
Smaller organizations nearing cybersecurity breaking point – Source: www.csoonline.com


Strained budgets, overstretched teams, and a rise in sophisticated threats are leading to plummeting security confidence among SMEs as cybercriminals increasingly target them in supply chain attacks.

Limited budgets, overstretched IT teams, and a rapidly evolving threat landscape mean smaller organizations are approaching a “cybersecurity tipping point.”

The World Economic Forum’s (WEF) Global Cybersecurity Outlook 2025 report noted that “71% of cyber leaders say small organizations have already reached a critical tipping point where they can no longer adequately secure themselves against growing complexity of cyber risks.”

More than a third (35%) of small organizations believe their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022.

By contrast, the share of large organizations reporting insufficient cyber resilience has nearly halved over the same period.

Skills gap leading to deteriorating security outlook

Experts quizzed by CSO said that the rapid adoption of emerging technologies — which comes with the downside of fresh vulnerabilities that cybercriminals can exploit — together with a widening skills gap is contributing to a deteriorating security outlook for small and midsize businesses (SMBs).

“Cyber skills gaps are prevalent in SMBs largely due to a lack of resources and specialized knowledge,” says Tom Exelby, head of cybersecurity at managed security services firm Red Helix. “Many SMBs don’t have dedicated cybersecurity teams, and those in charge of security can lack the confidence to perform even basic cyber tasks.”

Small and medium enterprises (SMEs) that do have the budget to hire specialists often struggle to attract and retain skilled professionals due to the lack of variation in the role. Burnout is also a growing issue for the understaffed, underqualified IT teams common in small businesses.

“With limited resource in the business, employees are often wearing multiple hats and the pressure to manage cybersecurity on top of their regular duties can lead to fatigue, missed threats, and higher turnover,” Exelby says.

WEF’s report estimates that the cyber skills gap has increased by 8%, with two out of three organizations reporting moderate-to-critical skills gaps, including a lack of essential talent and skills to meet their security requirements. WEF’s findings are based on a survey of 321 qualified participants supplemented by 43 one-to-one interviews.

Resource constraints common in smaller businesses make maintaining even basic security posture an uphill struggle.

Steven Wood, director of solution consulting for EMEA at OpenText Cybersecurity, tells CSO: “Implementing and maintaining even basic defenses require strategies at multiple levels — user training, email threat detection, endpoint protection, DNS layer filtering, proper authentication, patch management, event monitoring, backups and drills — which can overwhelm small IT teams with limited budgets and headcount.”

Wood adds: “Given the scope of this list, it can be difficult for organizations to keep up with even baseline best practices for security.”

SMEs targeted by supply chain attacks

SMEs often mistakenly believe that cyber attackers only target larger organizations, but that’s often not the case — particularly because small business partners of larger companies are often deliberately targeted as part of supply chain attacks.

“Threats are becoming more advanced but their resources aren’t keeping pace,” says Kristian Torode, director and co-founder of Crystaline, a specialist in SME cybersecurity. “Many SMEs are still relying on outdated systems or don’t have dedicated security teams in place, making them an easy target.”

Torode adds: “They’re also seen by cybercriminals as an exploitable link in the supply chain, since they often work with larger enterprises.”

“SMEs have traditionally been low-hanging fruit — with limited resources for cybersecurity training, advanced tools, or dedicated security teams,” Adam Casey, director of cybersecurity and CISO at cloud security firm Qodea, tells CSO. “More often than not, cybersecurity is left to overstretched IT departments already juggling multiple responsibilities.”

Training shortcomings and regulatory headaches

Cyber training is another area where smaller firms are falling behind.

“Annual training modules are no longer fit for purpose given the rate of change,” says Dr. Rick Goud, CIO and cofounder of secure email vendor Zivver. “What is needed is more dynamic, context-aware education that is delivered when and where employees are most likely to make mistakes.”

In addition to challenges keeping up with the latest training, the proliferation of regulatory requirements around the world is also adding a significant compliance burden for smaller organizations.

“As regulations like NIS2 and GDPR become stricter, compliance is often left to senior leadership teams who are already juggling multiple roles,” Goud says. “Without a dedicated data protection officer or team, it’s easy for things to fall through the cracks, especially when third-party suppliers are involved.”

Worse, the need to comply with NIS2 in the EMEA region is eating into IT budgets, placing further strain on smaller organizations. Moreover, regulations like NIS2 and DORA are placing even greater pressure on talent markets and skills gaps.

