UK’s SMEs are facing cybersecurity crisis: Hamilton Barnes
Hamilton Barnes, a provider of talent to the global cybersecurity and network engineering market, believes UK’s SMEs are at a crossroads in the fight against cybercrime.
A recent report – Cybersecurity skills in the UK labour market 2023 – by the Department for Science, Innovation and Technology (DSIT) found that cybersecurity job postings had risen by 30% on the previous year, to over 160,000.
Therefore, a 10% rise in employment in the cyber workforce is not enough to fill demand, especially as cyberattacks are at an all-time high, including ransomware attacks more than doubling since last year. Moreover, the Cybersecurity breaches survey in 2023 found that only 68% of micro businesses consider cybersecurity a high priority, compared to 80% in 2022.
This figure is symptomatic of a national trend of underspending: UK security budgets have remained flat since 2021, with only 11.3% of the average IT budget spent on security, ranking the country 13th globally. And this is despite the UK suffering the most cyberattacks in Europe in the last year (accounting for 43% of all attacks) and costing the small business community an estimated £4.5 billion a year – at an average cost of £1,100 per individual attack.
While a shift in attitudes has largely been prompted by small businesses being priced out of the market, with salaries of cybersecurity specialists rising by as much as 50% in the wake of the pandemic, Lewis West, head of cybersecurity at Hamilton Barnes, believes this issue is “levelling off”.
“After COVID-19, there was huge demand for cyber talent, when a lot of people were getting hacked because of new setups and ways of working. Businesses wanted as much cybersecurity as they could get and were paying experts whatever they wanted. Since then, there has been the threat of a recession and things have started to slow down. Companies no longer want to spend and things are levelling off, so crazy-money salaries are few and far between,” says West.
Yet, despite talent being more readily available, businesses are still not taking the threat of cyberattacks seriously, as demonstrated by a 112% increase in ransomware attacks.
West blames an "immature" business market. "SMEs are simply not doing enough when it comes to cybersecurity, from the tooling in place to the attitude of employees around security risks. In the case of the ransomware rise, businesses are too willing to simply pay the ransoms because they see doing so as cheaper than bringing someone in to prevent it. Studies have shown that 43% of cyber-attacks are aimed at SMEs but only 14% are prepared to defend themselves, an unbelievable and hugely worrying statistic."
“A ransom for SMEs will often be a nominal fee, and they’ll think, ‘We'll just take the loss, pay it and get our stuff back.’ It doesn’t help that there’s no real legislation around ransomware, no set procedure to follow, and a lot of businesses have a very immature setup around it or neglect it altogether until it's too late.”
A global skills shortage compounds the issue.
According to West, the talent was historically available to fill requirements, but as the demand for skilled cyber experts has risen, the number of specialists in the market has not grown to match this.
“There’s talent out there, to an extent, but it’s at the more experienced end of the spectrum and these guys are leaving the market, even retiring early having earned enough. And there aren’t enough specialists coming through to fill these gaps. The big shortage is the mid-layer; someone who has done anything from three to five years of engineering is like gold dust at the moment,” he adds.
“There is a crisis. In short, there are too many jobs and not enough people.”
SMEs face the additional challenge that cyberattacks are becoming increasingly niche and sophisticated. Experts are, therefore, increasingly focusing on a specific discipline within the market, whereas many small businesses still need a "jack of all trades".
The solutions lie in changes of approach from an educational and business perspective.
“More needs to be done to push students in the direction of cybersecurity specifically, where it’s still largely lumped into IT courses, at least up until university.” West also argues that businesses should be focused on building a security culture, increasing awareness across the entire team and hiring the correct personnel. “Training employees to become more aware of security attacks and attackers’ methods is an effective way to reduce the number of successful cyber-attacks. As is including cybersecurity talent in your hiring strategy,” West concludes.