A topic that is consistently arising in our current SME research is in relation to the highly publicised data breaches of leading brands, and the implications for SMEs. It seems that business owners may be ‘growing up’ when it comes to cyber security. In understanding this, we need to remember some of the key observations of recent years …
Historically our research has found that larger SMEs have been quite mindful of the importance of cyber security in their own business, but smaller businesses have largely been clueless, or in complete denial. What we are finding now is that the larger have dialled up the importance of cyber security even further, but for the first time, smaller businesses have become aware of the importance of cyber security. Some are taking action as a result – even if their actions may still seem rudimentary to an outsider (ie changing passwords, not using the same passwords for everything, introducing two-factor authentication where possible etc.) Such changes are not insignificant in the world of small business.
One of the key themes to emerge – which is rather subtle but is important – is that in the past, a key difference between those that were cyber-focused and those that weren’t was the issue of ‘responsibility’. Those that were more focused tended to think that cyber security was THEIR responsibility … whereas those less concerned (invariably smaller businesses) suggested that nothing was THEIR problem – they use Gmail so that’s Google’s problem … they use CBA so that’s CBA’s problem … they use Xero so that’s Xero’s problem. Such business owners aren’t saying this much anymore. So the notion that ‘sure we could get hacked but it’s not our concern’ has dissipated. They are taking far more responsibility themselves. Consider the comments from business owners who had previously been dismissive of the importance of cyber security … “For sure. For a while we were pretty lax with our passwords, you’d just use the same one for everything. But now we’ve updated pretty much all of our major passwords. You feel a bit invincible until something happens and then you’re ‘oh right, you do need a password, they’re there for a reason!’” (Bars/Pubs, 20 FTEs)
“My business is all about numbers – big numbers – so I don’t want that to get exposed, I don’t want people to know who is spending how much with me and all of that. Plus with direct debits and direct credits I’ve got customers’ card and bank details and I don’t want all that to be exposed. So for that I’ve done a 2-factor authorisation and any users of my company – if they’re logging in from an unauthorised device I get an email straight away.” (Wholesale Jeweller, 7 FTEs)
“My IT people who I use, do all the back-ups remotely, and they have a firewall and everything is protected that comes through the network in the pharmacies ... I'm not saying I'm immune from a cyber attack, but I think I've got a pretty good layer of protection, and there are people I would know to ring straight away if something did go wrong.” (Pharmacies, 20 FTEs)
“If any company didn’t think about their own cyber security while that was happening, I think that would be crazy.” (Communications Consultancy, 20 FTEs)
Those business owners that were already well aware of their cyber-risk have become even more paranoid because of the recent breaches. It has been a timely reminder of the importance of security in relation to their own business …
“It’s a really timely reminder to every single business that consumer data is a privilege, it’s not a right. And part of that privilege is that you need to protect it, otherwise that privilege will get taken away from you … To fraudsters you’re only as strong as your weakest door. And fraudsters have a way of finding the weakest door.” (Payments Fintech, 12 FTEs)
“It certainly concerns directors – even just the holding of customer data – it’s a great refresher about it being fraught with danger.” (Self Storage, 350 FTEs)
“I used to be an Optus customer. It hasn’t affected me but it does (impact me) from a health clinic point of view – it makes us more aware of the need to protect data. So Medical IT – the company that looks after our stuff – is always pushing to make sure that everything is secured, and secured offsite as well so there’s as close-to-zero chance of a data breach as possible … Every time you hear something like that it’s a reminder that we can’t get complacent.” (GP/Health Clinics, 22 FTEs)
“The breach was a significant thing for us, not because of the data breach – we weren’t affected by that personally – but in making sure that our own security is increased and that we manage that risk better … Now we’re like ‘okay we need to keep a closer eye on it’ as opposed to ‘oh no I’m not going to use Optus’. It’s one of those things whereby it’s always a risk for all businesses.” (Social Care Platform, 28 FTEs)
“I think this has been a really good thing for the industry because now everybody's talking about it and everybody's panicking and putting things in place to actually protect data.” (Online Marketing Services, 2 FTEs)
“We can already see the level of attempted fraud through identity theft – whether it be substituting of emails or supply of false invoices changing bank accounts. We have an obligation to keep looking at that and don’t assume that the institution’s protected from it. Just because you deal with a major bank doesn’t mean the major bank hasn’t been polluted.” (Misc. Business Services, 180 employees)
Conclusion
Our concern about SMEs and their cyber security behaviour has never been about the medium sized businesses … it has always been about the smaller businesses, many of whom felt that it was someone else’s responsibility. Of course, some still feel this way … but equally, many are starting to realise that THEY need to take some responsibility. This is quite a shift in their mindset.
