We’re on the brink of cyber crisis
By Lewis West, Head of Cybersecurity at Hamilton Barnes, a leading provider of talent
I think we’re at a crossroads in our fight against cybercrime.
Cyberattacks are at an all-time high, with ransomware attacks more than doubling since last year. But the Q2 Cyber Security Breaches Survey found that only 68% of micro businesses consider cybersecurity a high priority, compared to 80% in 2022.
This figure is symptomatic of a national trend of underspending: UK security budgets have remained flat since 2021, with only 11.3% of the average IT budget spent on security, ranking the country 13th globally. And this is despite the UK suffering the most cyberattacks in Europe in the last year, accounting for 43% of all attacks and costing the small business community an estimated £4.5 billion a year – at an average cost of £1,100 per individual attack.
This drop in priorities was largely prompted by small businesses being priced out of the market, with salaries of cybersecurity specialists rising by as much as 50% in the wake of the pandemic. But at Hamilton Barnes, we’re seeing this issue levelling off.
After COVID-19, there was huge demand for cyber talent, when a lot of people were getting hacked because of new setups and ways of working. Businesses wanted as much cybersecurity as they could get and were paying experts whatever they wanted. Since then, there has been the threat of a recession and things have started to slow down. Companies no longer want to spend, so crazy-money salaries are few and far between.
Yet, despite talent being more readily available, businesses are still not taking the threat of cyberattack seriously, as demonstrated by a 112% increase in ransomware attacks. I believe an immature business market is to blame for that, with SMEs simply not doing enough when it comes to cybersecurity, from the tooling in place to the attitude of employees around security risks. Studies have shown that 43% of cyber-attacks are aimed at SMEs but only 14% are prepared to defend themselves – an unbelievable and hugely worrying statistic.
In the case of the ransomware rise, businesses are too willing to simply pay the ransoms because for SMEs they will often be a nominal fee. They’ll think, “We’ll just take the loss, pay it and get our stuff back because doing so is cheaper than bringing someone in to prevent it.” It doesn’t help that there’s no real legislation around ransomware, no set procedure to follow, and a lot of businesses have a very immature setup around it or neglect it altogether until it’s too late.
The issue is compounded by a global skills shortage. The talent was historically available to fill requirements, but as the demand for skilled cyber experts has risen, the number of specialists in the market has not grown to match this. So, there’s talent out there, to an extent, but it’s at the more experienced end of the spectrum and these guys are leaving the market, even retiring early having earned enough. And there aren’t enough specialists coming through to fill these gaps. The big shortage is the mid layer; someone who has done anything from three to five years of engineering is like gold dust at the moment.
In short, there is a crisis – there are too many jobs and not enough people. SMEs face the additional challenge that cyberattacks are becoming more and more niche and sophisticated. Experts are therefore increasingly focusing on a specific discipline within the market, whereas many small businesses still need a ‘jack of all trades’.
The solutions lie in changes of approach from both an educational and a business perspective. More needs to be done to push students in the direction of cybersecurity specifically, which is still largely lumped into IT courses, at least up until university. Businesses should be focused on building a security culture, increasing awareness across the entire team and hiring the correct personnel. Training employees to become more aware of security attacks and attackers’ methods is an effective way to reduce the number of successful cyber-attacks, as is including cybersecurity talent in your hiring strategy.