What is it about?
There is a pressing challenge of how to improve cyber security in micro and small businesses. Such businesses are vulnerable to attacks, including ransomware, and yet lack the resource and expertise to protect themselves. In this paper we explore the role of local IT companies in cascading cyber security best practice. In doing so we recognise that local IT companies are typically also micro and small businesses that often lack resource and expertise. First, we analyse data from the UK Government's Cyber Security Breaches Survey (2018-2021). This annual survey provides a wealth of data on micro and small businesses. One question asked in the survey is where, if anywhere, businesses have accessed information on cyber security in the last 12 months. We identified five channels of information: public sector (e.g. police, National Cyber Security Centre, awareness campaigns), business services (e.g. accountant), IT/cyber support, media channels and networks. Our analysis shows that, by far, the main channel of information for micro and small businesses is IT/cyber support. Few businesses are accessing information directly from the public sector. IT/cyber support is, therefore, an important intermediary in the cyber eco-system.
Second, we report the findings from interviews and focus groups with experts in the field of cyber security in micro and small businesses. Our analysis shows that while IT companies can be part of the solution, they can also be part of the problem. This is because the IT market contains many providers that are not adequately equipped to advise on cyber security. Moreover, micro and small businesses need help navigating the market to distinguish, for example, the accreditations and qualities they should look out for in IT/cyber providers.
To improve the eco-system we make several recommendations: (1) improved regulation of IT providers so that they have a minimum required standard, such as Cyber Essentials in the UK; (2) improved guidance and support to micro and small businesses on how to navigate the IT market and recognise quality indicators such as accreditations; (3) increased financial support to micro and small businesses and IT companies, e.g. subsidies, grants or cost-sharing, to facilitate improved cyber security. Cost was seen as a major challenge in implementing cyber security.
Why is it important?
Micro and small businesses are a fundamental part of any well-functioning economy and are vulnerable to cyber attack. Such attacks can have a devastating impact on owners, not only materially but in terms of health and wellbeing. Cyber security is, however, not a high priority for many businesses, which are managing a range of other priorities and lack resource and expertise. It is vital, therefore, to question how cyber security best practice can be most effectively cascaded to micro and small businesses. Current cyber awareness campaigns are not cutting through. We suggest that a greater involvement of local IT companies is an integral part of the overall solution.
Read the Original
This page is a summary of: Cascading information on best practice: Cyber security risk management in UK micro and small businesses and the role of IT companies, Computers & Security, May 2023, Elsevier,
DOI: 10.1016/j.cose.2023.103288.