of budget, staff being stretched thin and a changing threat environment have all been amplified in 2020,” says Heidi Shey, Principal Analyst serving Security and Risk Professionals with Forrester Research. “For many small businesses, the focus was on making sure they could still operate, and concerns like cyber resilience weren’t necessarily a priority. If business is down, cuts have to come from somewhere. Harder-hit sectors like retail or travel had to make different choices than those in a more fortunate position. Most spending was reactive; to support remote work, many had to make investments in things like laptops, VPNs and collaboration applications.”
Nicole Mills, Senior Exhibition Director at Infosecurity Group says: “Human skill and expertise was singled out as the most important element of a cyber resilience approach in our November poll. Lack of skills, combined with a rise in remote working and shrinking budgets, could prove to be a ‘perfect storm’ for smaller businesses. If they are ultimately responsible for their own cyber resilience maturity, as most believe, achieving this without the relevant expertise and resources will be nigh-on impossible. The constraints SMBs are operating under won’t be going anywhere – but enhancing their resilience must be a key priority for 2021.”
About Infosecurity Europe 2021
The conference and exhibition, unable to run in summer 2020 due to the covid-19 pandemic, is due to run from June 8 to 10, at Olympia, west London, pictured. To register your interest in exhibiting or attending in 2021 visit https://www.infosecurityeurope.com/en-gb/enquire.html.
