Despite cybersecurity being recognised as a part of company culture for two-thirds (67 per cent) of UK tech SMBs, 57 per cent feel that support with education and training has been lacking over the past year, in the ongoing battle against security threats.
The UK was the region found by enterprise software company Sage to report the fewest cybersecurity incidents in the past year (42 per cent reporting one incident), but a roundtable discussion around the research pointed to a lack of proper systems being in place, and a shift in investment priorities during this time period.
Under half (48 per cent) of UK SMBs expect investment in cybersecurity to increase, with 44 per cent expecting this to stay the same.
To keep data protected with the resources they have, UK SMBs are putting risk management processes in place for remote workers (81 per cent, but only 53 per cent monitor this), and backing up data (62 per cent).
Meanwhile, just 29 per cent of those with a process in place acknowledge that not all employees adhere to the measures, and 17 per cent rely solely on basic controls.
The cybersecurity challenges UK respondents most frequently identified in nurturing a proactive security culture were:
- ensuring staff understand expectations (45%);
- educating staff about cybersecurity (44%);
- understanding what security is needed (43%).
Keys to effective internal training
With collective responsibility and the education and training of employees remaining vital to keeping the company protected, there are measures that can be taken internally to effectively train the whole workforce.
“Fundamentally, anyone with responsibility and awareness of security in the organisation should do basic training on what the cybersecurity landscape is, and what the threats are. This is readily available online,” said Sophia Adhami, director of cyber security awareness and engagement at Sage, during the roundtable.
“There should also be a simple understanding of what basic controls you have, what needs to be protected, and what controls need to be in place.
“Cybersecurity should be constantly and visibly talked about across the organisation, and be continuously enforced. This can be as much as saying ‘I’m not sure about this, I need to learn more’. This creates a culture of curiosity and trust.”
Ben Aung, chief risk officer at Sage, added: “People running small organisations will know what motivates their employees, and what interests them.
“For example, if you’re a health provider with reams of sensitive data related to personal health issues, that will be where you would start [when establishing cybersecurity awareness].
“Talking about cybersecurity as an abstract concept doesn’t engage anybody. My advice to small businesses would be to look at what is important to the company, and go from there.”
Sage surveyed 500 UK small and medium-sized businesses, out of 1,700 firms globally, for its ‘Cyber security for SMBs’ report.