The cybersecurity skills gap has been growing for years. In 2014, just 23 percent of organizations surveyed by ESG reported a “problematic shortage” of cybersecurity skills. In 2018, that number reached 51 percent. As a small business with fewer security needs than a large corporation, you may not believe this is a problem for you.
It’s quite the contrary, however: 50 percent of all cyber attacks target you, the small business owner, according to Joseph Steinberg, CEO of SecureMySocial. Why? The reasons include:
- Small business owners are more likely to pay ransoms.
- Small businesses store valuable data, such as financial information.
- Small businesses are an easy way for hackers to get into larger enterprises.
As Steinberg notes: “The massive Target breach of just a few years ago, for example, began when a hacker exploited the access that the retail giant provided to an HVAC contractor.”
Consider what this shortage means for your business and how you can keep it safe in an increasingly dangerous online world.
Training is necessary to close the cybersecurity skills gap
Security is everyone’s job within an organization — even those in HR or sales should be included in security efforts. Before initiating new training, start by assessing what you currently offer and how effective it is.
There are a few ways to do that, according to “How to Audit Your Company Security Training Efforts,” including identifying the most vulnerable employees and assets. In addition, set metrics to determine the success of your training and plan for how you’ll measure it as you close the cybersecurity skills gap. Justin Bonnema, author of that article, suggests:
“For example, organization-sponsored phishing campaigns will give you an indication of the click-happiness of your employees. Penetration testing will demonstrate whether your users can identify social engineering attacks, both in the cyber domain and in the physical domain.”
Use these tests to determine the impact of your current methods and to find a focus for future ones. As you look to implement new trainings addressing the cybersecurity skills gap, consider the entire spectrum of formats, including:
- Live in-office trainings.
- Company-wide initiatives.
- Company security advocates.
- Online workshops.
Most importantly, make trainings and cybersecurity discussions relevant:
According to 24By7Security, Inc. President and Founder Sanjay Deo: “More often than not, people tend to forget what they learnt in a training class, and the same holds good for cybersecurity training unless the training program provides 1-3 practical actionable tips on what people should or should not do in specific cases. More importantly, what helps dig the tip even deeper in attendees’ minds is continued follow up with brief periodic reminders of those tips.”
You need an emergency plan
All businesses need an in-case-of-an-attack emergency plan, especially when you have fewer cybersecurity experts on staff than you’d like. This policy is also called an Incident Response Plan, and it ensures that protocols are in place for getting back up and running as quickly and safely as possible in the event of an attack or breach.
The FBI shared tips with Oracle for creating your plan. Keep these in mind as you put yours together:
- Business critical information. This includes your operating systems and the miscellaneous information your business needs to function.
- Detection and containment methods. How are you actively monitoring, and what will you do to contain an issue?
- Internal and external stakeholders. Outline who is responsible for what, and how those people will be notified, including outside vendors if that applies to your business.
- Circle of trust. Ensure all technology partners can be trusted. “SMBs should be wary accepting cybersecurity services from foreign or lesser-known companies, especially for penetration testing.”
- Fight bad tech with good tech. Part of your plan should be investing in automation software that works 24/7 to monitor and detect.
- Recovery and mitigation. How will you recover lost files? How will you resume business? Answer these questions now, not later.
Prep the employees you do have
“It is the responsibility of the business to exercise due diligence when engaging a service. Current advice to startup companies about obtaining a web presence generally does not include securing information, checking qualifications, checking whether suppliers are registered with the ICO or taking utmost care when choosing a website designer and ISP.”
~ Computer Weekly
With a lack of security experts to hire, the ones you do have on staff are likely overworked and undertrained — which can widen a cybersecurity skills gap. A 2018 ESG report confirms this, finding that 63 percent of cybersecurity professionals feel they are not receiving adequate training from their employer.
Training options to consider include:
- Paying for lower-level employees to earn higher-level certifications.
- Ongoing development using a training platform to track progress and milestones and hold employees accountable.
- Live, hands-on seminars to build specialized skills in emerging technologies, such as blockchain or IoT.
If you don’t have an in-house team, remember to vet security vendors closely. Outside vendors can be helpful in plugging the cybersecurity skills gap, but they also make you more vulnerable. Do your homework to mitigate some of that risk.
Don’t let the cybersecurity skills gap leave you vulnerable
All small businesses are at risk, especially those that are suffering from the global cybersecurity skills gap.
Train the entire organization on security protocols and how they can help.
Don’t forget to create your incident response plan and focus efforts on prepping your current security team; specialized skills training and good vetting of outside help may be all you need to stay on top of risks and avoid an attack.