Video: Addressing the Cybersecurity Skills Gap: Solutions for SMBs | Duration: 1812s | Summary: Addressing the Cybersecurity Skills Gap: Solutions for SMBs | Chapters: Cybersecurity Skills Gap (23.855s), Security Operations Challenges (282.19s), Addressing Cybersecurity Challenges (526.735s), Sophos Solutions Overview (1113.24s)
Transcript for "Addressing the Cybersecurity Skills Gap: Solutions for SMBs": Welcome, and thank you for joining me today to look at how the cyber security skills gap is impacting smaller organizations and also some practical ways to address it. Smaller businesses are the backbones of our economies and our society as a whole. They make the world go round. Many of you likely work in smaller businesses and you face many of the same challenges as larger organizations as well as additional challenges due to your size. So in this session, we're gonna look at the reality of the skill shortage in smaller organizations, the cause and the impact, as well as some practical solutions you can explore to help address it. And we're also gonna take a look at how Sophos can help. And along the way, I'm gonna be sharing findings from an independent vendor agnostic survey of IT leaders working at the frontline, comparing the experiences of those in smaller organizations with people working in larger ones. So let's start by touching on why small businesses need cyber security skills. I mean it's easy to think I'm just a small accountancy firm, I'm just a small video production company, I haven't got anything an adversary would be interested in. Why would they target me? You know, bigger companies have got more money, and, you know, that's true in many ways. But the reality is that cybercriminals in general aren't saying, right, I'm gonna deliberately target smaller organizations today. Rather, what they're doing is they're probing and they're poking around to find weaknesses that they can exploit. Often, they could be open connections or unpatched software vulnerabilities, for example. And all too often, when they find them, they're in smaller organizations. And the fact that you're a small business won't hold the adversaries back from attacking you.
Cybersecurity skills are essential for plugging these weaknesses and defending against these attacks, but the skills are in short supply and this shortage weighs heavily and frankly disproportionately on smaller organizations. So just to illustrate this point, we asked the respondents in our survey what they considered to be their number one cybersecurity risk and you can see here on screen their responses. And the answers revealed a huge difference between small businesses with fewer than 500 employees and larger organizations. Small businesses rank a shortage of in house cybersecurity skills or expertise as their second biggest cybersecurity risk topped only by zero day threats. In contrast, for organizations with 500 employees or more, shortage of in house cybersecurity skills and expertise ranks seventh. And so while all organizations, you know, of all sizes are impacted by a skill shortage, the data is really making clear that smaller organizations feel the impacts of this shortage most keenly. And at the same time when we look at this data, we can see that some risks that rank highly for larger organizations such as a shortage of cybersecurity tools, these are really secondary concerns for smaller businesses who are struggling with the more foundational challenges of having people to operate their existing investments. So what's behind this skill shortage? Why are smaller businesses more impacted? Well, as we dive a bit deeper into the data, we see the skill shortage is really a two headed challenge. There's a lack of expertise but also a lack of capacity as well. So cyber threats and security technologies are complex. Doing cyber security well is an advanced skill. It requires a high degree of expertise and the bar keeps getting higher. And the cyber attacks continue to get more and more complex, a greater level of expertise is needed to stop them. And expertise is something that small businesses are more likely to lack than larger ones.
So this slide that we have here looks at the percentage of organizations that say they struggle with different aspects of security operations. And while large organizations do definitely struggle with security operations, the challenge is greater for smaller ones, which we can see on this graph, you know, the fact that those bars on the left hand side of the screen are much higher than on the right. Now the practicality of developing cybersecurity expertise is a particular challenge in smaller organizations for people working in small businesses. Because, of course, when you've only got one or two people on IT and cybersecurity, it's much harder to take time out for ongoing education and training because you leave a complete gap behind. And also when there are fewer people on the team, you've got fewer coworkers, you've got, you know, less opportunity to learn from others to do that peer to peer development. So, you know, definitely a challenge area for smaller organizations. But it's not just expertise. It's also capacity. You know, so, we know that adversaries target their attacks deliberately at times when they hope to avoid being noticed. Ninety one percent of ransomware attacks start outside standard business hours. And by standard business hours, I mean nine oh, so 8AM to just 6PM, Monday to Friday in the time zone of the victim. So these adversaries, weekend warriors, nighttime warriors, they're looking to get in to carry out their attacks when they're less likely to be spotted, and because it means that they can then have a greater chance of success. So you need round the clock coverage to detect the suspicious signs that somebody's trying to get into your environment, that somebody is moving around. So you can see them and you can spot them before they reach active directory, before they install a backdoor, before they exfiltrate or encrypt your data.
