According to government statistics, the UK has a cybersecurity problem. More specifically, a ‘skills gap’. But what do we actually mean by a skills gap? How did we get here? And, what can smaller companies do to address it?
What do we mean by a ‘skills gap’?
Although the phrase ‘skills gap’ is a neat way to describe the problem, it’s a little vague. Whose skills are we talking about? Does it mean that every small business should have a bonafide cybersecurity expert in-house?
Let’s dig a little deeper.
The Department for Digital Culture, Media and Sport (DCMS) defines the skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’
The DCMS backs this definition up with some pretty alarming statistics. 48% (some 653,000) of businesses in the UK have a ‘basic’ skills gap. This means they lack the confidence to carry out the fundamental security tasks laid out by the Cyber Essentials scheme. These include things like setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.
But the problems don’t end there.
Approximately 408,000 businesses (30%) have more ‘advanced’ skills gaps. These include areas such as penetration testing, forensic analysis and security architecture. Another 27% have a gap when it comes to incident response.
Looking to improve your cybersecurity but lack the skills to get started? Check out the CyberSmart platform. It's your automated, in-house cybersecurity officer.
Why does the UK have a cybersecurity skills gap?
To get to the bottom of why the UK has a cybersecurity skills gap, we have to look back. Way back. Specifically, we’re heading to the 1990s – a decade of Britpop, Blairism and bad fashion, and when the internet began to take off as a public utility. Of course, the internet had been around in some form for much longer, but the late nineties marked the point when businesses and consumers really started to use it.
At the dawn of the modern internet, cybersecurity knowledge was mostly confined to the experts. Universities were just beginning to offer qualifications in the subject and some of the more forward-thinking businesses were offering staff training. But, for the most part, cybersecurity expertise was the preserve of academics, tech companies and a handful of specialist firms.
Fast forward a couple of decades and not much has changed. Even though every business and individual now uses the internet for nearly every daily task, cybersecurity teaching in schools remains in its infancy and optional most of the time. Many universities now offer cybersecurity courses but it is a niche subject, usually studied by postgraduates. Meanwhile, few businesses offer anything more than rudimentary cyber skills training that usually culminates in ‘switch your antivirus on’.
All of these things combined have created a world in which very few of us know much about cybersecurity. In turn, this scarcity has made cybersecurity expertise one of the most sought after skills in the UK economy.
For SMEs, hiring your own in-house expert is prohibitively expensive. And even outsourcing the problem to a specialist firm is still likely to take an almighty bite out of your IT budget. So, short of humming loudly and pretending the problem doesn’t exist or heading back to school, what can small business leaders do about it?
What can SMEs do about it?
Some things will always require calling in the experts. If your business is covered on the basic skills front but needs more advanced knowledge, you’re probably not the average SME and it’s worthwhile consulting with specialists or hiring an in-house guru.
However, for everyone else, there’s a lot you can do to protect your business without in-house skills or eye-wateringly expensive expert help. Let’s take a look at some options.
Take a government-standard certification
The UK government has been worried about our collective lack of skills for a while now. In the past few years, you’ve probably seen or read news reports about encouraging kids to study STEM subjects and learn basic coding skills. But while these are noble aims that will improve society tremendously in 10-15 years, we need a solution now.
So, back in 2014, the UK government created the Cyber Essentials scheme. The scheme covers the essential actions every business should take to ensure it’s digital security and protection from cyberattacks. Think of it as ‘cyber hygiene’ – a bit like washing your hands, brushing your teeth or wearing a face mask.
And this approach really works. Research from the University of Lancaster reveals that businesses can mitigate cyber risks by as much as 99%. What’s more, the certification process is relatively straightforward. The entry-level Cyber Essentials certification is a self-assessment that can be taken and passed in as little as 24 hours.
The more advanced version, Cyber Essentials Plus, includes an onsite or remote assessment from an expert and is a little more complex. However, this can also be completed for little cost in a few days.
If you’re unsure of which is right for your business, take a look at our handy guide covering the differences in more detail.
Automate the problem
Cyber Essentials certification is a great starting point. But your business’s cybersecurity requires year-round maintenance. It’s a bit like your car or bicycle. You might put it in for a service or MOT once a year, but in the period between visits to the shop, components wear out or break, leaving your vehicle less than roadworthy.
The same is true of cybersecurity. It’s very unlikely that nothing will change in the year between Cyber Essentials certifications. Software will need to be updated, new devices are added, and previously unknown threats emerge.
Tackling this manually is a job in itself, one that few SMEs have the skills, budget, or time for. Fortunately, you don’t need to run out and nab a recent cybersecurity graduate from your local university. Tools like the CyberSmart Active Protect can keep an eye on your cybersecurity for you all year long.
This automated software continually scans for vulnerabilities, such as out-of-date software, incorrectly configured security settings and switched off defences. All you need to do is flick a switch if something’s not right, and the platform takes care of the rest.
The UK’s cybersecurity skills gap will shrink. Heavy investment in the sector and the generation of burgeoning experts in our schools and universities point to a more secure future. However, this doesn’t mean we all have to wait until 2030 to do business safely. There is plenty your business can do today without expert knowledge.
Are you looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.