Do SMBs not care about security? Or just don't realize that they should?
Summary: When it comes to security issues, many in the UK SMB community don't understand that they need it, and don't know that they don't understand it. The UK Government is trying to do something about it.
Rather controversially, this is almost a position I have some sympathy with, but with some crucial qualifications. For example, understanding the coding language details of the technology (the 'how' it works) may not be that important to most users, but why it is useful, and the how, when and where of its real-life application in the world, can be vital knowledge.
The second qualification is perhaps even more important, for displaying what appears to be a degree of arrogant pride in professing a real lack of knowledge, almost as a virtue, is a tempting position to adopt, and one to which I can, sometimes, plead guilty. Yet it can be the most dangerous step of all. If it is deemed appropriate for a Secretary of State to profess such a view, why should humble, hard-working owners of small businesses feel any different?
And when the subject is IT security, such a lack of knowledge is not only an easily definable 'bad thing', but it also raises an important question as to who, or what, is responsible for that lack of knowledge. It would be easy to point the finger at the small business people themselves, but for many of them issues such as 'IT security' really do fall into the 'not knowing what they don't know' arena. Just why should it be assumed that a machine tools or bespoke furniture maker understands, and can defend themselves against, the attack vectors of viruses or ransomware?
Secure in their (unknown) poverty
The underlying problems that can follow from this were highlighted recently in a survey undertaken by YouGov, at the behest of security tools vendor Duo Security. Its aim was to examine the existence, level, and impact of the 'Security Poverty Line' within the SMB community. The poverty line concept refers to the point below which a company cannot effectively protect itself from cybersecurity threats, and was a term coined by Duo's Principal Security Strategist, Wendy Nather, when she was an analyst with The 451 Group.
The underlying observation to come out of the survey is that knowledge about IT security issues amongst the SMB community is pretty scant. What is worse, many SMBs see IT security as having little relevance to them because they are, in effect, below the radar of the typical hacker or cybercriminal. Yet even the small data file of customer details they hold could be gold dust to an attacker, whether they realise it or not.
To be blunt, most of them are sitting targets, and they not only don’t know they are sitting targets but do not seem to care that much either.
For example, the survey often gave respondents a five-level choice of answer, ranging from 'OK' to 'Seriously Not OK', across a range of questions such as how much of a challenge, if at all, the following issues are in protecting your business from cyber threats: lack of budget, lack of awareness, and lack of knowledge.
While SMBs responding with 'no challenge' came out at 24%, 23% and 18% respectively, the more worrying result was that the cumulative responses in the 'bit of a challenge' to 'serious challenge' categories amounted to 48%, 49% and 55% respectively. Yes, lack of budget is always going to be an issue for all SMBs, but lack of awareness and knowledge is a bad, but solvable, issue.
One source of solution, in theory at least, comes from the Government, in the form of schemes such as Cyber Essentials and CyberAware. Sadly, 'in theory' is largely how it stays. The survey's questioning and presentation model highlights that, while 4% of respondents strongly agree that these services help their businesses gain useful knowledge about IT security, 44% know nothing about them, and a further 31% may know something about them but obviously don't rate them as a source of help.
It also shows that 47% think getting cyber secure is too expensive, and it would be easy to dismiss that with, 'Well, they would say that, wouldn't they?'. Well yes, and it is particularly true if they have no knowledge of the subject, especially the relative impacts of having and not having secure IT capabilities.
But when slightly more of the respondents, 44% against 42%, see the lack of awareness and education in the subject amongst themselves and their employees as being 'no challenge' to their business, an interesting position becomes clear: when it comes to cyber security, the need for it, and its importance to the survival of their businesses, a very large minority of the UK SMB community do not know anything about the subject, do not know that they do not know, and don't care anyway (either because they can't afford to care, or don't think any of it applies to them at all).
Education – the 'yeah, but...' answer
It is easy and obvious to say that SMBs, indeed everybody, should know much more about these subjects, and in particular the reason why it is important in personal, as well as financial, value terms (the notional cost of a picture of Granny is close to zero, but the emotional cost of its loss might just be huge).
Education is obviously important here, but as the responses to the Government's own schemes show, simply having something available is just not good enough. But then again, as usual, the Government has demonstrated it couldn't market its way out of a paper bag. For example, hands up those who know nothing about Cyber Essentials and CyberAware?
(Small admission time - my own hand is up, despite running a [yes, very small] small business and working in and around the IT business since the mid ‘70s.)
But I believe the security tools vendors are as much to blame for this. They may shout and scream loudly about the need for users to have security tools, and in particular theirs, but none of them make their offerings particularly easy to use, and all of them are keen to make product differentiation from all the others their most important selling point. But differentiation can be, and in security is, I believe, the death of usability.
People may buy security tools, but how many use them at all, let alone properly or effectively? They all work differently, are set up and optimized differently, often using explanatory taxonomies that are close to foreign languages to many users. Setting up and optimizing some of these tools is like a car driver going to a new garage selling a different brand of petrol/gasoline and being handed a list of instructions on remapping the engine management system or re-setting the ignition timing to get the best out of the engine.
Small business users, even if they understand such things, rarely have the time to do such work. Nor do they see an obvious justification for the investment needed to hire staff with those skills, or to contract for such services.
And the evidence from this survey suggests that the SMB community still cannot see that justification anywhere, and neither the Government nor the industry seems yet able to provide it. Yet with an estimated 5.5 million SMBs in the UK, this all means a market of over 2 million that need help, yet don't know it or understand the issues.
My take
This, to me, is just one more example of a branch of the IT industry being guilty of selling the wonders of technology for its own sake rather than addressing the real issue: the solutions that their target markets really need. In this case, while it may be good to be able to trap the very latest virus or malware, being able to set up an environment that traps most of them, easily, quickly, effectively, and without the need for a PhD, is actually a far better option.