Skills shortages ranked as top security risk for SMBs

SeniorTechInfo

The Growing Cybersecurity Skills Shortage in SMBs: A Warning from Sophos

With the increasing demand for cybersecurity expertise and capacity in global small and medium-sized businesses (SMBs), a new warning has been issued by Sophos highlighting the implications of talent burnout and the rise of opportunities for threat actors.

In a recent study, the UK-based security vendor surveyed 5000 IT and security professionals across 14 countries, with a focus on 1402 individuals working in organizations with 100-500 employees. The findings, presented in their report titled “Addressing the cybersecurity skills shortage in SMBs,” revealed a disturbing trend.

According to the report, a shortage of security skills has now become the second most significant cybersecurity challenge faced by SMBs, following closely behind zero-day threats. This is in stark contrast to larger organizations, where skill shortages rank much lower on the list of concerns.

The lack of security expertise within SMBs not only hinders the ability of teams to keep up with the evolving threat landscape but also makes it challenging for them to investigate suspicious alerts effectively. In fact, nearly all respondents from smaller businesses reported struggling with at least one aspect of investigating alerts.

Moreover, the report pointed out that fewer staff members in SMBs often result in threats going undetected for extended periods. In some cases, there is no one actively monitoring, investigating, or responding to alerts for a third of the time, leaving organizations vulnerable, especially during non-business hours when a majority of attacks are known to occur.

Furthermore, the impact of skills shortages can be seen in the outcomes of attacks on SMBs. Threat actors are more successful in encrypting data during attacks on SMBs compared to larger organizations, as highlighted in the Sophos report.

The Vicious Cycle of Skills Shortages and Burnout

Interestingly, the study also shed light on a concerning correlation between skills shortages, burnout among cybersecurity professionals, and compromised security defenses. According to a separate APAC study referenced by Sophos, a significant percentage of organizations reported experiencing fatigue and burnout among their IT and security professionals, with a worrying increase in burnout rates over the past year.

Sophos’ field CTO, Aaron Bugal, emphasized the critical role of in-house cybersecurity skills in mitigating cyber risks. He highlighted the need for SMBs to monitor their networks 24/7, especially given that a majority of ransomware attacks occur outside of standard business hours.

As SMBs continue to face challenges in acquiring and retaining cybersecurity talent, it is crucial for organizations to prioritize skill development, invest in training programs, and implement effective security measures to protect against evolving threats.

To learn more about the cybersecurity skills shortage in SMBs and how organizations can enhance their cyber-resilience, you can access the full report here.
