38% of small business spend 0 on security; only 5% think they're attacked
38% of small business spend 0 on security; only 5% think they're attacked

It's not controversial among cyber-security professionals to say that we either know we've been hacked, or we've been hacked and we just don't know it, and most CISOs accept their large organisation with all its protection has been hacked – but 91 percent of small businesses report that they have not been attacked, and only five percent admit they have.  This compares to 46 percent of UK businesses overall that reported having a data breach in 2016, according to the government's Cyber Security Breaches Survey 2017

That's not the only surprising result from a recent survey of 1,009 small business decision makers by Duo Security and YouGov – but the surprise becomes less when you realise that 38 percent spent nothing whatsoever to protect themselves from cyber-security threats this financial year – with 45 percent simply believing they are not a target and have nothing to protect.

For 36 percent of respondents, they say they simply couldn't afford to spend enough to effectively protect themselves from cyber-security threats – a group described in the report as being below the security poverty line. It is thought the results are indicative of the situation as it relates to the 5.5 million small businesses in the UK, with Cyber Essentials and Cyber Risk Aware making little impact on this group.

Other findings include:

·  Only 26 percent of small businesses consider the government's measures effective in making them more cyber-resilient

·  45 percent of small businesses surveyed do not consider themselves to be targets for hackers

·  47 percent of respondents think that security is too expensive, but lack of knowledge on combating cyber-threats is seen as a bigger issue than either money or employee awareness.

Wendy Nather, principal security strategist at Duo Security, commented on the findings saying: “When an organisation is IT-poor, it is subjected to a number of complex dynamics that keep it from implementing effective security. Simply lowering the price point on security products is not enough; they need expertise, resources, and influence on the vendors that supply their systems and software. Moreover, small businesses may not be able to tell whether they've been breached if they don't have proper security monitoring in place; this prevents them, and us, from grasping the full scope of the problem.”

Professor Richard Benham, chairman of The National Cyber Management Centre and founder of TheCyberClub added, “The feedback from this survey underlines that more needs to be done to better communicate government initiatives like Cyber Risk Aware and Cyber Essentials to their target audience. The fact that knowledge to combat cyber-threats is considered the biggest requirement to help small businesses rise above the security poverty line shows just how valuable this programme could be in helping educate them in how to tackle cyber attacks, without breaking the bank.”

At a roundtable for the launch of the findings, attended by SC Media UK, it became apparent that these organisations work below the level of cyber-essentials, and simple awareness is the first step.  Then, while regulation such as GDPR will have an impact, it is often resented as a stick making them spend more money on things they think they don't need.  Incentives, such as lower insurance premiums were attractive to some, but here too, there was a danger that unsophisticated buyers might think they were protected because they had bought insurance, whereas it was unlikely to cover consequential loss or reputational loss.  Not covered, but reported elsewhere in SC, more than half of SMEs that are hit by a cyber-attack do not recover.

One outsourcer at the event, himself representing a small business, concluded that enhanced cyber-security as a service could be an attractive offer – but only those who perceived themselves at risk would likely take it up.  So, law offices with small staff but high value data would be interested. Cost coupled with lack of understanding of what level of spending would provide what level of protection was the main deterrent to expenditure on cyber-security for most small businesses – a situation familiar to board members on even the biggest bank – but more acute where margins are so much tighter. 

And if all this sounds of no interest to the enterprise, how many operate without small businesses in their supply chain – and if you cannot simply impose a service level agreement because is not economically viable for your suppliers, where do you go then?   Despite some high level discussion on the topic, the only thing the roundtable agreed upon was that security poverty is a problem for us all, not just the small businesses themselves, and it needs to be taken seriously at a governmental level to raise up awareness levels and consider potential remedies, including possible minimum levels of efficacy of cyber-security solutions.