If you survey the owners, chief technology officers and IT specialists of most small- to medium-sized enterprises (SMEs) and ask them to highlight the digital dilemmas keeping them awake at night, cybersecurity will likely top most of their lists.
Finding the professionals needed to fend off cyberattackers would surely come a close second.
“There are a lot of smart people out there, but they’re being hired by the big companies,” says Alex Dow, chief technology officer at Vancouver’s Mirai Security Inc., a cybersecurity consultancy. “Companies in the small- to medium-sized space really struggle to find talent that’s willing to work in that space. Even my company struggles to win talent over from the Amazons and the Microsofts in Vancouver.”
Compounding the problem, Mr. Dow says, is the fact that novice cybersecurity specialists often need on-the-job training and time to gain practical experience before building the skills to tackle the toughest challenges facing their employers, such as social engineering-focused phishing and ransomware attacks. In reality, most SMEs can’t afford to spend the time necessary to train these new digital defenders.
Sometimes they can’t afford them at all. As Mr. Dow notes, new cybersecurity recruits can command salaries of up to $80,000 in markets such as Vancouver and Toronto. “We brought a recent grad in and he wanted $65,000,” he recalls.
That dearth of qualified professionals is a growing problem. A 2018 Deloitte Canada report projected a 7-per-cent annual increase in demand for cyber talent across the country, with organizations needing to fill about 3,600 cybersecurity positions between now and 2021. Globally, the consulting firm projects a 1.8 million-person shortage in cybersecurity professionals by 2022.
The latest Statistics Canada data highlight the importance of closing that talent gap. Fully 21 per cent of Canadian businesses reported being victims of cybercrimes in 2017, with 10 per cent connecting those incidents to declines in revenue. More than half said cybersecurity issues impacted their ability to do business, at least in the short term.
As the number of IT incidents continues to grow and the cyber-skills shortage deepens, SMEs are scrambling to protect themselves. Do they hire a full-time IT staffer or build out a full department? Or outsource to a third-party provider?
What they do know is they need to act now. But while doing more with less is an SME mantra, the escalating rate of cyberattacks is putting that philosophy to the test.
“There really aren’t enough cybersecurity practitioners in the marketplace,” says Moshe Toledano, a Montreal-based consultant and former chief information security officer at Bombardier Inc. He says that despite their limited budget, SMEs can no longer take a laissez-faire approach to cybersecurity. The attacks are far too frequent and the skills so specialized that having a part-time IT specialist managing that risk is likely inadequate.
So too is having a specialist who focuses solely on the technical side of cybercrime prevention. In Mr. Toledano’s view, it’s important for IT professionals to possess soft skills, such as the ability to analyze and effectively communicate a threat’s severity to senior leaders in a timely way.
Convincing them to proactively invest in risk-mitigation strategies and tools – such as teaching employees to spot phishing emails or frequently patching software – is one of the keys to preventing an attack.
Tying security to the business is also important, according to Mike Kulawik, the principal security solutions architect at digital security infrastructure and cloud services provider Scalar Decisions Inc., in Calgary.
Security professionals not only need to be able to spot security gaps, he says, but to develop fixes that are user-friendly and take the business’s operational needs into account.
“I’ve worked with many junior security people and they will try to impose such strict controls that the business apps are either unusable or so slow that it impacts productivity,” Mr. Kulawik says.
Vivek Gupta, Toronto-based cybersecurity practice leader with BDO Canada LLP, points to another, fundamental challenge for SME owners and their IT teams: understanding and quantifying the value of the digital assets they need to protect.
That could include personal information such as credit card or social insurance information, competitive data or intellectual property. Understanding the consequences of losing those assets – from lawsuits to regulatory ramifications – can help to develop the business case for hiring a full-time cybersecurity specialist, he says.
“A breach isn’t a matter of if or even when anymore,” he says. “A breach has potentially already happened; research shows it takes four to six months for someone to realize they’ve been breached. The question is, are you prepared to recover?”
For Mr. Dow, the ultimate case for making that kind of (often costly) initial cybersecurity investment comes down to the potential cost of not acting.
He says many large organizations are now adding security criteria into RFPs to protect their own networks, requiring suppliers to outline their cybersecurity protocols before agreeing to new contracts. SMEs that rely on dated strategies are facing a decided disadvantage.
“They might be able to survive without doing security until a ransomware attack happens,” Mr. Dow says of SMEs. “But if they want to be competitive and sell to the Fortune 1,000 or Fortune 2,000 [companies], they need to start demonstrating that they know what they’re doing when it comes to cybersecurity.”