May 8, 2023 By Jonathan Reed

Even before the current geopolitical and economic crisis, security teams were feeling squeezed. Back in 2018, (ISC)² conducted a global survey of 1,500 cybersecurity professionals in North America, Latin America, Asia-Pacific and Europe. They found that 59% felt their organizations were at a moderate to extreme risk of cybersecurity incidents because of a shortage of cybersecurity staff.

Have things gotten better over time? Since 2018, we’ve experienced a global pandemic. We continue to see growing levels of geopolitical conflict. Cyber incident costs continue to climb. Given these factors, the results from OpenText Security Solutions’ 2022 Global Ransomware SMB Survey and several other studies should be no surprise. Security professionals are worried that things are getting worse.

Climbing the wall of worry

Small and medium-sized businesses (SMBs) appear to be increasingly worried about their current security situation. In the OpenText study, an overwhelming majority (88%) of SMBs said they are concerned or extremely concerned about an attack impacting their businesses. And 52% of respondents now feel more at risk of suffering a ransomware attack due to geopolitical tensions.

Nearly half (46%) of SMBs surveyed have already experienced a ransomware attack. Meanwhile, 66% of respondents are not confident or only somewhat confident that they can fend off a ransomware attack.

Other sources also reveal troublesome rates of cyber incidents. The IBM Cost of a Data Breach report revealed that 83% of organizations studied have had more than one data breach.

Shrinking budgets and rising inflation

Inflationary pressure drives prices up. But the impact is further amplified if security budgets shrink while other prices rise. The OpenText study revealed that 67% of SMBs spend less than $50,000 annually on cybersecurity. Fifty-nine percent reported plans to increase their security budget in 2023. However, 57% fear inflation will lead to a change in plans resulting in budget cuts.

Meanwhile, cyber criminals also face higher costs. To offset inflationary pressure, malicious actors may work harder to pay their bills. Or maybe criminals sense the time is ripe to attack as security teams suffer economically.

Starving teams

Security teams aren’t getting much relief from their team size, either. According to the OpenText survey, 68% of SMBs have fewer than five people on their security team. Meanwhile, more than half (58%) of respondents use external security management support. Among SMBs that don’t currently use a managed services provider (MSP) for their security needs, 65% are considering doing so.

Another study by VMware shows that 47% of incident responders said they experienced burnout or extreme stress in the past 12 months. Of this group, 69% have considered leaving their job as a result. Organizations are working to combat this, with more than two-thirds of respondents stating their workplaces have wellness programs to address burnout.

Another study from IBM Security conducted by Morning Consult surveyed more than 1,100 cybersecurity incident responders across 10 countries. They found that 67% experience stress or anxiety daily due to the pressures of responding to a cyber incident. Also, more than a third are working over 12 hours a day during the most stressful period of incident response. These engagements typically last about a month.

Are companies planning to expand their team size? This would certainly help ease the pressure. However, larger security teams seem unlikely as brands like Amazon plan to lay off thousands of workers. But what if companies really do want to hire new security pros? The tight technology labor market makes talent acquisition and retention difficult.

The recent ISACA State of Cybersecurity 2022 survey provided some key observations. Unfilled positions are on the rise and existing teams are understaffed.

Small and medium-sized companies are struggling

A Cynet survey interviewed 200 Chief Information Security Officers (CISOs) at small and medium-sized enterprises with five or fewer security staff members and security budgets of $1 million or less. This study found that a majority of these organizations were overwhelmed by ongoing waves of cyberattacks.

The surveyed security pros feel pressured by the same threats facing larger organizations, but SMBs lack the financial resources, staff specialists, training and advanced tools to consistently mitigate attacks. Other evidence points towards threat actors preferring smaller targets, such as companies with fewer than 1,000 employees. Those with limited defenses bear the brunt of attack volume with insufficient resources.

Wider economic impact

While each company must face its own security challenges, those challenges also create a wider economic problem. How do business owners assess and plan for the risk? What steps should they take, given the large potential consequences involved? Can they afford to spend millions on a data breach? What if they have more than one incident?

This uneasiness forces decision-makers to make hard choices. Do they invest in stronger security? Do they increase the price of goods and services? Either way, the economic impact is real. The IBM data breach report revealed that 60% of breaches led to increased prices passed on to customers. This drives inflation up even more, contributing to a vicious cycle of rising costs.

Security planning is core business planning

Given the widespread impact of security incidents, business leaders are more concerned than ever. This is why solid security planning has increasingly become essential for business success.

This may be why the Cynet survey revealed a significant year-over-year rise in the use of Endpoint Detection and Response (EDR) tools (from 52% to 85% of respondents), as well as a doubling of Extended Detection and Response (XDR) tool usage (from 15% to 30%). Among respondents, 77% indicated that EDR is now the number one tool for detecting threats, up significantly from 23% in 2021.

Not long ago, security pros thought not in terms of if but when an attack will occur. Now, CISOs must gauge how many times they will be attacked during any given time frame. Ransomware leads to financial, reputational and operational damage. Perhaps future business leaders will be the ones with the best security.
