07-04-2009 16:29

As a long-time security consultant to the SME sector I have over the years empirically identified some consistent patterns of resistance to accepting the scale and nature of current infosec risks, and to implementing appropriate defences. So when I recently discovered that the Business Crime Reduction Centre based in Sheffield had researched this issue formally, I took the opportunity to pick the brains of Head of Unit David Stockdale.
MB: So David, first off, could you tell us something about the unit and its remit?
DS: The BCRC offers free and impartial physical and ICT security advice to small and medium sized businesses in the Yorkshire and Humber region. It’s funded by Yorkshire Forward and the European Regional Development Fund.
MB: And you recently undertook a survey of SME attitudes to infosec?
DS: Yes. We won a competition to produce e-crime advice for SMEs through the Cyber Security Knowledge Transfer Network. To shape this work we undertook focus groups and a questionnaire-based survey with SMEs nationally.
MB: So can you sum up your basic findings?
DS: There was a snowballing effect in SMEs' knowledge and values around e-crime. One misconception led into another. So they generally believed they were too small to be of interest to hackers, due to the stories of data theft/loss that were generally in the media. SMEs didn't know if they had or hadn't been hacked; it had made no difference to their current operations if they had, so again, why worry? There was a lack of knowledge on the threats and solutions, and a reluctance to learn more as they saw it as overbearing and too much to take on board. All of this led to a 'head in the sand' reaction, or a belief that the cover they had (which generally was what was on their systems when they were bought) was adequate.
MB: That’s a pretty depressing picture, but it chimes rather well with my own experience. Can you suggest what other factors might contribute to this ‘head in the sand’ approach?
DS: The reluctance to engage with the threat or problem, and the lack of understanding, led to a mistrust of the IT professionals who were selling the solutions. There was a belief that they were being sold products they did not need, and which were over the top for their situation. There was no way for SMEs to check if an ICT solutions provider was a trusted source, or understood the products they were selling and whether they were fit for purpose.
MB: At first sight, a pretty serious indictment of the ability of the vendor community to communicate the issues. But of course there is a very real problem of perfectly good security products that do not scale well downwards, particularly in terms of cost. The primary market will always be a medium-scale corporate one, and SMEs may simply be falling off the map.
DS: Yes, cost was also a factor. At any level security is seen as a grudge purchase by SMEs, and not something that productively adds to the bottom line. This was more so with ICT security purchases. As one contributor put it, 'CCTV is easier to justify to the boss, than anti-virus software. With CCTV you can see it, it acts as a visual deterrent and the outcome is clear.'
MB: Of course that seems a valid argument when you’re competing for budgets. It’s difficult to justify an invisible protection for an invisible threat. But a major component of security being sound management processes, what did your survey reveal about that?
DS: The survey results showed that 21 per cent of MDs of SMEs do not know if they have anti-virus software. If they do not know, in a company of 10 or fewer employees, who does? Who is driving ICT security in smaller businesses? 10 per cent of businesses did not have anyone identified as being responsible for ICT. This was also the percentage of companies that did not back up their data, showing a clear link between having a nominated IT responsibility and ensuring data is backed up.
MB: That accords with my own experience. If they seek anything at all, it’s illusory ‘fire and forget’ technical solutions, without realising that no technical fix can substitute for proper security management. It would be interesting to know whether it was the same 10 per cent who did neither. However, given the overall situation, what do you feel would make the greatest single contribution to change?
DS: Increased education and awareness of the risks SMEs face would obviously help. The language barrier between the ICT community and business people also needs to be bridged so that the threats and solutions can be explained and understood in layman's terms. The 'e-crime - What Your Business Needs to Know' guides are hopefully the first step in this process and are available to download free of charge from www.bcrc-uk.org.
MB: Thank you David. So there we have it. It seems that although technologies offer necessary protection, alone they will not curb the information security threat, even if we get SMEs to buy into using the technologies. This serious threat to business is not going to go away - indeed it is growing as organised crime gets ever further involved - but it is still seriously under-rated by the SME community. So I think this research deserves applause for highlighting the real issues - awareness, communication and management commitment - and I hope the efforts of the BCRC serve as an impetus for the funding of similar initiatives in other regions, or indeed ultimately a national programme of co-ordinated security advice and support for smaller businesses.