But providing that round the clock monitoring and coverage is a particular challenge for small businesses. A third of the respondents in our survey said that they, don't have sorry. A third of the time, small businesses in our survey said they don't have anyone investigating and responding to alerts. So thus a third of the time those businesses are more exposed to attack because there's no one to see and stop an attacker who's trying to make their way in to exploit, say, an unpatched vulnerability. So the challenge is a lack of skills, a lack of capacity, and it impacts smaller organizations in multiple ways. But one is that smaller organizations are more likely to have data encrypted in a ransomware attack. Seventy four percent of smaller organizations that were hit by ransomware said that the adversary succeeded in encrypting their data. You know, and that goes down as the organization size grows. So just one immediate, you know, direct impact of the skill shortage in smaller businesses. And another important impact to consider is burnout. It's a real risk. When you've got fewer people to share the cybersecurity load, the potential for talent burnout is high. So in some separate research that we commissioned, eighty five percent of organizations said that they experienced fatigue and burnout amongst their cybersecurity and IT professionals. And almost one in four, in fact, twenty three percent said they experience it frequently. And what's particularly troubling right now is that ninety percent said that burnout and fatigue have increased in the last twelve months. So as threats become more complex, as cybersecurity tools become more complex, the challenges, and the risk of burnout is increasing. Great. So what can we do about it? We have this challenge. You know, it's been around for a while. It's growing. What do we do? You know, the reality is that hiring more people is simply not a viable option for most smaller organizations.
Bringing in additional cybersecurity staff is a considerable budget ask and one that will have a disproportionately high impact on overall headcount budgets, in smaller organizations and in larger ones. And at the same time, bringing in new talent in this area is very difficult. All organizations are competing for a very limited talent pool. And people who've got these in demand cybersecurity skills, they can be selective. And, typically, they prefer to work in larger organizations that offer greater opportunity for career progression, greater opportunity to learn from colleagues, to expand their skills, as part of the group. So two solutions, you know, for smaller businesses, is to work with third party specialists, but also to use cybersecurity solutions that are specifically designed for smaller organizations with less capacity. So let's take a look at that first one, working with third party specialists. This is often the easiest and the most cost effective way to add both expertise and capacity. And the two most common approaches used are managed detection and response services or MDR services and also working with managed services providers, MSPs. Now MDR services, lots of M acronyms are going on here, but MDR services, they typically provide that twenty four seven expert led threat hunting, detection, and response across your environment. So you have expert analysts who are monitoring your organization, identifying and investigating and responding to suspicious activity so they can neutralize attacks and adversaries on your behalf before they impact your business. And if you're looking, you know, at an MDR provider, look for one that adapts to your needs, to your preferred way of working, whether you want to, you know, fully outsource threat detection and response or whether you want to do it in partnership with your own team.
And with budgets invariably tight, it's important to work with a service that can integrate with and use data from your existing IT and security investments. Now a second option is managed service providers, MSPs. MSPs have for a number of years been providing IT and cybersecurity support to the smallest businesses acting as their in house teams. But over the last couple of years, as threats have increased in complexity, we've seen an increase in the size of organization that's turning to MSPs to support and supplement their in house resources. Now these two options, MDR and MSPs, are not mutually exclusive. Now our research shows that 81% of MSPs offer MDR services. So you can get both layers of protection, both layers of third party specialism from one provider. Some MSPs choose to deliver the MDR services themselves. Others prefer to leverage third party specialists such as Sophos. But these two very much can work together to help you add capacity, add expertise to your team. Now this all sounds great, but, you know, I'm aware most organizations don't have large budget pots just waiting to be used. So one option I want to share with you to help fund MDR services is to look to see if you can unlock savings from your cyber insurance. MDR users are widely considered the tier one customer by insurance providers because they've got the lower risk of making a claim. They have got low risk to transfer, so they're a very attractive client. And as a result, insurers typically offer material discounts to organizations that are using an MDR service, money that you can then redirect to fund the MDR service itself. In just one example I want to share, we have a nonprofit organization in the US that has 350 staff, and they were actually getting their MDR service through an MSP. And they were able to reduce their cyber insurance premium by $8,000 because they were using the Sophos MDR service.
