
What’s the biggest cybersecurity problem facing today’s small and medium-sized businesses (SMBs)? 

If you answered “talent,” you’d be right. The cybersecurity workforce is growing rapidly, yet demand is growing even faster. (ISC)²’s cybersecurity workforce gap analysis revealed that, despite adding more than 464,000 workers in the past year, the cybersecurity workforce gap has seen a 26.2% year-over-year increase, making it a profession in dire need of talent.

This widening gap is putting organizations at significant risk: 74% say that their organization does not have enough cybersecurity employees, which puts it at a “moderate” or “extreme” risk of a cyberattack.

While the cybersecurity skills gap impacts all businesses, it impacts SMBs more. What’s more, most SMBs believe that they’re too small to be targeted by bad guys. But the reverse is true. Consider this: 

“…more than 30 percent of U.S. small businesses have weak points that bad actors can exploit. Moreover, fraudsters tend to set their sights on small businesses since smaller companies usually have weaker security safeguards in place compared with those at larger companies.” 

In fact, one report found that SMBs faced an average of 6,300 attacks per day in 2019, rising to 17,500 in 2020 and 31,000 in 2021. If this same pace continues, SMBs will face between 56,000 and 86,000 attacks daily in 2022 alone. These are concerning numbers! 

How can you ensure that your business is protected? 

To outsource or not to outsource: Business leaders weigh in 

The general rule, according to one staffing expert, is one IT professional for every 100 people. But this ratio is no match for the voluminous and ever-changing threats that are bombarding SMBs. A more common model is that SMBs, who were early adopters of cloud-based services, are paring down their in-house IT teams to refocus on their core business. Many have IT generalists who serve as the point person for outside managed services providers (MSPs).

With an MSP, you’ll have the resources needed to ensure your business is protected—without having to find and hire talent, implement and support solutions, pay a heavy upfront cost, or assume risk.  

In a recent survey of business leaders (64% of whom are SMBs), 88% are outsourcing cybersecurity tools and processes. They chose to outsource because of a lack of in-house specialists (75%), team size limitations (56%), and budgetary reasons (42%). In fact, one finance executive explained that it “…allows us to handle situations where we have insufficient knowledge or manpower, but also presents the opportunity for our in-house team to learn from the vendors and consultants.”

Here’s what business leaders are outsourcing:  

We are outsourcing these cybersecurity tools and processes…

  • Security information and event management (SIEM): 58% now, 26% in the next 12 months
  • Threat & vulnerability management: 44% now, 21% in the next 12 months
  • Identity and access management (IAM): 42% now, 25% in the next 12 months
  • Secure endpoint management: 40% now, 23% in the next 12 months
  • Incident response management: 38% now

 At the end of the day, 91% are satisfied with their partnerships and 92% believe that outsourcing better protects their businesses from cybersecurity incidents. As one leader said: “The solution isn’t 100% [in-house] or outsourced. Know your strengths and outsource to cover weaknesses.” 
 

CISA: Cybersecurity essentials for SMBs

Should you decide not to outsource, make sure you at least have the right controls in place so you don’t become a victim. Reducing risk requires a holistic approach that enables a culture of cyber readiness. Consider these essential elements offered by the Cybersecurity and Infrastructure Security Agency (CISA):  

Role and key responsibility, followed by recommended actions:

IT Leader: Drive cybersecurity strategy, investment, and culture.

  • Lead investment in basic cybersecurity.  
  • Determine how much of your organization’s operations are dependent on IT.  
  • Build a network of trusted partners to drive cybersecurity strategy and for access to timely cyber threat information.  
  • Approach cybersecurity as a business risk.  
  • Lead development of cybersecurity policies. 

IT Team: Develop security awareness and vigilance.

  • Provide basic cybersecurity training to increase threat awareness and improve knowledge of concepts, terminology, and activities associated with implementing cybersecurity best practices. 
  • Develop a culture of awareness to encourage employees to make good choices online.  
  • Learn about risks like phishing and business email compromise. 
  • Identify training resources available through professional associations, academic institutions, private sector, and government sources.  
  • Maintain awareness of current cybersecurity events, using lessons-learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends. 

Systems: Protect critical assets and applications.

  • Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at risk in an attack.  
  • Leverage automatic updates for all operating systems and third-party software. 
  • Implement secure configurations for all hardware and software assets.  
  • Remove unsupported or unauthorized hardware and software from systems.  
  • Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured web pages.  
  • Create application integrity and whitelisting policies so that only approved software is allowed to load and operate on your systems. 

Physical: Ensure only those who belong on your digital workplace have access.

  • Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.). 
  • Leverage multifactor authentication for all users, starting with privileged, administrative, and remote users.  
  • Grant access and admin permissions based on need-to-know and least privilege.  
  • Leverage unique passwords for all user accounts.  
  • Develop IT policies and procedures addressing changes in status (transfers, termination, etc.). 

Data: Make backups and avoid loss of info critical to operations.

  • Learn what information resides on your network and maintain inventories of critical or sensitive information. 
  • Learn what is happening on your network. Manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.  
  • Filter out and block dangerous sites and unwanted content through DNS protection.  
  • Learn how your data is protected. 
  • Leverage malware protection capabilities.  
  • Establish regular automated backups and redundancies of key systems.  
  • Leverage protections for backups, including physical security, encryption, and offline copies. 

Response: Limit damage and quicken restoration of normal operations.

  • Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often. 
  • Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.  
  • Learn who to call for help (service providers, vendors, government/industry responders, technical advisors, and law enforcement).  
  • Lead development of an internal reporting structure to detect, communicate, and contain attacks. 
  • Leverage in-house containment measures to limit the impact of cyber incidents when they occur. 

And if becoming cyber ready takes more from your team than you can afford, find an MSP to help.

Logicalis: Security fit for today’s future-forward SMBs 

Logicalis offers a range of enterprise-grade professional and managed security services to help you develop and maintain a culture of cyber readiness and ensure your business is protected. From security assessments to ongoing management, we can help enhance your strategic planning, fill IT staffing and technology expertise gaps, and free up IT teams to innovate and focus on your strategic initiatives. 

But enterprise-grade security doesn’t have to require a huge upfront capital investment. In fact, our subscription-based Secure OnMesh offering takes a lifecycle approach with the Secure OnMesh Assessment to align to your requirements, a Secure OnMesh Proof of Value to show how we transform your security posture, and Managed Secure OnMesh for continuous 24/7 detect-and-respond security operations through our global SOC to help you scale.

Take our complimentary 15-minute Security Maturity Survey to see how your business stacks up against security best practices. You’ll receive not only an overall score, but individual scores on Program, Network, Endpoint, and Cloud. Or contact us to speak with a Logicalis Security Expert.  

 

Brad Wright is a Principal Security Architect at Logicalis, responsible for helping our customers identify the right technologies to protect their businesses.