Easy targets: SMEs and the growing cyber security threat

As big business improves its cyber security, the threat to small and medium sized enterprises (SMEs) is intensifying. Deakin Business School’s Graeme Pye explains why the threat is real and what can be done to help vulnerable SMEs.

Over the last decade, businesses of all sizes have grappled with invisible enemies who don’t leave any fingerprints (at least not the traditional kind). Instead of budgets and bottom-lines, business planning has increasingly involved preparing for, or responding to, cyber security threats.

So what, and who, is this invisible enemy? Everything from amateur cybercriminals to activist hackers and state regimes unleashing “malware” attacks (malicious software for the uninitiated), according to cyber security researcher Dr Graeme Pye.

Dr Pye, of the Department of Information Systems and Business Analytics, says the cyber security threat posed to businesses will continue to grow, as the systems and devices used increasingly bridge the physical and digital worlds, and SMEs will increasingly be in the firing line as big businesses get better at protecting themselves. 

Working with Cynch Security and with funding support from AustCyber, Dr Pye has been analysing the results of a survey into how SMEs are managing cyber security. The findings have been summarised in a White Paper — Big Cyber Security Questions for Small Business — and will assist government agencies and cyber experts to determine the best ways to help SMEs protect themselves.

“Primarily, what we found from that survey was that SMEs all want to be cyber secure but they don't really know how to be cyber secure,” he says.

“Unlike the top end of town, they don’t necessarily have the money to hire specific experts, so they’ve got to rely on their own ability to decipher the cybersecurity information out there.

“And unfortunately, a lot of that information — well-meaning as it is — is not pitched at small to medium sized businesses (10 employees or less). Much of it is not particularly applicable, or user-friendly, for the average SME owner trying to navigate this tricky terrain.”

One of the objectives of Dr Pye’s project is to get a better understanding of what kind of information, tools and support will be helpful to SMEs as they seek to protect themselves in the cyber sphere.

“The project is still going, but so far what the research has indicated is that SMEs need, first and foremost, to go back to the basics. They need to articulate clearly what their business is about and understand and identify what is important for their business and their business partners,” Dr Pye says.

The challenges and risks facing each business vary according to context, so business managers need to “understand their specific cyber context”. Dr Pye recommends they think clearly about what they don’t want to lose or have stolen (for example, customer details stored in a client management system).

“Once they’ve done this kind of thinking, it is then easier to identify what steps need to be taken, what needs to be put in place, if anything. It might be as basic as a firewall, or something more broad-ranging.”

One of the findings of the research was the significance of the human element in cyber security breaches. However much an organisation implements cybersafe measures, it all counts for little if staff are forgotten.

“Business leaders must engage with staff at all levels, they have to develop a culture of business security right throughout the organisation,” Dr Pye said.

A critical component of this culture is a “non-blame environment” and an atmosphere in which staff feel valued, engaged and comfortable in putting their hand up if they notice anything out of the ordinary.

“You need to develop in all staff not just knowledge, but a proactive attitude that means thinking, acting and behaving in a cyber security-conscious way, is second nature.”

Access the white paper Big Cyber Security Questions for Small Business