Lack of IT expertise is significantly undermining SMBs’ cyber resilience, according to Infosecurity Europe poll


A lack of expertise is the issue having the greatest negative impact on cyber resilience within small businesses, according to 41.5 per cent of respondents to the latest Twitter poll run by Infosecurity Europe, Europe’s number one information security event. The surge in remote workers driven by COVID-19 lockdowns is the second biggest stumbling block, cited by 34 per cent of respondents. The findings suggest that the need for SMBs to adopt digital ways of working at pace may have significantly increased their cybersecurity risk and vulnerabilities.

The impacts felt by small businesses across the UK as a result of the coronavirus pandemic are estimated to be six times larger than they were during the 2008 recession, according to analysis undertaken by O2 Business and the Centre for Economic Business Research (Cebr). Infosecurity Europe’s poll set out to find out how SMBs are managing to build and invest in cyber resilience – their ability to prepare for, respond to and recover from cyberattacks – and the obstacles they face.

“The rapid pivot to remote working was – and continues to be – a huge challenge for SMBs,” says Maxine Holt, Senior Research Director at Omdia. “These organisations typically don’t have a dedicated cybersecurity function, and it’s part of someone’s job to oversee it. There was a sticking plaster placed over security during the shift to remote working, which isn’t sustainable. Companies must now peel the sticking plaster back, and put longer term security approaches in place.”

The skills deficit is of particular concern as half (49.7%) of poll respondents believe small companies bear primary responsibility for educating and supporting themselves in becoming cyber resilient. This was followed by government bodies (32.3%) and large tech companies (18.1%).

Maxine Holt agrees. “Government bodies certainly have a role to play in educating and supporting SMBs, such as the NCSC in the UK,” she says, “but protecting the business is the companies’ own responsibility. There are plenty of free resources available, not only from government bodies but also standards bodies, management consultancies, technology vendors, and service providers. This is one way of keeping up with the ever-widening skills gap.”

Independent researcher David Edwards believes governments need to drive the initiative more visibly, through financial incentives. “A direct link to small business tax relief for attaining certain cyber essentials would mean there’s a motivation to learn and investigate cybersecurity,” he explains. “The mindset then shifts to missing out on a benefit as opposed to increasing costs.”

The outbreak of COVID-19 has squeezed the budgets of many small businesses, making it more difficult for them to find the funds to invest in the areas of cybersecurity that need bolstering. When asked how the pandemic has impacted their spending on cyber resilience, a quarter of small businesses (24%) have had to spend less. Only 18 per cent have spent significantly more, while 43 per cent say that ‘little has changed’.

“Typical challenges such as lack of budget, staff being stretched thin and a changing threat environment have all been amplified in 2020,” says Heidi Shey, Principal Analyst serving Security and Risk Professionals with Forrester Research. “For many small businesses, the focus was on making sure they could still operate, and concerns like cyber resilience weren’t necessarily a priority. If business is down, cuts have to come from somewhere. Harder-hit sectors like retail or travel had to make different choices than those in a more fortunate position. Most spending was reactive; to support remote work, many had to make investments in things like laptops, VPNs and collaboration applications.”

Nicole Mills, Senior Exhibition Director at Infosecurity Group, says: “Human skill and expertise was singled out as the most important element of a cyber resilience approach in our November poll. Lack of skills, combined with a rise in remote working and shrinking budgets, could prove to be a ‘perfect storm’ for smaller businesses. If they are ultimately responsible for their own cyber resilience maturity, as most believe, achieving this without the relevant expertise and resources will be nigh-on impossible. The constraints SMBs are operating under won’t be going anywhere – but enhancing their resilience must be a key priority for 2021.”

Cyber resilience will form a core theme for Infosecurity Europe 2021 (8-10 June, Olympia, London) and will be covered extensively as part of the Conference programme. To register your interest in exhibiting or attending in 2021, please visit:

Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 8-10 June 2021. It brings together information security professionals attending from every segment of the industry, as well as the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at 


About the Twitter Poll 

Drawing 3,649 responses, the Infosecurity Europe Twitter poll was conducted during the week of 16 November 2020. Infosecurity Europe also asked its community of CISOs and analysts for their views on cyber resilience in small businesses.

The three questions Infosecurity Europe asked in its November 2020 poll were:

  • How has the impact of the pandemic fuelled your spending on cyber resilience in your small business this year?

  • Who should be responsible for educating and supporting smaller businesses in cyber resilience?

  • What has had the biggest negative impact on cyber resilience within small businesses this year?