Many small businesses treat IT, and IT security in particular, as an overhead rather than a business driver. In-house security expertise is rare, too. The result is that SMEs tend to underinvest time and resources in what is a critical supporting factor for the success of the business.
The IT and advisory firm Gartner has looked into the spending habits of businesses when it comes to IT security. Their research, which is limited to the US market, finds that approximately 5% of a company's revenue goes to the IT budget, and of that budget about 5% is spent on cybersecurity. This is a broad-brush analysis, and IT and IT security spending profiles change as businesses grow, but it gives a useful order of magnitude.
If we presume a similar spending allocation among UK businesses, then in real terms a company with £36 million per year in revenue has a cybersecurity budget of around £90,000 (5% of 5%, or 0.25% of revenue), which is perhaps enough to hire a single dedicated cybersecurity employee.
It follows that most of the people who work in cybersecurity are employed by governments, security vendors or FTSE 100-type companies. Almost none work for non-profits or small businesses. Yet the US Department of Labor says that small businesses make up 99.7 percent of US employer firms and 49.2 percent of private sector employment.
Herein lies the elephant-sized problem in the room. The 99.7 percent of firms that are small are unlikely to have a firm security posture, and therefore roughly half of the workforce is under-protected.
This cybersecurity poverty line has created a huge disparity between the haves and the have-nots. Many companies, in the US, the UK and elsewhere, lack visibility into their networks and user activity. They don't have the knowledge, experience or budget to create a firm cyber posture. As a result, roughly the top 0.3% of firms by revenue have an elitist grip on security.
Much of the problem is that, for some time, the market has been driving towards ever-shinier, AI-focused products. These products are often overwhelming and underutilised, and they distract buyers from what matters most: establishing a good, solid security foundation, doing the basics right, and focusing on people, process and technology. Security isn't actually that difficult if you're prepared to do the right things at the right time.
A funding gap
It's true that small organisations may not be able to afford a dedicated cyber employee, but that doesn't mean there aren't providers who can deliver security as a service, whether that's one day a week, one day a month or once a year. This service-based flexibility is the first step. It opens the door to security cover that's relevant, realistic, attainable and, importantly, within budget.
Education and awareness programmes help keep cybersecurity best practice top of mind for employees and consistently remind people what to look out for. Beyond this, it's about establishing the right processes and then supporting those processes with the relevant security technology.
That’s why you don’t need FTSE 100 budgets.
By looking at the current business needs and the likely needs generated out of the roadmap for growth, businesses can:
Align their current business model with their current IT and IT security needs so they can be deemed fit for purpose.
Determine IT security controls that are fit for purpose for their current and planned business size. This may be hardening of the productivity platform, anti-virus, or other simpler IT security controls.
Consider the initial outsourcing of IT security as the business grows.
The onus is on the industry to share as much information as possible. Vendors typically have the resources and bandwidth to conduct more thorough and sophisticated research, and it's critical to share with the larger community so that we can work together to better defend against attackers. We know that attackers are collaborating and sharing threat intel, so the industry should, too.
Coming back to process and best practice: businesses may not regard IT and IT security as one of their key business drivers, or may not have the experience, so they deal with problems as and when they arise, i.e. point solutions to point problems.
I would say that buyers are often prompted into a kind of analysis paralysis because one vendor will solve a problem with a vulnerability scanner, another company will solve it with a pen test, and another company will use an external risk assessor. There's so much variety that it's confusing, and there isn't a standard type of assessment.
So vendors can assist by creating technologies that are user-friendly, intuitive and ultimately easy for end-users to incorporate into their day-to-day work.
It's often the small things that make the biggest impact. Security measures like multi-factor authentication and single sign-on are easy to explain to the end-user and don't ask much of them. The same goes for selecting remote access or VPN alternatives: find tools that integrate the basic security standards in a seamless way.