It is well known that Small and Medium Enterprises (SMEs) are being targeted by cyber criminals, and that many fall victim to attacks. We carried out an investigation, funded by the Scottish Government, to find out what the state of play was for UK SMEs. We surveyed 361 small businesses (with fewer than 250 employees) across the UK to determine their experience of attacks, attitudes towards cyber security, and to assess their current practices in terms of controls they implement and precautions they take in the cyber domain. We asked them several questions to assess their “cyber situational awareness”, based on Endsley’s (1985) theory[1]. Our questions were aimed at assessing SMEs’ awareness of:
- The reality of cyber security threats.
- The precautions and controls they could take.
- The need to act upon their knowledge.
These issues are critical for a successful cyber security strategy, as awareness is the first step towards implementing appropriate safeguards. We then tested whether this awareness (or lack thereof) significantly predicted their current implementation of controls and precautions. Our results indicate that:
- In terms of their awareness of cyber security threats, we discovered that half of the respondents did not search for any advice about cyber security. Only 4% searched for advice from the UK government’s excellent website to inform themselves. A third of single-person businesses were not even aware of the fact that the government offered such advice.
- We then examined how aware they were of controls and precautions. The UK government has several schemes to support businesses in this respect but, once again, many of our respondents were unaware of this fact. Over half of the participants avoided looking for advice about what they ought to do, because they were overwhelmed by the amount of advice online and did not know how to prioritise it.
- Finally, we analysed the third kind of awareness, related to the need to take action. Here, we discovered that many businesses suffered from one of two misperceptions. The first is the halo effect, where they believe that what they are doing must be sufficient since they have not yet experienced an attack. The second is a belief that they are too small and insignificant to be attacked. Both misperceptions can lull SMEs into a false sense of security.
We used Partial Least Squares Structural Equation Modelling to analyse the predictive relevance of the data and discovered a significant impact of this lack of awareness on the precautions and controls SMEs implemented.
What can we do about this state of affairs? An awareness of the threats, and of the advisable precautions and controls, is clearly lacking. Both gaps are rooted in the fact that SMEs are not consulting authoritative sources. They tend to use a regular search engine to look for advice, and then become overwhelmed by the sheer volume of advice, which they have no way of judging or prioritising. Many become discouraged and then rationalise their lack of action by believing that they are too insignificant to attack, or decide that what they are currently doing must be adequate. This false sense of security can have a disastrous impact on the business should it fall victim to an attack.
[1] Endsley, M. R. (1985), ‘Toward a theory of situation awareness in dynamic systems’, Human Factors 37(1), 32–65.
SMEs urgently need trusted and actionable cyber security advice, tailored to their context. Such advice is often available from Government sources, as is the case in the UK. However, such provision is essentially based on a passive paradigm – assuming that SMEs will come to this authoritative source and benefit from the advice. Our study brings into question whether this is optimal. It is clear that a more proactive paradigm is required – reaching SMEs where they are in their local contexts, to ensure that they become more aware of the right sources of advice and assistance.
Assuming that we can ensure that SMEs obtain the correct advice, the next step is to ensure that their misperceptions are addressed. SMEs need to understand that (a) their current practice is likely to be insufficient, and (b) they are not too insignificant to be attacked. In particular, it should be pointed out that they might well have been attacked but may be unaware of this. After all, this has happened to large companies such as SolarWinds, so it can happen to anyone. Illusions of insignificance should also be dismantled.
Any campaign to reach SMEs should not utilise fear as a tactic to encourage people to act on the knowledge that is being imparted. Many are already avoiding looking for advice, which could be a consequence of an existing underlying anxiety in this respect. In this case, the use of fear is likely to backfire and lead to even more avoidance (Renaud & Dupuis, 2019[1]). It is much better to focus on bolstering self-efficacy and providing much-needed support.
For full details about this study, please consult Renaud & Ophoff (2021)[2]. Finally, we have produced three videos targeted specifically at SMEs to help to raise awareness in an accessible and fun way. We hope they will be helpful to any SMEs who are reading this.
Karen Renaud is a Scottish computing scientist at the University of Strathclyde in Glasgow, working on all aspects of Human-Centred Security and Privacy. She is a senior policy analyst at the Global Foundation for Cyber Studies and Research.
Jacques Ophoff is a Senior Lecturer in the Division of Cyber Security at Abertay University in the United Kingdom. His research interests include cyber security, privacy, and education.