The UK is home to around 5.5 million Small and Medium-sized Enterprises (SMEs). They collectively account for 99.9% of businesses, generating three fifths of employment, and with a combined turnover of £2.3 trillion. As such, they represent a vital element of the economy and a significant national asset, which in turn, highlights a need to ensure that they are protected. The connected and IT-dependent nature of modern businesses means that the cyber perspective will be crucial here, but smaller organisations are typically not well placed in terms of related expertise and capability. Many take steps to outsource their security, in the hope that someone else will manage it (although even this arguably requires some knowledge of where to look and what to look for), whereas others may be reliant on limited in-house knowledge or potentially, overlook things entirely.
The annual DSIT study of Cyber security skills in the UK labour market consistently reveals a lack of basic skills, with the 2023 results indicating that 50% of businesses have a basic skills gap in relation to technical cyber security (estimated to equate to approximately 739,000 businesses). The basic skills referred to in this context includes areas such as configuring firewalls, detecting and removing malware, and choosing secure settings. The gap is lower in large businesses (18%), highlighting that smaller organisations face the more pronounced problem. Many SMEs are consequently ill-positioned to attend to their own needs, leaving them both exposed and dependent upon further support in the event of incidents, or when making security-related decisions (including those around technology adoption and procurement).
More directly highlighting a challenge for smaller businesses, the latest release of the UK Cyber Security Breaches Survey suggests a drop in attention toward a range of basic cyber hygiene related activities, such as use of password policies, use of network firewalls, and timely application of security-related software updates (all of which have declined around 10% in the last two years). The survey observes that the results in large businesses have not changed, and so the difference is attributable to the SME community (and in particular, to the situation within micro businesses). While the decline may be explained by factors such as post-pandemic challenges and financial pressures during an economic downturn, the net result will nonetheless be that organisations are less protected and at greater potential risk from incidents and attackers (which in turn, could have more serious consequences and costs for the affected businesses). Such factors further highlight the potential for SMEs to be even more exposed and in need of greater support.
In parallel, SMEs face an increasing expectation to address cyber security and comply with good practice. An example is the increasing requirement for compliance with Cyber Essentials, where SMEs can potentially find themselves obliged to meet standards that they lack the skills to action.
This backdrop provides the context for a new 2.5 year research project led by the University of Nottingham, in partnership with Queen Mary University of London and the University of Kent. The aim of the research is to better understand the cyber security support needs of the SMEs (particularly those of smaller businesses), and to pilot a new approach that engages them in further supporting each other.
The initial phase of the research seeks to establish SMEs’ current understanding and confidence around cyber security, as well as their awareness and perceptions of available support. It will examine the situations in which SMEs may seek advice and support (e.g. what happens when they have concerns, questions, or indeed, incidents), and the extent to which they feel that they achieve effective outcomes. At the same time, consideration will also be given to the existing routes for support, looking at the coverage and consistency of advice, as well as the confidence and capacity of those offering it.
Based upon the findings from these initial activities, the research will then take a more specific focus by attempting to track and analyse individual ‘support journeys’ from participating SMEs. The intention is to determine a set of related case studies, looking at the nature and extent of support being sought, and the factors that lead to successful or unsuccessful outcomes. The ultimate aim of the project is to then use the collective findings to inform the design, implementation and piloting of Cyber Security Communities of Support (CyCOS).
These will be a basis for local collaboration and cooperation between SMEs and associated advisory sources, with the community offering a basis for SMEs to identify and share their support needs and have contact with advisory sources positioned to help them (which may include peer support from other SMEs). The project aims to trial the operation of the CyCOS via three pilots, enabling a practical evaluation of the approach, with a view towards establishing a repeatable model that can be adopted more widely.
SMEs that would potentially be interested in being kept updated or contributing to the work are invited to contact the research team via [email protected].
Equally, if you would like to learn more from Professor Steven Furnell on how we, as a cyber security community, can better support SMEs, be sure to attend his Global Cyber Summit session at International Cyber Expo (London Olympia) at 5pm on the 26th of September 2023.
He will address the following:
- Recognising the support needs of small businesses, including their current understanding and confidence around cyber security
- The coverage, consistency and accessibility of existing support routes available to SMEs
- The concept of Cyber Security Communities of Support, fostering localised collaboration between SMEs and advisory sources
To register for FREE as a visitor: https://ice-2023.reg.buzz/eskenzi