Growing threats

Smaller teams, already struggling with limited cyber skills, are often ill-equipped to manage a growing array of threats. This is contributing to a widening gap in security maturity between larger and smaller organizations.

“Unlike large enterprises, SMEs often lack the budget and specialized personnel to secure a sprawling IT stack, especially as hybrid work and cloud adoption expand their attack surface,” says Robert Phan, CISO at cloud-based directory services firm JumpCloud.

Martin Greenfield, chief executive at Quod Orbis, also sees the shift to cloud and hybrid work environments challenging SMEs at a time when “threat actors have become faster, smarter, and better resourced,” he says.

Moreover, a small business monoculture of similar (cheap) security tools and much the same IT equipment — often set up in default (insecure) configurations — makes it possible for cybercriminals to automate attacks against SMEs at scale, notes Richard Werner, cybersecurity platform lead for Europe at Trend Micro.

As a result, security threats are evolving and growing faster than most SMEs can track, let alone remediate. For example:

  • Ransomware-as-a-service has professionalized: Today’s RaaS platforms offer affiliate dashboards, playbooks, negotiation support, and multi-extortion (combining encryption, data theft, and public shaming), raising both the technical sophistication and reputational pressure on victims.
  • New attack surfaces are rising around cloud and identity: “Poor IAM and exposed remote-access services have driven a surge in cloud-focused ransomware and account-takeover attacks,” according to OpenText Cybersecurity. “In 2024 alone, cloud ransomware incidents spiked as attackers moved beyond endpoints to steal API keys or abuse services like Okta and Azure AD.”

“Security threats are evolving faster than most SMEs can track,” Zivver’s Goud says. “AI-driven phishing, deepfake scams, and automated exploitation are all on the rise, but most organizations do not have the internal capability to monitor or respond to them. That gap is growing and so are the risks.”

Vulnerability surge

Small business IT teams have always struggled to prioritize and triage security problems — a problem that has only grown more acute in recent years as the volume of vulnerabilities has increased.

According to the Verizon Data Breach Investigation Report for 2025, vulnerabilities grew as an attack vector by 180% over the year prior. Looking at the number of software vulnerabilities reported, that number has gone up as well — from 25,059 in 2022 and 28,961 in 2023 to 40,077 in 2024.

“When you are a small team, that number of issues is just impossible to track,” Matt Middleton-Leal, managing director for EMEA at Qualys, tells CSO. “The right approach here is to grade potential issues for severity and then spend time on what matters. This can help every small team have a big business impact.”

Business dynamics also have a part to play in the increasing security problems faced by SMEs.

“SMEs have accelerated digital transformation to remain competitive or simply to stay operational during the pandemic,” Qodea’s Casey points out. “Yet many still lack the internal expertise to properly assess or address the security implications of this shift.”

Mitigation

While a wealth of information is available, such as the UK NCSC’s small business security guide, small businesses often find it difficult to find actionable guidance.

During a session at the Infosecurity Europe conference earlier this month, representatives of the CyCOS project explained how they were offering a community-based approach to support small businesses in becoming more secure.

CyCOS is a collaboration between three UK universities (Nottingham, Queen Mary, and Kent), and is supported by a variety of partners, including the Home Office, National Cyber Security Centre (NCSC), ISC2, the Chartered Institute of Information Security (CIISEC), and three regional Cyber Resilience Centres.

During the panel, Professor Steven Furnell, a CIISEC board member, pointed out that “SMEs have the security guidance but they don’t know how to take it forward by building communities, so that small businesses have someone to talk to apart from consultants.”

Industry experts argue that use of managed security services can help small businesses to become more resilient.

“In the short term, SMBs can solve the problem by partnering with a managed security services provider who can not only better protect them and respond to threats but also advise them away from overinvesting in security tech that they really don’t need,” says Red Helix’s Exelby. “To fix the long-term skills gap issue impacting the entire sector, education is a key alongside greater diversity.”

Automation is another vital security strategy for helping SMBs mind the gaps.

“Most small IT teams can’t manage the constant churn of alerts, patches, and manual controls — that’s why automation is essential,” says Albert Estevez, field CTO at Zero Networks. “By automating segmentation and access control, organizations can reduce risk and contain threats — without needing enterprise-sized security teams.”


Original Post url: https://www.csoonline.com/article/4003892/smaller-organizations-nearing-cybersecurity-breaking-point.html

Category & Tags: IT Strategy, Security Practices, Small and Medium Business
