Small firms still struggling to tackle threat of cyber crime, one-of-a-kind security study finds
Scotland’s small businesses are aware of the increasing threat of cyber crime but are still failing to act on the threat effectively, according to what is thought to be the most detailed cyber security survey of small businesses in the past year.
Instead, they are being overwhelmed and confused by the amount of advice around cyber crime, the poll conducted by the University of Glasgow on behalf of the Scottish Government and Scottish Business Resilience Centre (SBRC) suggests.
The research, which was funded by a Royal Academy of Engineering Industrial Secondment Grant, found that, as a consequence, small firms are choosing to take only the most minor ‘common knowledge’ preventative measures, such as using anti-virus software and firewalls, which may leave them vulnerable.
The survey also shows that SMEs still do not regard the data they hold, whether their own or that of customers, as having value.
The study is the first of its kind to assess why Scotland’s SMEs are not doing more to protect themselves, despite the almost daily reports of companies being hacked, having personal data stolen or experiencing a loss of business.
SBRC director Mandy Haeburn-Little says the survey provides crucial guidance on how small businesses, government and other agencies all need to change their thinking to counter the threat of cyber crime.
She said: “It’s vital we do everything we can to support smaller companies including the many businesses who work from home. These findings will help us to do this. They show that SMEs do care and take cyber crime seriously, but they are hitting obstacles on what to do about it. However, also particularly concerning is that many small businesses still do not recognise that there is a value attached to the data they hold.
“The fact that there is so much advice online – and also significant levels of conflicting advice – is leaving them confused, bewildered and overwhelmed. The survey also shows that the majority of people simply turn to Google for advice despite there being several dedicated websites and portals of guidance available.
“This all points to the need to establish clarity over recommended actions and a single source for advice and contact. This is very much in line with the concept of the creation of a cyber hub for Scotland which would act as one trusted source of advice and cyber security services at affordable cost. SBRC is taking forward the scoping of this concept with more news on this expected in the next six months.”
The SBRC says it is considering how small businesses can be better supported with their specific needs, and what other simple measures could be introduced to keep cyber crime front of mind and help drive behavioural change.
University of Glasgow senior lecturer Dr Karen Renaud, who was seconded to the SBRC and who conducted the survey, found that:
95% of businesses carried out security activities that showed they did care about security, but only 15% thought they were at significant risk of being the target of an attack.
More than 50% said they consulted Google for cyber advice with less than 7% consulting Government websites. With 12 million results coming up on Google, firms feel unable to identify trustworthy advice and are left floundering.
The recent Cyber Breaches Security Survey, which was carried out by Ipsos Mori for the UK Government, found that two-thirds of large British businesses have experienced a cyber attack or breach in the last 12 months – one in four of which were attacked at least once a month.
More than half (53 per cent) of small businesses in Scotland think it is unlikely or very unlikely they would be a target for an attack and only 23 per cent feel completely prepared for one, with 19 per cent saying they have not taken any steps to protect their data.
The SBRC, whose partners include the Scottish Government, is now proposing to highlight the survey recommendations in its ongoing discussions with the Scottish Government and Police Scotland as part of Scotland’s developing cyber strategy.
It says cyber crime can take many forms, including theft, fraud, selling sensitive company data and sabotaging equipment.
In the past year, notable cyber attacks have included the TalkTalk scandal and the crashing of the BBC website; however, smaller firms are at an increased risk due to limited resources and lack of in-house IT capabilities.
As part of its cyber prevention guidance, the SBRC provides crucial, affordable services to protect companies – particularly vulnerable small firms – from e-criminals and scammers by working with ethical hacking students.
These assessments can vary from a cyber footprint review, which assesses what information is available online about a business or an individual and how that can be better managed, to a security test which looks to identify the risk of unauthorised intrusion from an external or internal source.
Other cyber assessments that can be carried out include cyber attack rehearsal, simple business hygiene checks for small companies and phishing simulation.