Why it’s people, not technology, that will make or break an SME’s best attempts to prevent an attack

You may have thought that the success of a business’s efforts to prevent an attack by cybercriminals would be defined by how much it spends on its technical defences.

Surely, ploughing more money into the latest hard or software will create an impenetrable fortress?

Not necessarily, says Dr Robyn Remke of Lancaster University Management School (LUMS).

Because, like so many other business issues, cyber security is first and foremost a ‘people problem’.

Dr Remke, whose expertise lies in organisational leadership, culture and behaviour change, explains: “It used to be the case that only the largest organisations were worthy of hackers’ attention, whether for a large ransom or in protest or ‘hacktivism’ like the Anonymous group.

“More recently, though, the prevalence of attacks against even small organisations is rising: government statistics show that in 2022, 39 per cent of small businesses reported a cyber breach or attack.

“It’s simply a numbers game: it’s easier for a criminal to crack the weak passwords of 100 small businesses and take £10,000 from each, than hack into one major organisation to steal £1m.

“And, until staff at every level of a small or medium-sized enterprise (SME) understands the risk of an attack and their role in preventing one, a company remains vulnerable.

“For example, sharing passwords, repeatedly using the same, weak password or not installing the latest software updates are the digital equivalent of leaving the front door unlocked, and no amount of money spent on technical solutions can compensate for that.

“Therefore, it’s essential that SME leaders create and maintain an organisational culture where cybersecurity is an absolute priority and secure behaviours become second nature for everyone.”

The cost of inaction

As any business leader will know, changing culture can seem like a tough challenge at any time. Add it to a to-do list that already includes overcoming sky-rocketing energy costs, labour shortages and supply chain challenges and it may seem like one task too many.

Despite this, the financial and reputational impact of postponing culture change could be substantial. An attack could mean temporarily or permanently losing access to files, website disruption or theft of money or assets. And, if a business is responsible for the loss of customer data, it could be liable for substantial financial damages.

“Whatever the impact, in the aftermath of a breach, business leaders will have to make the cultural and behavioural changes that were necessary in the first place, so there really is no benefit, and plenty of risk, in putting it off,” says Dr Remke.

Create a culture that prioritises cybersecurity

Whilst the challenge may seem daunting, there are practical steps that SME leaders can take to get their teams on board, regardless of sector or specialism.

Robyn continues: “In a positive security culture, all employees understand why cybersecurity measures are in place, have the knowledge, skills and motivation to implement them and understand what the likely risks are. This creates an organisation that is robust and resilient in the face of digital threats.

“Organisational change starts from the top. Senior leaders must first model the behaviours that they want to see throughout their teams. If a director cuts corners, switching off two-factor authentication, for example, then it is tough to motivate colleagues to do otherwise.

“Colleagues also need to know how to combat common threats through regular and sustained awareness raising, training and an environment where cyber security is regularly discussed.

“Leaders then need to bring staff on board by winning their hearts and minds. Colleagues need to care about good cybersecurity because they know that it is vital to the future of the business they work for.

“After that, it’s time for leaders to let go a little. It sounds contradictory, but owners and directors have to listen when colleagues raise issues or suggestions about how measures will work in reality, and then trust them to find the right solution in their circumstances.

“Whether it’s a cleaning company, non-league football club, or a gin distillery the approach is the same. A positive culture of security will grow when all staff from the CEO, to the chef to the groundskeeper embrace their vital role in minimising the likelihood of an attack.

“It’s not simply about giving staff a checklist”, says Robyn, “it’s about infusing an awareness and appreciation of the issue into every aspect of the business. In this sense, employees are not repeating actions they’ve learned by rote, but become the vigilant eyes and ears of the company, constantly alert to the risk of both a malicious attack and the all-too-easy human errors, like the ‘reply all’ email, that can result in a breach.”

By shifting your internal culture, cyber security no longer needs to induce fear or dread in your teams and you’ll start to realise tangible benefits which you will want to shout about to your customers.

Help is at hand for SMEs

To help business leaders implement both the technical and cultural changes they need in their organisations, LUMS and the University’s School of Computing and Communications have come together to create the new Cyber Strategy Programme.

The Programme, which is fully funded for SMEs in Lancashire, brings together experts from these two, highly-accredited university departments to help SME leaders understand the risk that cybercrime presents and minimise the threat by confidently implementing changes within their systems and teams.

Leadership and culture sessions will empower delegates to build a culture of cyber-excellence within their organisation and they’ll also benefit from the peer support of other business leaders in the area. Workshops and masterclasses will see participants learn from leading cyber and leadership experts, as well as detectives at Lancashire Constabulary’s cyber crime unit.

Dr Remke finishes with some reassuring words for business leaders who are looking to up their commitment to cybersecurity: “It’s important not to be daunted by the task of implementing more or new cybersecurity measures, whether they are technical or people-based.

“Business leaders, especially entrepreneurial SMEs owners and directors, confront challenges of this nature daily. Cybersecurity is simply another application of their ability to innovate, act decisively and bring people with them.”

Places are available on the Cyber Strategy Programme, starting 16 November 2022

The Cyber Strategy Programme will run over five months via a mix of in-person and online learning.

A two-day introductory residential session will be followed by monthly one-day workshops and masterclasses with Lancaster University academics and experts. During the five-month programme, delegates will also implement their learning through a company sprint project.

Places are fully-funded by the European Regional Development Fund (ERDF) for Lancashire businesses that employ between five and 250 people.

Find out more and register your interest in joining the programme online at www.lancaster.ac.uk/cyber-strategy-programme

Related Blogs

• 

  How ‘Good Growth’ re-energised accountancy firm Towers + Gornall

• 

  “Accidental” Lancashire business that now boasts an 18-strong team

• 

  Growth is green at the Bath House

Disclaimer

The opinions expressed by our bloggers and those providing comments are personal, and may not necessarily reflect the opinions of Lancaster University. Responsibility for the accuracy of any of the information contained within blog posts belongs to the blogger.