Skills Shortages Now a Top-Two Security Risk for SMBs
A shortage of cybersecurity expertise and capacity in global SMBs is fueling talent burnout and creating new opportunities for threat actors, Sophos has warned.
The UK-headquartered security vendor polled 5000 IT and security professionals in 14 countries, 1402 of whom work in organizations with 100-500 employees, to compile its report: Addressing the cybersecurity skills shortage in SMBs.
It revealed that a shortage of security skills is now ranked by SMBs as their second top cyber challenge after zero-day threats, while for organizations of over 500 employees, it ranks only seventh.
The report claimed that SMB skills shortages make it harder for teams to continue learning on the job, as they must to keep pace with the ever-changing threat landscape. Nearly all (96%) respondents in smaller businesses claimed to find at least one aspect of investigating suspicious alerts challenging.
Read more on skills shortages: SMB Skills Gaps and #COVID19 Imperil Cyber-Resilience
Fewer staff can also mean that threats go unmonitored for longer periods, according to Sophos.
SMBs have no one actively monitoring, investigating or responding to alerts for a third of the time, the report noted. That’s a problem when 81% of attacks reportedly start outside of normal business hours. In fact, data from Malwarebytes released in August revealed most ransomware attacks now happen at night and weekends.
SMB skills shortages could also be linked to worse outcomes when it comes to such attacks.
Threat actors managed to encrypt data in 74% of SMB attacks, versus just 66% of attacks on organizations with 1001-5000 employees, according to the Sophos report.
A Vicious Cycle
Worryingly, skills shortages may also create a vicious cycle whereby stretched teams are more likely to suffer burnout, leaving even fewer colleagues left to guard the fort.
Sophos pointed to a separate APAC study which revealed 85% of organizations experience fatigue and burnout among their IT and security professionals, with a quarter (23%) experiencing it “frequently,” and 62% “occasionally.” Some 90% of companies polled said burnout rates had increased in the past 12 months, with 30% saying they had risen “significantly.”
“A shortage of in-house cybersecurity skills is one of the biggest cyber risks for businesses today. When you couple this mounting skills gap with a major burnout crisis among cybersecurity professionals, small businesses are more vulnerable to attacks,” said Sophos field CTO, Aaron Bugal.
“With 91% of ransomware attacks occurring outside of standard business hours, SMBs need to monitor their networks 24/7 to identify malicious activity before an attacker can exfiltrate or encrypt data.”