UK SMEs and charities are becoming more digital and this is translating into organisational success. It’s a headline message from this year’s Lloyds Bank Business Digital Index (BDI). But that doesn’t mean it’s all plain sailing. Hand-in-hand with SMEs’ adoption of digital skills and technologies, we’re seeing a sharp rise in concerns over cyber security. That’s significant.
Up to now, key inhibitors for organisations going online have been largely attitudinal. Quite simply, many SMEs didn’t think digitalisation was relevant for their businesses. This year, that’s changed. SMEs are obviously embracing digital but, for 14 percent of them, fears over online security are holding back their digital potential (up from 8 percent a year earlier).
Drilling down, a lack of digital security skills is causing real problems. The BDI shows that over 2.6 million small businesses (69 percent of the survey sample) recognise they need to develop these skills. The deficit’s even more pronounced amongst charities: over 70 percent of them need better online security skills. And it’s worse still amongst sole traders. Seventy-eight percent of them are investing no money at all in digital skills of any kind.
All this is interesting for a number of reasons. First, it shows that cyber risk is not just an issue for big business. That’s backed by the UK government’s Information Security Breaches Survey, which shows that up to 75 percent of small businesses are potential targets for hackers, with the most serious breaches costing them over £300,000.
Mega-breaches at companies like Sony, Yahoo and TalkTalk may dominate the news, but these statistics underline the exposure of smaller companies. And whether attacks target SMEs’ core assets like IP, market-sensitive data and databases, or are indiscriminate phishing campaigns, they can obviously do a lot of damage.
SMEs are unlikely to have the resources to recruit dedicated cyber security specialists. This makes them especially vulnerable. So what should they be doing to bridge the cyber skills gap and shore up their defences? Perhaps the most critical message: it’s not enough to focus solely on the prevention of breaches. The threat landscape is evolving so fast, and with such sophistication, that detection, interception and remediation capabilities are also essential.
Persistently vigilant businesses are resilient businesses. 360-degree awareness and a holistic enterprise-wide approach are both essential. That’s one of our key security messages. Another is the importance of embedding security strategies into the fabric of the business. Security investments, of whatever size, won’t succeed if they’re siloed IT activities. The business has to get behind them, understand them and actively implement them.
Of course, large companies can afford to invest very substantial amounts in developing and sustaining these capabilities. SMEs cannot. But that doesn’t mean they should ignore the development of security skills and awareness at every level of the organisation. Two-factor authentication for business services and devices is relatively straightforward to introduce. Secure email protocols for all staff can be implemented quickly. And regular assessments can uncover potentially dangerous weak spots.
None of these actions need be expensive to undertake. And combined with the upskilling of all employees in digital security, they should help SMEs to expand their digital capabilities with ever greater confidence. That will be good for their business performance and good for UK plc.
Thanks for reading.