Really understanding technology adopters’ cybersecurity needs
6th November, 2023
Author CyberKit4SME
With the CyberKit4SME project coming to an end, there are a whole number of things that we need to consider. As we’ve improved and integrated different technologies, working with our end-user partners to validate each step of the way, another picture has started to emerge. We’ve been reporting our findings as we’ve gone along in journals and at conferences. It’s worth pulling together the main themes, though. What follows are some typical observations that we have come across in the literature and marketing. In each case, we comment on what we’ve found in CyberKit4SME.
SMEs don’t know and don’t care about cybersecurity
After all, they’ve got their core business to focus on! But life for the SME is not so simple. For a start, most SMEs are part of a co-competitive supply chain with others. They have to demonstrate that interactions with them – either clients or collaborators – are secure. We found this too: our survey of over 100 SMEs demonstrated awareness and concern. We also found that sometimes, when an SME had outsourced its IT infrastructure, it could be frustrated that they were not fully informed of any breach or attack. They wanted to know, so they could understand and prepare themselves inhouse too.
Cybersecurity is simple with the right tools
This, of course, was one of our main objectives in CyberKit4SME: we wanted to develop the right tools, standalone or integrated with one another, that would support SMEs in securing their infrastructure and their processes. The latter point is really important: it’s been known for a long time that human agents, especially employees, are often the target of cyberattacks. So, in CyberKit4SME, we listened to our SME partners across different domains as well as reached out to SMEs not directly involved in the project and made sure that our tools could address their priorities. That is both to demonstrate compliance with cybersecurity standards like the ISO 27000 series, as well as related regulations, such as the GDPR. What we did, though, was “layer” the tools: like many other cybersecurity tools and toolsets, we provide monitoring capabilities that secure and supervise operations almost invisibly. The occasional warning and regular reports let our SMEs know that they were there and doing their job. On top of that, though, we also included tools that help SMEs design, build, and understand their infrastructure; and tools that help them understand their processes. Giving these snapshots in addition to the more traditional tools, means that over time, SMEs learn about cybersecurity as their own systems and processes require.
Non-experts can’t really cope with sophisticated tools
At the same time as trying to tailor our tools to typical SMEs and their needs, we know that part of the problem with cybersecurity tools and awareness is that sometimes the elegance and comprehensiveness of those tools can be overwhelming. And it’s been known for several decades now that when people feel like this, they are just as likely to stick their heads in the sand as they are to try and do something about it. The CyberKit4SME consortium included partners experts in how individuals react and interact with technology and not just experts in developing technology. So as well as engaging with SMEs to understand their needs – common requirements gathering, of course – we listened to how they interacted with the CyberKit4SME technologies. What we found was that Yes, to begin with, it all seemed a bit daunting, but with a little encouragement and familiarity, our SME partners began to develop their own specific scenarios (called narratives) around the technologies and what they meant for them. What we discovered was that these narratives – and we’ve witnessed this before – did not just consider using the technology to address the requirements they’d listed, but how the technologies made real sense to them in the broader context of their own jobs within the SME. And so what we found was that the traditional call for ease of use and perceived usefulness with technology, potential adopters need to make sense of how technology relates to their own world.
Compliance increases client trust
As we mentioned above, cybersecurity technologies are often focused on demonstrating the secure handling of business transactions but also compliance with appropriate personal data protection regulations. When the GDPR came into force across Europe, panic set in: for SMEs, it’s not just about diverting resources from their core business, but also becoming data protection savvy! Of course, regulations like standards need to be carefully considered and compliance or certification is important. However, in one of our related surveys with private individuals, we discovered that citizens effectively assume businesses and service providers are safe and secure and handle their data appropriately. What this means, though, is that they don’t spend a lot of time checking out privacy notices or accreditation, private individuals – clients – develop and maintain trust by other means: like they’ve always done. This includes word-of-mouth and reputation. We’ve been able to show our SME partners, therefore, that while the CyberKit4SME toolkit will take care of security for them and will support them in understanding the dynamic cybersecurity landscape, we have also shown them that they can then focus their efforts on what they do best: working with their clients providing solutions that work for them.
So what did CyberKit4SME achieve?
CyberKit4SME was, like all European projects, ambitious in its central aims. We have developed technologies that meet the security needs of our SME partners and which they have started to understand and personalize for their own needs. That in itself is a major achievement and one which could only be realized with the close collaboration of all partners: SMEs themselves, of course, and technologists. But as we’ve touched on above, we’ve broadened our scope and been able to contextualize these essential technologies with the business domains of SMEs and how they interact with clients and collaborators. We think our project then is a flagship for important technology meeting urgent needs but with clear and demonstratable evidence that through collaboration those technologies can contribute to the broader commercial and service provider ecosystem.