The long tail of cyber security

Part of the mandate for RISCS in its second phase is to broaden its focus from large enterprises to include SMEs, both as research subjects and as community participants. RISCS has some prior experience to draw on, as two of the first-phase projects sought to form partnerships with SMEs. This posting discusses the difficulties these collaborations exposed with a view to finding a way forward.

[Photo: UCL researcher Simon Parkin]

Productive Security, led by RISCS director, UCL professor Angela Sasse, studied how to make security policies work with, instead of against, users. As part of the project, researcher Simon Parkin led an effort to understand the security problems of both commercial and charitable SMEs. Choice Architectures looked into using “nudges” to encourage better decision-making; Lynne Coventry, the director of the Psychology and Communication Technology (PaCT) lab at Northumbria University, led an effort to work with SMEs. Both researchers found mismatches between the needs of SMEs and the needs of academic researchers.

Small-to-medium-sized enterprises (SMEs) pose several particular challenges for cyber security: their large numbers add up to a significant part of the internet infrastructure; they tend to lack the specialist resources that enable large enterprises to protect themselves; and there is little consistent research to draw on. The numbers are compelling: the government’s 2017 Cyber Security Breaches Survey found that overall 46% of Britain’s businesses identified a breach or attack in 2016, the likelihood grew with business size, and medium-sized firms (66%) were nearly as frequent targets as large ones (68%). However, when translated into raw numbers those percentages are more alarming: according to the Department of Business and Skills there are nearly five times as many UK companies with 50 to 249 employees as there are companies with more than 250 employees.

There are pragmatic reasons for focusing on SMEs to improve security across the board. As of early 2016, government figures show that small businesses make up 99.3% of Britain’s 5.5 million private sector businesses, and SMEs make up 99.9%. SMEs account for 60% of the country’s private sector employment and for 47% of the private sector’s turnover. In aggregate, therefore, this “long tail” of businesses is economically highly significant. They are also highly significant in ensuring cyber security: today’s networked supply chains mean that a single small supplier can provide the ingress for attackers seeking to penetrate much larger enterprises. An example of this was the 2015 breach of the US retailer Target, which cost the company $39 million in victim compensation, caused an approximately 40% drop in its profits that quarter, and forced the CEO to resign; the attackers first broke in via a much smaller refrigeration, heating, and air-conditioning subcontractor.

One difficulty in studying SMEs is the size of the category: millions of “SMEs” is as varied a demographic as “people over 55”. As defined in the UK, “SMEs” includes everything from sole traders to mid-sized organisations with 250 employees. It covers organisations with degrees of maturity ranging from early-stage start-ups struggling to afford an Ikea door to use as a desk to established companies with £1 million-plus annual turnover, and from family-owned local businesses to a 200-person growing enterprise. And it includes charities, which display some distinctive features.

Both charities and their similarly-sized commercial fellows have full-time and part-time staff, but, as outside researcher Emma Osborn (Oxford) has also found in studying the barriers SMEs face in implementing cyber security, small-to-medium-sized charities also have volunteers, and are much more closely regulated. Unlike their commercial counterparts, charities may have access to discounted business productivity software and IT support; smaller commercial businesses, as Osborn also notes, may instead rely on software and services similar to those intended for home users. Anecdotal evidence suggests that around the 200-employee mark these companies start to look like larger corporations, but they still aren’t just small versions of large organisations.

The upshot, as Parkin and fellow researcher Andrew Fielder found in collaborating with an experienced outsourced IT services provider, is that the SMEs’ IT systems are equally diverse. Their project therefore sought to draw out a series of archetypes that could be used to make the scale and complexity of SMEs tractable. In some cases, someone might be running their business network connection through a phone plan, removing a whole layer of threats. Alternatively, they may rely on old IT they can’t update, which also affects security. A multi-site chain of restaurants will look quite different. The key actors inside these organisations may or may not include a dedicated IT person. In the smaller organisations, often the CEO takes broad responsibilities, including for IT; in other cases security is not kept separate but rolled into other compliance areas, such as data protection.

[Figure: collated SME “archetypes” from Parkin’s research]

This level of variation across SMEs adds to the challenge for researchers by making it difficult to generalise from any particular engagement – or set of engagements – to draw out patterns and lessons that carry across this diverse landscape.

Still, there are many reasons why researchers want to work with SMEs. It’s an under-researched area. As the numbers show, SMEs are often targets for criminals. They’re a good testbed for driving innovation. Working with them helps create an evidence base that can lead to the adoption of best practices rather than succumbing to the latest marketing fad. Finally, the results of such collaborations can have a real impact.

The bigger question is why SMEs would want to work with researchers and how to make that research an experience that benefits both sides. SMEs have little time and resources to devote to research that doesn’t directly benefit their bottom line. Where consultants say they can offer definite solutions to SMEs’ problems, researchers say openly that they don’t know the answers; SMEs hoping that researchers will provide quick solutions based on the data they collect are likely to be frustrated. The diversity of participating businesses also means that although researchers can analyse the data they collect and draw conclusions, these conclusions may not be applicable for a different set of SMEs. RISCS hopes to compensate for this difficulty by including IT providers for SMEs on its practitioners panel.

The mismatch between business and academic cycles is a particular problem because it takes time to develop trusted relationships. A new PhD student can’t just be slotted into the place of the last one. Plus, time itself moves differently in businesses versus academia. Researchers may need flexibility in scheduling interviews with SME staff, if those staff are willing to participate but can’t afford to take time away from their everyday tasks to do so. For this reason, RISCS researchers have found that engaging SME staff in a meaningful way and understanding the drivers behind their security-related decisions requires keeping interviews short and exploring security from the participants’ perspective.

In the longer term, the hope is that research within SMEs, perhaps via the consultants and specialists who provide IT services to them, will lead to solutions that improve their ability to defend themselves. In the meantime, research is still working on the first step of identifying and understanding the challenges SMEs face in managing security. To date, every study has examined a different set or community of small organisations, or has involved only a small number of participants or organisations. The small sample sizes and the already-discussed diversity of SMEs make it difficult to translate findings across studies toward a unified understanding that subsequent research can build on or extend. The diversity of RISCS researchers and the community’s experience to date put us in a good position to pursue further work in this area.

RISCS is eager to engage with SMEs, their representatives, and those who support them. SME IT providers may like to participate in our Practitioners Panel. If you are interested in getting involved as an SME, please email us at

About Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries