In July 2017, insurance company Zurich reported that in the UK alone, 875,000 small and medium enterprises (SMEs) had been affected by a cyberattack in the last year. Over a fifth reported that the attacks had cost them more than £10,000, with one in ten saying they had lost more than £50,000. That’s not a small amount of money no matter who you are, but for a small business, attacks of this scale could seriously hamper their operations, or even shut them down forever.
These SMEs can often be described as being below the ‘security poverty line’, or below the point at which a company cannot, for whatever reason, effectively protect itself from cybersecurity threats.
Wendy Nather, principal security strategist at cybersecurity firm Duo Security, was the first to coin the expression, and warns of the potential dangers of being inadequately prepared for cybersecurity threats. “With automation, it’s very easy now to scan the internet and find that unlocked door that you can exploit,” she says “many businesses are already at risk and just don’t know it.”
Dangerous economic attitudes within cybersecurity
Duo Security recently partnered with market researchers YouGov to survey 1,009 senior decision makers in SMEs across the UK, and discovered that 36% of respondents believed themselves to be operating at or below the security poverty line, and that 38% can’t or won’t spend anything at all on cybersecurity protection in the next financial year.
Budgeting for security purposes should include protecting a business against cyber threats, but the high price of such protective technologies dissuades many from engaging with them, and many smaller enterprises simply cannot afford their implementation. However, Nather believes there are so many dynamics in play that simply making security products more affordable would not necessarily be a solution to the problem.
“58% of respondents said that free cybersecurity products would be the most helpful for their security purposes, but we also asked them to agree or disagree with the statement that ‘overall cybersecurity is too expensive for small businesses like ours’, 47% agreed and 40% disagreed,” she comments. “There’s quite a split – yet they still said that getting free products would be the most helpful to them.
“These businesses are not only suffering from small margins and the inability to spend on security, but also a shortfall of expertise in that people who understand cybersecurity are very expensive to find and hire.”
At the same time, Nather admitted that it is very tricky to encourage SMEs to put aside money for cybersecurity purposes, as in reality no one truly knows how much the right amount to budget is.
“I did a study where I asked a number of security professionals what they would recommend to a CSO who was on their first day on the job in a 1,000 person organisation and what they should buy for effective security. None of them gave the same answer,” she comments.
But if cybersecurity professionals cannot agree on the right advice for startups and small businesses, how can they be expected to appropriately protect themselves?
The hikers and the bear: misconceptions about SME cybersecurity risk
The UK government has set up cybersecurity initiatives to aid enterprises in protecting themselves against cyberattacks. Cyber Essentials claims to help organisations to take the first steps in protecting themselves against the most common dangers, yet according to Duo Security’s survey, only 26% of small businesses consider the government’s initiatives effective. Indeed, many of the businesses questioned had never even heard of the initiatives.
Innocence and ignorance of cybercrime matters is endemic of a wider issue. Of those surveyed, 45% didn’t consider themselves to be at risk at all, meaning they were far more unlikely to seek help in protecting themselves. “It’s a common problem not just with small businesses but with large ones as well,” explains Nather. “One of the most common disagreements people have is over the likelihood of an attack happening. They might agree on the potential impact, but if they don’t think it’s going to happen then they’re really not going to bring out the chequebook and pay to manage that risk.”
The failure is not necessarily theirs, though. Most have only heard of cybercrime through the media, of huge multinationals being subject to large-scale data breaches. It’s easy to see why a smaller company might not see itself as on the radar of such sophisticated criminal activity.
Nather, though, believes this is a dangerous preconception.
“The problem is that there are two types of attack: there are targeted ones and there are opportunistic ones. If attackers are simply scanning for an open door anywhere, then small businesses are just as likely to be as attacked as large ones,” she says.
“There’s that old expression of the hikers and the bear. One hiker says to the other, ‘I don’t need to outrun the bear, I just need to outrun you’, and that’s what many people’s approach is to cybersecurity, but the problem is that today there’s more than enough bear to go around.”
The carrot or the stick: strategies for encouraging better cybersecurity
Governments have typically struggled with how to approach cybersecurity. Most opt for one of two attitudes: incentives to encourage proactive behaviour, or retroactive punitive measures – the carrot or the stick. The problem with punishing a company for a data breach, though, is that it is difficult to prove negligence in an environment where many are entirely illiterate.
“I’ve never been a fan of the ‘the beatings will continue until morale improves’ approach to cybersecurity. It’s very hard to incentivise any organisation through punishment if you’re not sure that they really can achieve what you’re expecting them to achieve.” comments Nather. “But at the same time, depending on the kind of incentives that you create, they may not be attractive for smaller businesses.”
Perhaps it is unfair to expect the government to be able to appropriately provide guidance in this area. Cybersecurity is an incredibly fast-moving area, and may well be difficult for government to react quickly enough. However Nather believes that private ventures would struggle too, commenting that competing commercial interests would only harm the end user. “I do suspect that the answer is somewhere in the middle. A public and private partnership could sit down and look at all the factors before trying to work up the right incentives, technology answers and economic conditions.”
But what does Nather think the solution to the SME security problem is? Well it is certainly not simple. “Part of the problem is that we’re expecting small businesses to have the same level of knowledge on these topics that security professionals have, and I don’t think that’s fair,” she says.
“It may involve reducing the number of choices of technology platforms for companies and saying ‘these things are too important to be left in your hands to secure, therefore we’re going to create centralised infrastructure that everyone needs to use at minimum’. All I know is that we don’t understand the scale of the problem just yet.”