Changing SMEs’ cyber security behaviours

The Cyber Security Breaches Survey 2018 [1] found that 42% of small businesses considered cyber security a very high priority.

Nevertheless, research by Cyber Aware in the same year [2] identified a wide range of SMEs’ misperceptions abut cyber crime, including that SMEs:

Vastly underestimate the risk of cyber crime;

Feel powerless to protect themselves against cyber crime; and

Amidst a plethora of often contradictory advice, believe that because the most important security behaviours are forced upon them, those which aren’t enforced are merely ‘nice to have’.

There is lots and lots of academic research, quantitative and qualitative surveys and studies that aims to find out how to change SMEs’ behaviours and encourage better cyber security behaviours [3 – 7]. They looks at:

Barriers: lack of financial resource, lack of awareness and capabilities, complexity and poor quality of advice; and

Enablers: empowering businesses, offering pragmatic advice that is meaningful to business operations, and providing consistent and simple action plans.

On that basis, we’ve seen Cyber Aware reiterate targeted messaging to encourage SMEs to improve online security by downloading and installing the latest software and app updates and using strong passwords.

We’ve also seen the National Cyber Security Centre (NCSC) follow up its Small Business Guide with an easy-to-read action list [8] of 26 “to dos” that SMEs can integrate it into their normal workflow (only four of these relate to software and application updates and password policies).

While it is positive to see that current advice embraces the theories of how to change small businesses’ cyber security behaviours, yet more work is needed to find out if it actually works in the real world. Do SMEs take on board the advice, does it effectively change behaviours, do changes in behaviour successfully reduce SMEs’ cyber risk?

It is encouraging to see a greater trend towards evidence-based cyber security policy and advice that measures and evaluates outcomes to determine the success (or failure) of interventions and initiatives. And it is encouraging to see the clear desire by those who write policy and advice to understand the operating environment and realities of businesses to tailor what they produce rather than work on the basis of (false) assumptions about what will be useful.

That said, a piece of work that small businesses should follow closely is that of the Behavioural Insights Team (BIT) (https://www.bi.team/) who will undertake a trial involving thousands of UK businesses early this year to explore how SMEs can be encouraged to keep website software up to date and secure [9].

It is one of a range of projects the BIT undertakes in the UK and internationally to apply behavioural science in testing interventions to inform policy and decision-making.

And the outcomes of the BIT’s work should help ensure that future interventions are rigorous and materially improve SMEs’ cyber security posture.

Sources:

1. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-_Main_Report.pdf 
2. https://www.cyberaware.gov.uk/sites/cyberstreetwise/files/thecyberawareperceptionsgapreport.pdf
3. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/290998/scho0209bpjq-e-e.pdf
4. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/344803/report232.pdf
5. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/350683/Report_335.pdf
6. https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493223445.pdf
7. http://discovery.ucl.ac.uk/1468954/1/Awareness%20CampaignsDraftWorkingPaper.pdf
8. https://www.ncsc.gov.uk/blog-post/you-askedwe-delivered-small-business-guide-now-has-actions-list
9. https://www.bi.team/wp-content/uploads/2019/01/Annual-update-report-BIT-2017-2018.pdf