Through our work in the cybercrime awareness clinic we have had the opportunity to interact with many different stakeholders and vulnerable groups in the local community. One of these groups was small and medium organisations.
The European Commission has defined small and medium enterprises as businesses that employ from 1 to 249 employees (those between 1-10 employees are also called micro-businesses). Due to the pro-bono, community supporting nature of our work, we decided to include charities and other non-for profit organisations, as, due to potentially reduced funds that could be devoted to cybersecurity, they were probably even more vulnerable.
The 2019 Cybersecurity Breaches Survey found that 31% of micro and small businesses, and 60% of medium businesses had experienced breaches or attacks in the last 12 months. The mean annual costs for businesses that lost data or assets following a breach were £3650 for micro / small businesses and £9270 for medium businesses.
For charities, 19% of low-income charities and 32% of medium income charities had experienced breaches or attacks in the last 12 months, with the average cost (across all charities including larger charities) for those losing data or assets being £9470. Considering the above, the following discussion highlights the importance of working with SMOs and shares some of our core findings.
One of the main issues identified was, of course, the lack of time and resources. Many of the organisations we spoke to relied on non-expert staff for their internal cybersecurity and few had the resources to employ an external party on a regular basis.
Even when presented with the opportunity to book a free consultation with the Clinic team to discuss improving their information security/incident response policies or attend a free talk organised by relevant stakeholders, such as banks or the chamber of commerce, take up was low. The common reason provided was the lack of time on behalf of managers and staff. Especially for smaller organisations, taking part in cyberawareness training meant they would not be operable for half a day or more, if core personnel were away, something they could not afford.
Despite security compromises mainly happening due to insider malicious actions or innocent mistakes, very few organisations seemed to have a concrete policy relating to employees leaving the organisation or even working from home or bringing their own devices to work. For charities and other non-for profits the employment of volunteers might be an asset, but it can also entail serious risks to information security and privacy.
This is because such employees could be provided with organisational passwords and access to personal and even sensitive personal data. Yet their working situation can be very flexible and they can easily quit volunteering. In those cases, it is rare that the employing organisations would have established policies that ensure passwords are changed and departing volunteers do not hold any personal information on their devices.
Last, but not least, there is the issue of getting advice and guidance. Although there is willingness to get advice and interest in cybersecurity training, usually SMOs were unaware as to how and where to obtain this, and as already highlighted, time pressures affect the inclination to seek it out. Conversely, the tendency is to have a reactive rather than a proactive approach to cybercrime, essentially that it will be dealt with if it happens.
Additionally, there is a lack of consistent messages received by SMOs about how to defend against and mitigate the impact of cybercrime. There was little to no awareness of national campaigns and initiatives or of government organisations especially set up to deliver practical guidance, such as the National Cyber Security Centre.
At the same time, regarding the reporting of cybercrime, SMOs felt they might not be taken seriously, would be wasting police time, or that the police do not have the resources to deal with cybercrime. Some SMOs were more inclined to report cybercrime to their bank, particularly if they felt they could rectify the situation and be reimbursed. This means they would probably not report to Action Fraud too, as its website was widely criticised and considered inefficacious as a reporting mechanism.
To conclude, one could argue that despite there being some level of awareness of cybercrime for SMOs, there are systemic issues, both internal, but also in relation to the existing supporting framework that impact negatively on the prevention of and the reaction to information security compromises.
Although the implementation of the European Union General Data Protection Regulation acted as an incentive for organisations to consider cybersecurity more actively, more than a year post-implementation we are seeing that not much has changed in the sector.
We also need to bear in mind that the above conclusions are drawn from organisations that were actually keen to attend events and interact with the cyberawareness initiatives. The biggest risk lies with those organisations that are even less aware and confident/keen to engage with the issues of information security and privacy protections, yet are still part of the supply chain and thus the cybersecurity chain. And in cybersecurity, as the saying goes, we are only as secure as the weakest link.
Information breaches such as the one suffered by US giant Target through the lax security of a third party vendor is a typical example of how poor SMO cybersecurity can have serious implications for SMOs, which might lose customers and even go bankrupt, but also on every person and organisation interacting with them.
Dr Vasileios Karagiannopoulos, Reader in Cybercrime and Cybersecurity, Director of the Cybercrime Awareness Clinic, Institute of Criminal Justice Studies, University of Portsmouth
Dr Lisa Sugiura, Principal Lecturer in Criminology and Cybercrime, Deputy Director of the Cybercrime Awareness Clinic, Institute of Criminal Justice Studies, University of Portsmouth
Dr Annie Kirby, Research Associate of Cybercrime Awareness Clinic, Institute of Criminal Justice Studies, University of Portsmouth