The Information Commissioners Office (ICO) – Friend or Foe? By Detective Inspector Martin Wilson, NEBRC Head of Student Services


Security professionals, myself included, often refer to the ICO fines when making the argument for why SMEs need to implement cyber security. These arguments are well intended: we’re only too aware how vulnerable small businesses can be to cyber-attack, and our hope is that this will act as a trigger for security adoption. However, more often than not, such arguments do not trigger action but instead infer that the ICO is a draconian organisation ‘out to get’ businesses, when indeed the opposite is true.

Small business owners are very busy people, often operating in difficult economic circumstances and understandably focused on their core business operations. But this can mean that issues including cyber security are left behind. Indeed, my PhD research into SME security suggests that SMEs tend to operate in two knowledge vacuums: a lack of understanding of the threat, and a lack of understanding of what cyber security actually is. Many micro businesses feel that their business is too small to be attacked or has nothing worth stealing, or hold the mistaken belief that the bad guys only go after big businesses, as these are resource-rich and offer the kudos of a successful hack. This is why using the threat of ICO fines as a nudge to act fails: small business owners believe ‘I don’t need to do this stuff as I’m not a target, and therefore I won’t be caught up in fines’.

It is obvious therefore that more needs to be done to better explain to small businesses that cyber crime is not always targeted but is often akin to opportunistic crime – i.e., the burglar walking down the street in the middle of the night looking for an open door. It is the vulnerability that is targeted, not the actual business, and the presence or absence of such vulnerabilities is usually the determining factor in whether an attack succeeds – the ‘low hanging fruit’. When such opportunities to exploit people’s personal data present themselves, the ICO can come in and take a view on what has happened, conduct an accurate risk appraisal and, where appropriate, issue fines.

But this is not all the ICO does! Look at their website: it is packed full of useful information, hints, tips, guides, advice and explanations of why certain data is valuable, what data small businesses are likely to hold, and the actions needed to secure it.

https://ico.org.uk/for-organisations/sme-web-hub/whats-new/blogs/15-things-all-small-businesses-need-to-know-about-data-protection/

I often muse that the narrative around cyber security needs to be re-framed: instead of scare-mongering small business owners with threats of fines as a result of poor practice, the argument should be that cyber security measures can help to grow your business, encourage investment, and help you to win more leads. Adequate cyber security should breed confidence in your customer base, knowing that you are doing the right things with their data. That re-framing must also correct the perception that the ICO is a foe, when actually it is very much a friend trying to help businesses understand the value of the data they hold, and the work needed to safeguard it.