And with the annual MDR subscription through their MSP coming in at just over it would just under 8 and a half thousand dollars. This meant you know, with this insurance saving, they were able to elevate their defenses with twenty four seven expert led threat detection response for an incremental spend of under $500. So that's just one example, one particular organization, but I do encourage you to look to see if you can unlock savings from cyber insurance to help fund elevating your defenses. Let your insurer know about the really high caliber defenses you've got in place and shop around for the best option too. So that's one option and one item I'd recommend you take a look at, which is outsourcing. But the second area to consider is to look at solutions that are designed for smaller businesses. Because in reality, most cybersecurity tools, most cybersecurity products, are designed and built for large organizations, organizations that have got extensive IT and cybersecurity teams to deploy and manage them. And then these enterprise solutions kind of cascade down and become available to medium and smaller teams as, in medium and smaller sized businesses. But while it might sound very attractive to say you've got an enterprise level solution, the reality is that smaller organizations often struggle to see both the security and the return on investment benefits from these solutions because they're unable to use the enterprise solutions effectively. So instead of looking for enterprise solutions, look for security solutions that are technically advanced under the hood, but designed to be easy to use by stretched real world IT teams. And switching, you know, purchase focus to make sure it includes usability for small organizations shouldn't increase your spend. And in fact, it may offer you the opportunity to reduce technology and management overheads.
So when you're doing this, you know, think both about the platform and also the product features. You know, when it comes to the platform, choose one that enables you to deploy, monitor, manage multiple cybersecurity solutions in one place. For example, your endpoint antivirus, your email security, and also your firewall. And if you can do this, you can considerably reduce your day to day admin overheads. You know, that the time, the effort that you need to manage your security because you're not having to jump from console to console all the time. And it can also help reduce your vendor management overheads. And if you get an effective platform, it should allow your security solutions to work together so that they're sharing telemetry, they're sharing insights. You've got common user based policies and many other elements that can, you know, really elevate your cyber defenses. But we also should have a think about, you know, the products. You know? Be really clear on what you need and what you can actually use because, you know, many vendors present long lists of features and capabilities on their websites. But when you're evaluating solutions, you know, take the time to think about, okay, what do you need and what do you not need so that you're not paying for capabilities that you haven't got the capacity to use and that you're not gonna get benefit from. So to get the most from your investments in cybersecurity, you need to be able to deploy and use the tools, the technologies effectively. Choose the solutions that automatically deploy with their recommended settings from day one. So it takes away the need for you to spend time doing manual configuration, but it also removes the risk that you may not get the configuration right. I look for intuitive controls that are really designed with real world environments in mind. Now security tool misconfiguration is a major risk.
And when you've got really complex products, if you haven't got the settings right, you're leaving yourselves exposed. So look for tools that make it easy to maintain good security posture so you can easily see how your posture is, and you can easily fix it if something has gone astray. And, you know, if you're a smaller business, your team is unlikely to be solely focused on cybersecurity. And, certainly, you know, there may be 20 gaps in your twenty four seven coverage. So look for solutions that can do automated threat response so they can take action. They can buy you time until you can step in. So that's some suggestions on how to manage the skills gap practically and it's something you can do right now. At Sophos, we've got really deep experience in securing small and mid sized organizations from advanced threats, and we've purpose built many of our products and services to specifically address the needs of smaller organizations. Overall we secure more than 600,000 businesses worldwide many of whom have fewer than 100 employees and we've also got a large and fast growing MSP network. So let me take you through the Sophos solutions and how we can help you. This diagram here really is our platform visualization. It really, I think, brings the whole Sophos story together on one slide. We start off with Sophos Central, our adaptive AI native platform that's the foundation of our defense capabilities. It's powered by threat intelligence from our renowned Sophos X-Ops team, and it's an open platform. It works with the products, the solutions you've already got. It works with the Sophos portfolio, but it also works with technologies from non Sophos vendors. And you can see just some examples of those along the bottom of the screen. And at Sophos, we provide protection for you at every point in your defenses. So we help you mitigate the risk of threats. So identifying exposures, identifying areas of risk.
So our managed risk service identifies vulnerabilities and also provides risk based prioritization of patching so that you can focus your limited efforts where they can have the most impact. Our built in account health checks for our products help you quickly see just at a glance, you know, what's your posture, and there's a one click button to fix anything that's out of line. So reducing your exposure to attacks in the first place. We also take a prevention first approach. We believe that we need to stop everything as early as possible before it can impact your business to minimize the impact of cybersecurity. And our technologies are highly effective at automatically stopping threats upfront from our firewall to our email solution to, to our m, our endpoint protection, you know, all designed for optimized prevention, and that's one of the reasons we've been a leader in the Gartner Magic Quadrant for endpoint for the last fifteen years. Now sometimes, you know, there are suspicious signals that come into your environment. Something is going on and, you know, you need to investigate and respond to say, well, is this legitimate? Is it Sally who is going in at midnight and using PowerShell, or is it an adversary who's got into our environment and is pretending to be me and using PowerShell. So we need to go to investigate and respond. And here we also have a range of options. We have tools such as our EDR, XDR, NDR technologies that you can use to investigate and respond in house. And we also have our market leading MDR service as well that secures more than 26,000 organizations with more than 500 analysts providing round the clock coverage. Of course, we don't want to just sit back and respond. We also want to proactively hunt for new threats, identify in it proactively, is there something untoward going on? And if so, let's stop it.
So, again, our tools and our services offer those capabilities whether you want to do that in house or whether you'd like our experts to do it for you. And should you find yourselves under an active attack, then, you know, we have our incident response services that are able to step in and eject the adversaries. Our expert team, they have they've seen, they've stopped everything an attacker can throw at you. So they've got extensive experience across small businesses of all sizes, and of all industries. So they can really provide fast effective defenses in the event of an actual incident. So really wide range of solutions all managed through the Sophos Central open platform. So we have our platform and a cross portfolio's, range of solutions, but we also design our solutions for smaller businesses in mind. Sophos has been defending smaller organizations for approaching forty years with continued success. We have good experience of what small businesses need and how best to enable them to optimize their defenses. Just a few examples. Sophos endpoint automatically deploys with recommended settings, so you don't need to do any manual fine tuning. Everything automatically is set up from, you know, minute one, day one. You are good to go. You are fully protected. You don't need to do anything to get your defenses where they should be. We've done it for you. And we also built in adaptive protection. So our adaptive attack protection that's automatically built in with Sophos endpoint, if it detects suspicious signals that there's potentially an adversary in your environment, it automatically kicks in a higher level of protection, to block the adversaries, to stop them moving around, and buy you or your MSP time to respond.
Now these higher levels of defenses, they would slow people down if they were, you know, you spoke so your people don't know and, I mean, your team's down, if they were deployed the whole time. But when there is an adversary in the environment, it's the ideal moment to kick them in so that you can then get in and neutralize them before they can carry out their attack. And, of course, we have the built in posture checks that I was mentioning. And on the firewall side, you know, we have centralized management and reporting that gives you greater control and helps you lower the day to day time spent managing your network security. Plus we know that lots of small businesses are working in small offices. Noise is a real issue. So we have whisper quiet appliances that are ideal for when you need the technologies to be, you know, going really quietly in the background to avoid causing any disruption. So solutions very much designed for smaller businesses. So that brings us to the end of this session. We've taken a look at the challenge, which is the cybersecurity skills gap, which, as we've seen, is disproportionately impacting smaller businesses, hindering their ability to defend against cyberattacks and resulting in higher ransomware encryption rates, greater burnout. But there are options, you can partner with specialists, such as MDR providers, such as managed service providers, and also look for solutions that are designed for smaller businesses with less capacity that will enable you to have optimal defenses with lower overheads. So I'd like to thank you very much for your time. I hope this has been useful. I hope that you have got some practical takeaways here. If you'd like to explore more about how Sophos can help you, do visit our website sophos.com or contact your Sophos representative to explore how we can help you.
And if you'd like to learn more about the research we've conducted into the cybersecurity skills gap and how it's impacting small businesses, then you can download the report from our website. So with that, let me thank you again for your time. Thank you.