The cyber security skills gap and how it affects SMBs
Even when equipped with smart technology, protected by the latest firewalls and VPNs and secured with the latest AI bots, all businesses are susceptible to cyber attack if they aren’t savvy enough to see the dangers on the horizon.
The problem is that despite the influx of sophisticated technologies, many business employees – more than half (54%) according to a report by the World Economic Forum – lack the skills and understanding required to leverage them. So should small and medium-sized businesses (SMBs) be worried about being attacked? Absolutely.
This lack of cyber security awareness can be chalked up to a lack of cyber security talent, sure; the cyber security skills shortage is tremendous and the gap continues to grow.
But it’s not just a people and tech issue – it’s also a business one.
Cyber security skills shortage still the main cause of security incidents
According to a 2018 report by the Information Systems Security Association (ISSA) and an independent industry analysis firm, Enterprise Strategy Group, the cyber security skills shortage has affected nearly three-quarters (74%) of organisations and remains the root cause for many cyber security incidents.
“Nothing’s improving,” says Jon Oltsik, the author of the report and senior principal analyst at the Enterprise Strategy Group. “While cyber security professionals need to keep their skills up, they’re too busy, and their organisation isn’t providing them with enough training,” Oltsik remarks.
Indeed, in the absence of cyber security programmes, candidates are having to figure out cyber security on their own. Though this approach is great for those looking to achieve a basic understanding, when it comes to more complex security management it leaves a lot to be desired.
So, what risks are businesses exposed to?
Nowadays, the most prevalent form of cyber attack is phishing. Phishing is about attempting to obtain sensitive information (usernames, passwords, credit card details and so on) by disguising oneself as a trustworthy entity (a lawyer, a bank, or healthcare service, for example).
Largely, it works. According to statistics from Retruster, phishing accounts for 90% of data breaches and attempts have grown 65% in the last year (2018). These attacks can happen anywhere and at any time, but are more likely to occur on untrusted networks where security is minimal and there’s no threat detection to analyse incoming entities.
So when a business’s employees use unsecured public WiFi networks and/or untrusted networks, it becomes incredibly easy for cyber criminals to phish information. The irony is that, with a bit of know-how, most businesses could avoid phishing attacks.
Man-in-the-middle (MitM) attacks are also quite prominent. Also known as ‘eavesdropping’ attacks, they occur when attackers insert themselves into a two-party communication. Again, these attacks happen on unsecured or public WiFi networks.
Employees with minimal knowledge of cyber security wouldn’t know any different, so they’ll continue to use these networks whilst working remotely. It’s up to the business to drive awareness forward.
Technology helps – but it isn’t a silver bullet
Perhaps the biggest mistake businesses make is assuming technology will solve all of their problems. These businesses go all-in with firewalls, intrusion detection systems, virtual private networks… the works.
But technology is only as effective as the people using it. The implementation of solutions to manage security needs to be overseen by those who understand it and can use it correctly. Whether that’s a managed service provider (MSP) or an in-house team is down to the business, but a simple interim solution would be to train employees and use technology that’s easy to understand.
What’s the solution?
Talent is thin, but that doesn’t mean there aren’t candidates out there who 1) are interested in becoming a security expert, 2) have the necessary aptitudes to succeed and 3) are a good fit for the company.
Casting the net wider to include candidates from other backgrounds might be worth considering, especially as these candidates will come in with open eyes.
In truth, businesses need to make cyber security part of their culture. It needs to be driven both from the bottom and the top if it is to stick and be practised regularly, whether at home or in the office.
Incentivising learning will also encourage employees to do their part. The CEO delivering a mandate just won’t sit well with employees. It needs to be championed by someone who is integral to day-to-day work activities.
How can we help?
At Privatise, we offer a key part of any cyber security provision – a virtual private network. With it, businesses can keep their activities private and secure whilst on untrusted and public networks. Our solution is easy to use, rapidly deployable, always on and scalable, making it perfect for SMB environments where expertise is limited.
If you manage IT security and are interested in adding our solution to your service provision, just check out our partner page.