
A Call to Action: It’s Time to Stop Admiring the Problem, Let’s Fix It

Attackers don’t prey on big organisations, they prey on vulnerable ones, regardless of size, focus or perceived importance.


The government’s Cyber Security Breaches Survey was released in April and it unearthed a worrying trend: while most large organisations are actively enhancing their cyber defences, awareness among micro-sized organisations is declining.

Every year, the government releases a snapshot into cybersecurity threats targeting UK organisations and the practices they are adopting to protect themselves in response. In parallel with most major reports, the Government’s survey highlighted that threat activity is increasing.

In response, most large organisations are giving cyber defences a higher priority, with increased awareness among staff and c-levels, improved technical controls and heightened efforts to meet regulatory compliance frameworks.

However, when looking at the findings in relation to smaller firms, and in particular micro-sized organisations, an entirely different picture emerges. Awareness is declining, the detection of attacks is reducing, supply chain risk management adoption is rare, while the uptake of basic cybersecurity awareness frameworks is alarmingly low.

Smallest Organisations

These findings undoubtedly need to be investigated. First, why are our smallest organisations not recognising the threat? Second, what can we collectively do to better protect this important demographic against cyber threats?

Could this indicate that the important messages aren’t getting through? Worse, are they getting lost in a cascade of fear-inducing headlines that are desensitising their impact?

This could be lulling these organisations into a false sense of security, a belief that their operations are too small to be viable targets for malicious actors. However, threat actors don’t prey on big organisations, they prey on vulnerable ones, regardless of size, focus or perceived importance.

Micro they may be, but these organisations contribute significantly to the UK’s economy, making up 89.1% of businesses overall. Furthermore, these businesses are the backbone of regional economies, spawning innovation and forming the foundation of countless livelihoods across the country. Additionally, one weak link in the chain weakens us all. In our interconnected economy, a breach of a small supplier can compromise the data, operations and trust of much larger critical organisations.

Yet, from a defence standpoint, they often fall through the cracks. These organisations need support: they don’t have the internal skills to fully understand the threat and, in turn, improve their defences. This is something that won’t change.

In micro businesses, where headcounts range from one to ten employees, staff are stretched and focused on revenue-driving activities, so cyber security often falls outside their bandwidth. Awareness training is not readily adopted, while investment in defences remains static, even in the face of an increase in attacks.

What can be done to tackle these challenges, taking into account that large security budgets rarely exist and that it’s unlikely these organisations will ever possess the in-house skills to sufficiently protect their environments?

Moving Beyond the Paperwork

We’ve talked long enough about the risks. Countless warnings, regulations, frameworks and assessments have been produced, but awareness is still low. So, what can we do to make a lasting impact on the defences of these micro-sized organisations?

Perhaps we need to take a step back. Instead of issuing guidance based on the assumption that organisations have in-house IT security skills, perhaps it’s time to look for other ways.

The UK government recently announced the upcoming launch of Active Cyber Defence (ACD) 2.0, which will make available the important services delivered by the programme to select organisations in the private sector, but can this go further to provide a protective umbrella to UK businesses more widely?

Alongside ACD, there is a need to look at the managed service providers (MSP) who so many small and micro businesses rely on. The Cyber Security and Resilience Bill - due in Parliament soon - is a first step in that direction in bringing MSPs (and cloud providers) within scope of regulation, but it will take time to designate MSPs in scope, to develop detailed regulations, and to implement and ultimately enforce.

In the meantime, industry can, and should, do more to offer secure-by-default environments with pre-configured security baselines for smaller firms, perhaps even embedding aspects of active cyber defence too: environments which we can be confident are configured securely, regularly patched and updated, embed malware detection and employ services such as protective DNS.

This would ensure that the technology our micro businesses depend on is configured according to best practices, while helping them not only detect potential threats but also ensuring their networks are robust and set up to prevent unauthorised access.

If the government’s survey tells us anything, it’s that we risk leaving a vital segment of our economy behind on the journey to being cyber secure.

By tackling the problem at the root, we may find a solution. Cyber is a community sport that requires public and private collaboration. A focus on secure-by-default technology could support these micro businesses and free them from navigating the daunting and time-intensive world of cyber, while granting them some peace of mind that the foundations on which their business, and many livelihoods, depend are secure.



David Ferbrache, Managing Director, Beyond Blue
