NAO: UK Government Must Try Harder on SME Security Education

The UK government is making good progress in implementing its National Cyber Security Programme but has struggled to encourage SMEs to make their businesses more resilient to attack, according to a review by the National Audit Office (NAO).

The NAO update was published last week for the Committee of Public Accounts and claimed that the programme is on track to spend its budget of £860 million by March 2016.

The government spent £12.4m last year on engaging with the private sector and the public, with a further £21.1m earmarked for 2014-15.

GCHQ, the Cabinet Office, the Foreign & Commonwealth Office and the Department for Business, Innovation & Skills have all published information designed to help businesses become more secure, and the Ministry of Defence now requires all suppliers to conform to “Cyber Essentials” criteria.

However, the range of advice may be confusing for SMEs, the NAO said, citing industry stakeholders it interviewed.

“There is a greater need to scale the guidance to fit these smaller businesses. SMEs are often too small to employ dedicated IT staff, and the impact of breaches can be just as damaging,” the report said.

Relevant guidance includes the BIS Cyber Essentials scheme; a document on 10 steps to cyber security for the smaller firm, by the ICAEW; and the Cabinet Office-backed guide, Information Assurance for Small and Medium Enterprises’ 10 steps to Cyber Security – Guidance for SMEs.

A Cyber Streetwise campaign has had a decent success rate with the public, but only “limited impact” with SMEs – just 8% have undertaken 10 or more of the 14 cyber security behaviors listed.

“This lack of movement may be due to SMEs investing their limited resources into meeting the behaviors that are most critical to their business. While the campaign appears to be raising awareness among the public, this has not yet been reflected in the actions of business,” said the report.

The government will be hoping the next phase of Cyber Streetwise has the desired effect of increasing impact among smaller firms.

Chris Boyd, malware intelligence analyst for Malwarebytes, argued the government needs to concentrate on easy-to-understand, basic best practice guidelines, reinforced through “relentless education and training.”

“The problem of falling foul of cybercrime is greater than just an inconvenient few hours of downtime,” he told Infosecurity.

“Today’s malware is smart and built for purpose. It can remain hidden on an SME’s networks and devices for long periods of time, transmitting sensitive data such as bank details and intellectual property back to shady individuals. Not only this, but should such a breach become known by customers, the reputational impact can be long lasting.”

SMEs are also at risk if they’re partnered with larger firms, as they can be used as a “jumping off point” for targeted attacks on the bigger enterprise, he added.

James Lyne, Sophos global head of security research, argued that although SMBs may not be in the headlines, their combined number represents a far greater risk to the UK economy.

"They represent to a large degree the ‘death by a thousand cuts’ - the volume of cases is hard for police to investigate and the individual crimes are small enough they are often ignored by the individuals," he told Infosecurity.

"It is therefore critical that we continue to seek ways of making security awareness accessible and engaging for SMEs and that it is kept up to date as threats and practices evolve."

Graeme Stewart, director of public sector strategy at McAfee, added that industry hasn't been sufficiently "engaged" by the government.

"McAfee has a huge number of resources for SMEs, as I’m sure do other security companies – yet the government seems intent on reinventing the wheel every time it launches a new programme," he told Infosecurity.

"There should be one central cyber security hub which manages the various targeted government programmes – big business, SMEs, education, etc - and ensures they have access to the resources and expertise they need to be successful."
