We’re all increasingly aware that criminals are exploiting the virtual environment in a variety of ways, sometimes tricking individuals to reveal sensitive information or holding their data literally to ransom. So, we’re all encouraged to go online with caution, to update software regularly, install virus scanners and firewalls, and to be suspicious of unsolicited items attached to eMails. Yet still people get caught out. Sometimes, they fall for some tempting offer, other times, they’re just not aware of the risk. For the private individual, and maybe anyone in their eMail contact list, this can be distressing as well as disruptive. Take it into a business context, though, and the consequences can be a lot worse. On the one hand, businesses need to set up a secure environment for themselves and their employees. And, they need to encourage employees to be on their guard and take some responsibility for keeping cyber threats at bay. The question, though, is whether making employees aware of risks is enough.
To start to find answers to this type of question for Small to Medium Enterprises (SMEs), we recently ran a short anonymous survey. The full survey is summarised here. There were 164 responses to questions like: To what degree do you fear for a cybersecurity attack towards your company? Or How would you characterize your company when it comes to cybersecurity awareness? And Do you discuss cybersecurity issues on your company meetings or presentations or, in general, internally in your company? The results told us a lot about cybersecurity awareness and preparedness.
Almost all respondents (97%) said they interact with other agents or companies; and so, cybersecurity is important in their day-to-day dealings. At the same time, just under half (44%) of respondents worked in micro-enterprises – that is employing less than 10 people. They may simply not have the resource to manage cybersecurity, therefore. In fact, across all respondents, not a single one identifies themselves as being officially a cybersecurity expert or professional. This reflects what’s been claimed for some time: SMEs may just not have the resource for cybersecurity when there are other commercial imperatives for the business.
Turning to the measures already deployed, 65% report using typical measures, such as firewalls, anti-virus software, and maintaining patch levels, while only 12% report any kind of encryption. This is a concern since over half of these SMEs said they rely on external communications. Further, only 7% had implementation user-centred methods like two-factor authentication; and only 6% report the use of staff training although 23% report different types of training resources available. Yet at the same time 68% respondents report that a cyber-attack would have significant impact on the SME causing more than an hour’s disruption.
This paints a disturbing picture when it comes to SME cyber safety. So, this is where CyberKIT4SME comes in. The project aims to provide tooling that goes beyond monitoring cyber security status, like virus scanners, and beyond explicit warnings like “Caution: this eMail originates outside the company” which people tend to become immune to. Instead, we’re creating visually intuitive aids to make clear where the greatest problems lie and what to do about them.