We regularly hear that smaller businesses are not very interested in cyber security and that this is creating weak links across supply chains. But why are they not interested? What is stopping them from adopting simple good practices? And what can we (and the government) do to help more?
To get some answers to these questions, we held three roundtable events in Edinburgh, Manchester and Birmingham this week to meet some members who work in small businesses or practices and listen to their views. While lots of ideas came out of the three events, there were two strong and consistent themes.
The main issue is lack of time. While there are some SMEs who are in total denial about their risks, many small businesses are aware of cyber security issues. Their biggest problem is finding time to take action - there is always something more urgent that needs to be dealt with.
This is strongly linked to the relatively low prioritisation of cyber security issues, and the difficulty of linking ‘cyber’ as a concept to specific business risks - disruption, reputational damage and loss of IP etc. Until businesses get better at doing that, it’s difficult to see how they will be able to raise it up their agendas.
This is something that applies to businesses of all sizes. But the limited and often stretched resources of smaller businesses mean that it is a particular issue here. In many cases, it’s only when businesses experience failures themselves that they make it a high priority.
It’s all about people. One of the problems with cyber security is the word ‘cyber’, which makes it sound very technical and IT-focused. But in most cases, we are talking about human issues. The greatest fear of many participants was employees falling for phishing emails or other social engineering scams. As a result, building basic skills at all levels is a major part of improving security in practice.
The question of trust was also raised by many participants. Businesses always need to be alive to the internal threat - employees or ex-employees stealing sensitive data, such as customer lists, for example. But how do you find IT staff or cyber security specialists you can trust? Given that small businesses can’t have all the knowledge in-house, they have to rely on others. But there were worries about finding good suppliers and knowing who to trust.
As a result, one of the key learnings for us is that there is a real need for simple training to help everyone in small businesses to be a bit more savvy around cyber threats. We have been working with BIS on a short e-training module which will be freely available later in the year and which we hope may plug the gap a bit here.
I’ll do a full write-up of the events (which included a briefing from BIS on the new Cyber Essentials scheme) in Chartech. In the meantime, if you’re interested in taking an early look at the training package and testing it out, let us know.