While we all face similar challenges when it comes to cybersecurity threats, smaller organisations often lack the budget, resources, expertise and software to establish an effective defence, let alone foster a dedicated cybersecurity team. This disparity leaves SMBs vulnerable to an increasingly complex array of cyberattacks. In fact, nearly half of all cyberattacks globally are now targeting SMBs, with threats like phishing, ransomware, and data breaches becoming commonplace [1].
Unfortunately, the cybersecurity reality for SMBs is even darker. According to a recent study conducted by Sophos, 96% of SMBs are missing critical cybersecurity skills, making it difficult for them to defend against evolving threats. Unlike larger organisations, smaller teams have fewer opportunities for cybersecurity training, and 33% of the time no one is actively monitoring or responding to security alerts [1]. What is more, a 2023 report from DigitalOcean found that lack of time to manage security was the biggest security concern facing businesses (25%), followed by data loss or data theft (23%), ransomware attacks (12%), and DDoS attacks (10%) [2]. The same report also states that while cybersecurity is a major concern for SMBs, they mostly have no employees fully dedicated to security: 38% of surveyed businesses said they had zero employees dedicated to security as all or part of their role, and 42% had just one employee working on security [2]. Add to this the difficulty of retaining talent in an industry already experiencing high levels of burnout and stress [1], and the cybersecurity challenges facing SMBs become very particular indeed.
To address this lack of dedicated cybersecurity resources, SMBs are often left with the only practical option of building a non-dedicated cybersecurity team. This decision, however, also bears its own set of challenges and problematic areas, which we would like to discuss further. We would also like to provide you with some tips that might help you if you are running or considering running a non-dedicated cybersecurity team.
Working with cross-functional teams may seem like a straightforward and even advantageous approach. After all, integrating cybersecurity into the daily operations of existing staff can foster a stronger security culture and a sense of shared responsibility, which is something that larger companies often struggle to cultivate.
However, working with employees who take on cybersecurity tasks alongside their primary roles has its own set of challenges. The major disadvantage of this approach is that it places additional strain on employees who are already balancing multiple responsibilities. Training for new tasks also requires a significant investment of time and effort, for both employer and employee, which can itself be overwhelming. The more we dig into this issue, the clearer the risks become if roles are not properly distributed or if we fail to provide adequate tools and resources.
It therefore makes sense to follow a path of least resistance, so to speak, by assigning cybersecurity tasks to employees according to their existing roles while taking their interests and strengths into consideration.
In this manner, employees learn tasks that are associated with their current responsibilities, and the transition into assuming new duties is smoother and less cumbersome. Building on existing skills and interests also tends to make the team more motivated and productive, helping to avoid the growing threat of burnout and to build a better cybersecurity culture.
Therefore, we should first consider that some departments within an SMB can naturally take on some cybersecurity responsibilities, as shown in Figure 1 below.
While certain tasks may be assigned at the department level, others will likely need to be designated to specific individuals rather than entire teams.
When assigning cybersecurity duties to employees, however, we believe it's essential not only to consider their willingness to take on additional responsibilities but also to select individuals who possess some particular traits, as shown in Figure 2 below.
With 85% of organisations reporting increased burnout and nearly 74% of professionals taking time off for mental health concerns [1], the lack of dedicated cybersecurity personnel puts additional strain on employees who are expected to cover multiple responsibilities. Establishing cross-functional cybersecurity teams can inadvertently contribute to this problem, especially if employees tasked with cybersecurity duties on top of their already heavy workloads are not willing to learn.
There is more you can do to support employees in cross-functional cybersecurity teams and help mitigate burnout.
By investing in tools and automation, you can reduce manual workloads, making cybersecurity tasks more manageable for non-experts. Additionally, providing adequate training ensures that employees are equipped with the knowledge and resources needed to succeed in their roles. When employees feel prepared and supported, not only does the organisation’s security posture improve, but it also helps prevent burnout, fostering a more sustainable and resilient workforce. We discuss this in more detail below.
We would like to state at the outset that burying an employee under a set of online courses is often not helpful; quite the contrary. Such courses are often too generic, and asynchronous learning, while useful in many other ways, will most likely not provide the support, guidance and mentorship that employees tasked with new, high-stakes duties outside their area of competence need in order to succeed.
So, when building a non-dedicated cybersecurity team, we recommend investing in targeted, customised training designed specifically for your company’s needs, tools, and context – ideally as a follow-up to a security audit. This approach helps avoid burdening your employees with generic information and provides tailored advice that is directly applicable to your organisation’s unique environment.
Based on a generic SMB profile, there are four critical areas where cross-functional teams should focus their learning to ensure they can perform their cybersecurity responsibilities effectively:
You will notice that some of these areas are intended to be trained internally based on existing cybersecurity policies.
Regarding the tools and the automation used in the organisation, many vendors will offer their own courses and will also regularly host free webinars that focus on specific topics relevant to the use of their tools. These will help your team gain timely insights into current best practices regarding the tools.
Regarding the rest of the training areas, while online resources could be valuable, they often provide a broad and generalised overview of cybersecurity. For SMBs with unique industry challenges or specific regulatory requirements, these offerings may only partially address their particular needs. Non-dedicated teams, in particular, may need more time to sift through extensive, non-personalized content to find what is most relevant to their roles.
For a more practical approach, you could consider investing in tailored training programs that align with your specific cybersecurity needs. Customised training can be more efficient, focusing directly on the most relevant threats and regulatory obligations the company faces. Given the time constraints of non-dedicated teams, targeted coaching can equip them with the necessary skills without overwhelming them with unnecessary information.
Partnering with vendors that offer tailored cybersecurity training or coaching allows non-dedicated teams to:
As threats evolve, regular training sessions—whether through affordable online resources or customised coaching—ensure that non-dedicated team members remain prepared. Continuous learning doesn’t have to be time-consuming; even short, targeted refresher sessions can help teams keep up with the latest threats and best practices.
Last but not least, a core aspect of ensuring that your company is continuously improving is to review the frequency and effectiveness of cybersecurity training. Regularly assessing training efforts can help identify areas where additional education may be necessary or where education is ineffective, redundant or overwhelming for your teams.
Policies are the backbone of any cybersecurity strategy, and for SMBs these policies need to be clear, practical, and easy to follow. Overly complex procedures confuse employees, leading to mistakes or negligence. Focus instead on simple, actionable guidelines that employees can incorporate into their daily routines; these support your team and actually serve the purpose they were written for.
Key areas for policy development include:
A key component of creating these policies is making them accessible and easily understandable for all employees, regardless of their technical expertise. Leaders should ensure that policies are regularly reviewed, communicated clearly, and, most importantly, enforced consistently across the organisation.
The right mix of budget-friendly and easy-to-use technologies can help your team protect the organisation from cyber threats without overwhelming their already limited time and resources.
SMBs often need to prioritise cost-effective tools that do not compromise security. Fortunately, many open-source cybersecurity tools can meet the needs of non-dedicated teams. In our blog we have also written a guide to introducing open-source security tools for startups and SMBs [3], which may be useful to you. To recap its main points, here are the main tool categories you might consider including:
These open-source tools are both affordable and efficient, making them ideal for SMBs with non-dedicated teams. While they may come with a steeper learning curve, choosing tools with vibrant, active communities can provide valuable support and resources for your teams. Even with this initial challenge, an open-source tool is far better than leaving your organisation unprotected and your non-dedicated security team unsupported. Additionally, the flexibility and cost-effectiveness of these solutions make them a worthwhile investment for enhancing your security posture.
One of the greatest challenges for non-dedicated cybersecurity teams is time. By automating key security tasks, these teams can focus on more critical business operations without leaving the company exposed to unnecessary risks. Several important tasks that can be automated include:
Automation is key for non-dedicated teams who may not be available to monitor threats 24/7. By relying on tools that handle the heavy lifting, teams can stay protected while minimising their workload.
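The kind of "heavy lifting" meant here can be quite modest in practice: a scheduled script that reads yesterday's authentication log and hands the part-time security owner a two-line digest is far more likely to be read than a raw log. The following is an added example written for this article, not code from the original post or from any product it mentions. It assumes sshd-style auth log lines, a threshold of five failures within five minutes for flagging a brute-force source, and a fixed year for parsing syslog timestamps (which carry none); every host name, user and IP address in the sample is constructed.

```python
"""Offline triage of sshd-style authentication logs into a short digest.

Added example for this article (not the original post's code). Log format,
thresholds and the `year` used to parse syslog timestamps are assumptions;
all hosts, users and addresses below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not real data).
SAMPLE_LOG = """\
Mar 14 02:01:10 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 14 02:01:15 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 02:01:19 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 14 02:01:25 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar 14 08:15:02 web01 sshd[3101]: Failed password for alice from 198.51.100.23 port 40011 ssh2
Mar 14 08:15:40 web01 sshd[3102]: Accepted publickey for alice from 198.51.100.23 port 40012 ssh2
Mar 14 09:30:11 web01 sshd[3300]: Failed password for bob from 198.51.100.44 port 40201 ssh2
Mar 14 09:31:02 web01 sshd[3301]: Failed password for bob from 198.51.100.44 port 40202 ssh2
Mar 14 09:31:09 web01 sshd[3302]: Accepted password for bob from 198.51.100.44 port 40203 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, host, user, ip) for every failed-login line.

    Syslog lines carry no year, so the caller supplies one (assumption).
    """
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["ip"]


def find_brute_force(text, threshold=5, window_seconds=300):
    """Return {ip: (total_failures, first_ts, last_ts, users_tried)} for every
    source IP with at least `threshold` failures inside any sliding window of
    `window_seconds`. A single mistyped password never trips this."""
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, _host, user, ip in parse_failures(text):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)

    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(stamps), stamps[0], stamps[-1], sorted(users_by_ip[ip]))
                break
    return hits


def password_guessed(text, min_failures=2):
    """Flag (user, ip, failures) where a *password* login was accepted after
    at least `min_failures` failed attempts for the same user from the same IP.
    Key-based logins are ignored: a prior typo followed by a key login is normal."""
    failures = defaultdict(int)
    flagged = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[(m["user"], m["ip"])] += 1
            continue
        m = ACCEPTED.match(line)
        if m and m["method"] == "password":
            n = failures[(m["user"], m["ip"])]
            if n >= min_failures:
                flagged.append((m["user"], m["ip"], n))
    return flagged


def digest(text):
    """Produce the short list of lines a part-time security owner should read."""
    lines = []
    for ip, (count, first, last, users) in sorted(find_brute_force(text).items()):
        lines.append(f"BRUTE FORCE  {ip}: {count} failures {first:%H:%M:%S} to "
                     f"{last:%H:%M:%S}, users tried: {', '.join(users)}")
    for user, ip, n in password_guessed(text):
        lines.append(f"CHECK LOGIN  {user}@{ip}: password accepted after {n} failures")
    return lines or ["nothing to review"]


if __name__ == "__main__":
    print("\n".join(digest(SAMPLE_LOG)))
```

Run against the sample, the digest flags the scanning host and bob's password login after two failures, and stays silent about alice's single typo followed by a key-based login. The point of the two separate checks is that the second one (a success after failures) is the event worth a phone call, while the first is usually just noise to block; a script like this, run from cron and mailed out, is what lets someone with a day job still "monitor alerts" without staring at a console.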
When a cybersecurity incident occurs, clear communication is essential for rapid response. For non-dedicated teams, establishing a straightforward process for reporting security issues can save valuable time and prevent confusion in the event of a breach.
By having clear communication channels and an organised process for incident reporting, SMBs can respond to cybersecurity threats more efficiently and with less confusion.
An incident response plan is a set of instructions designed to help employees respond to cybersecurity threats in an organised and efficient manner. For non-dedicated cybersecurity teams, the complexity of such plans must be minimised to ensure they are easy to execute, even during stressful situations.
Without an incident response plan, you may waste valuable time scrambling to understand the extent of the damage or who to contact. A well-constructed plan ensures that everyone knows their role and that response steps are clearly laid out, reducing panic and confusion. This is especially crucial for SMBs, where resources are limited and a quick response can contain a minor incident before it escalates into a major, resource-intensive breach.
An effective incident response plan should focus on key steps to manage and recover from security incidents. A simple plan outline is illustrated as a basic framework to follow in Figure 3 below.
More interesting, however, are the roles of each team member in an SMB where cybersecurity responsibilities are distributed across various employees, and we do not have a dedicated cybersecurity team. A generic structure on how non-dedicated team members can contribute based on departments is illustrated in Figure 4 below, following the department breakdown established at the beginning of this article.
By assigning clear roles and responsibilities in the incident response plan, SMBs can ensure that each team member knows exactly how they should contribute, making the response process faster and more effective.
Not every security incident is a catastrophic breach, but even minor incidents—such as a phishing attempt caught early or an employee accidentally downloading suspicious files—offer valuable learning opportunities. SMBs should create a culture that encourages reporting these smaller incidents and treating them as opportunities for improvement.
Alongside learnings from incident response, regular reviews of cybersecurity practices are crucial for identifying gaps in your business’s defences and ensuring that existing protocols are being followed. Consider setting up periodic evaluations depending on the size and complexity of your business.
Key areas to focus on during these reviews include revising established security policies and procedures, ensuring that software products and systems are up to date and well maintained and that learnings from incidents are incorporated into your policies, procedures and operations.
While non-dedicated cybersecurity teams can handle many day-to-day security responsibilities, periodic collaboration with external experts is highly beneficial. Working with security consultants or penetration testers on a project basis can provide an outside perspective and help the organisation identify weaknesses that internal teams might miss. Some beneficial collaborations might include:
By taking small, consistent steps—such as gradually introducing security practices, training staff, and automating processes—SMBs can build an efficient cybersecurity strategy with non-dedicated cybersecurity teams. Regular reviews, learning from incidents, and external support when needed will help ensure continuous improvement, which, combined with the right tools and automation, will support a robust security culture within your business.
People, as cliché as it may sound, are the biggest asset in any company, especially in IT-intensive settings where talent is often scarce. This is why careful consideration is needed when approaching security through cross-functional cybersecurity teams to avoid overwhelming and burning out employees. A well-thought-out balance between manual tasks, automation, and tools will be key for this process, as well as thoughtful training and regular audits.
Integrating cybersecurity into existing roles can foster a culture of shared responsibility, but it’s important to implement this approach gradually and with the right support. Automation can ease the burden on non-dedicated teams, ensuring that threats are detected and addressed promptly without exhausting staff. Regular training and tools for incident response can equip employees across departments to stay vigilant and contribute to the organisation's security posture.
Ultimately, while resources may be limited, with careful planning and attention to employee well-being, SMBs can build resilient cybersecurity practices that protect their assets and ensure compliance with industry regulations.
References: