Your monthly business update from Cameron Research

SMEs and Cyber Security – so many are clueless


The attitudes of SMEs toward cyber security remain incredibly varied. Accordingly, cyber security continues to be one of the great concerns (and great opportunities) in the SME arena. We have been monitoring it for years, and maybe the most puzzling aspect of all is that the Covid 19 era – and the Work From Home implications of that – had virtually no impact on SME attitudes/behaviour toward cyber security. In fact, 2020/21 perspectives on cyber security merely enhance what has been observed in the past … those that were initially concerned about cyber security are likely to be MORE concerned now than a year ago … but those that weren’t concerned a year ago are not concerned now either. But levels of concern have almost nothing to do with the WFH trends. Those that are more cyber-aware simply attribute this to broader events/awareness of attacks/phishing rather than a Covid 19 related development. In fact, it is curious that hardly any SMEs pointed to the cyber security implications of the distributed/WFH workforce.

There are three types of SME when it comes to cyber security.  (These are generalisations but largely accurate) …
 
  1. Micro businesses who either think that they are not at risk or think that their suppliers have this risk covered.
  2. Micro businesses that are tech-savvy/focused … who realise that cyber security IS important and they behave accordingly.
  3. Medium sized businesses … most of which think they are too big to take risks with cyber and realise that it is an aspect of their business that they need to manage.

 
Sadly, most small businesses fall into the first category. They think that their business simply wouldn’t be on the radar of a potential attacker … or that their suppliers – for example, their bank (in the case of online payments) … or Google (in the case of Gmail) … or their cloud provider (for almost everything) – have this covered. Included in this category are small businesses that completely outsource this part of their operation to their ‘IT adviser’. But some don’t … and most of those that do have no idea what protections are in place or if they are adequate. Would it be unkind to suggest they are almost clueless? …
 
“I don’t feel like I’m a good example of what to do for that to be honest. I don’t actively do anything. There’s a guy who’s helped me set up my computer and I think there’s a standard thing that’s set up when you set up a computer and that’s as far as I get!” (Health consultant, Sole Trader)
 
“I have no clue about these things. I would think that the bank portal should be providing the security on their side of it. I’ve got no idea.” (Cafe, 5 FTEs)
 
“I figure they could hack into my systems but knock yourselves out, what are they going to find? I don’t have payment systems which I think is basically the risk.” (Leadership/HR Consultant, Sole Trader)
 
“Logically I should be concerned because once I was hacked quite badly and I should have changed all my passwords but I haven’t. But no, it doesn’t bother me. I’ve just got McPhee protection on all my devices. (Q: Is that sufficient do you think?) Probably not. But I think I’m reasonably aware, any email that looks remotely like it’s not for me I don’t open, I just delete it immediately and if I’m going to do my banking in the website, I always have a quick look at the website to see if it looks normal.” (Financial Training/Investing, Sole Trader)
 
“I’m not sure if we are a massive risk – I’ll touch wood on that one – I often wonder with a business such as ours, unless they’re particularly after our money, someone’s not going to get a huge amount of information out of us – ‘look, so and so is building a really nice bathroom’. I’m not sure if that’s really what they want.” (Designer/Builder, 7 FTEs)

 
As noted, the key exception to these micros that have their head in the sand are those that are tech-focused …
 
“It’s a big problem, a big challenge. That’s what keeps me up at night – in the event of a ransomware attack, having the right insurance, having the right cyber security. Investing into cyber security as a platform is very costly and then having policies and procedures ... and how to manage them and training all of those things ... Thinking through all of those things is absolutely critical. There have been so many attacks this year on platforms that are vulnerable ... From a business perspective, we have the right processes in place and security done but even then, there will be vulnerabilities that we may or may not be exposed to, so you have to constantly keep updating.” (Online retail insurance portal, 3 FTEs)
 
In contrast, medium sized businesses tend to view cyber security as a key risk in their business.  Each year these businesses become more aware of, and concerned about, cyber security risk.  Oddly though, hardly any of the medium sized businesses we’ve interacted with attribute their greater awareness of cyber risk to any Covid 19 developments such as a distributed workforce.

“We’ve had a couple of attacks but nothing that has broken through as yet. But we’ve upped our investment in that area significantly from where it was 2 years ago. So I think that we’re a lot more acutely aware of the risk. And there’s a lot of risk around inventory and inventory systems and pricing models that if that got corrupted it would cause all sorts of issues. So they are real issues … If I just go back 2-3 years it wasn’t really on the radar. Now it’s very firmly on the radar.” (Retail, 500 FTEs)
 
“People like me are at a loss as to how you can ringfence your data. And not just your data but the privacy of all those customers, credit card numbers and all sorts of stuff. So we lifted insurance based on it, consultants in to get systems in place, red flags if certain things happen – all very technical – and I’m not going to profess to know how it works – but we had to spend some money on it.” (Self storage, 400 FTEs)
 
“We’ve had to address our cyber exposures and we have had an issue with social engineering where there was quite a big loss that we suffered as a result – so it’s on the rise. Someone hacked in and stole someone’s identity and they basically pilfered a large amount of money. So we’re addressing all those issues.” (Insurance broking, 70 FTEs)
 
“There’s been a bit in the media ... even the government - ScoMo came out and said this is the next big thing ... and we’ve picked up on a few things that could have been very bad for us that we picked up early.”  (Steel Manufacturer, 56 FTEs)


Conclusion 
  
As is so often the case in the SME community, the greatest concern in relation to cyber risk is the behaviour of the couple of million smallest businesses.  So many of them have no meaningful cyber risk protection in place.  As we commonly see, it is important … but not ‘urgent’ – and business owners tend to focus on what is urgent, not on what is important.

Copyright © 2021 Cameron Research, All rights reserved.


Mobile: 0419 525 579

info@cameronresearch.com.au
www.cameronresearch.com.au



PO Box 636, Kew, Vic, 3101





