In the blog article “Why don’t organisations adopt cyber security measures?”, Tony Dyhouse observes:
A key finding in the report refers to the current practice of lumping together any company with between 1 and 250 employees as an ‘SME’.
When you think about it, that’s clearly not sensible due to the differing requirements throughout that size-band.
Obvious? Then why do we insist on a ‘one-size-fits-all’ approach for SMEs?
Further, although cyber security professionals insist the sky is falling in, most micro and small businesses don’t care because the complexity and the cost of doing something about it would threaten their existence anyway.
They often conclude that the treatment is worse than the illness as it takes away their agility and flexibility – their prime survival advantage.
While I agree with the sentiment, I suggest it is an over-simplification.
Proportionality is a key element too. To run a ‘good practice’ security regime in an organisation requires committing IT / security staff to routine tasks such as patching, monitoring AV systems, monitoring log files for anomalies and tracking intrusion detection systems. In addition to this, there is reacting to the events uncovered and ‘fixing things’, as well as keeping good audit records for a security management system, keeping track of the latest developments and implementing enhancements. With a company of, say, 50 employees, that sounds like pretty much a full-time job for one person (or one FTE spread between 2-3 people). Or, put another way, 2% of the workforce / 2% of the company’s salary bill.
In the current market there is a strong emphasis on securing the supply chain, particularly from large companies, normally the prime contractors, trying to “fix” the SME problem down their supply chain. A common argument I hear is “we just need to get SMEs to understand the threat and they will implement controls”. Maybe – but the report findings suggest to me that there need to be better incentives, because the business case is significantly harder to make in an SME. How many 100,000-employee organisations dedicate 2% of their staff (2,000 people) to protecting the internal network?
Yes, I know about economies of scale etc., so my simple maths does not quite work. But I believe the point is still valid: if we want organisations to adopt cyber security measures, we need to find ways to scale the solutions and costs downwards to match SME affordability.
Alternatively, demonstrate the business benefits – by showing how good cyber practice reduces supply chain risk, and hence the risk premium to the end customer, so you win more business. This final point is not an easy argument to make: it needs commitment from the entire supply chain to make the case stick, and it needs the customer to recognise and value good cyber practice. It seems to me that some seeds are in place, but there is a long way to go.