We know why UK SMEs do not transact online. We need action on causes, not more awareness

I have asked before why so few small firms transact on-line and why the proportion is not growing. The causes are becoming clearer. The growing  “evidence” that BT has a policy of not upgrading exchanges to provide Fibre to the Cabinet where more than a given proportion of the lines are for business explains much. Small firms commonly face a choice between overpriced lease lines and even more over-priced fibre to the premises. Then when they do go on-line, they are disproportionately the victims of fraud.

Whose fault is this?

BT appears about to face some very public criticism for over-pricing and discrimination to protect its leased line business. Its policies are, however, a byproduct of a seriously flawed regulatory system . The effect is then compounded by the impact of business rates on those who might wish to lay alternative networks. Our regulators (not just Ofcom but also those for Electricity, Gas and Water) are increasingly fixated with fictional costs and rates of return rather than focussed on price, quality of service and barriers to market entry. A side effect is that the motivations placed on BT include price (and other) inflexibilities which actively discourage imaginatively structured, “self-funding” service upgrades which would enable them to make more money by providing cheaper better services to business. Meanwhile would-be alternative suppliers are charged business rates based on fictional valuations in advance of any revenue and landlords and property developers are denied easy packages to improve the services available to their tenants.

When it comes to information security, the problem appears to dereive from an obsession with technical fixes and “awareness” (alias “buy what we are selling and stop moaning”). Meanwhile the need is for the provision of hands-on personal support at affordable cost to the “average SME” where the combined CIO (chief information officer) and CISO, (chief information security officer) is the secretary-receptionist who also maintains the website and handles administration. For a million or so micro-businesses the CIO/CISO is “the roofer’s wife” (who takes the calls when he is out and does the books) when it is not “the roofer”, himself, who runs it all from his smart phone. I remember the trauma when a roofer, who had just given me a quote, was changing “chipcards” (his words not mine) in his smart phone (I never quite understood why) and dropped the card in the gutter. It was drinks all round when we found it. It reminded me that technology moves on but people do not – he had not backed up his phone in over a week – when did you last back up yours. Also the gulf of understanding between Computing and Communications (including Infosecurity Security ) professionals and real human beings remains as wide as ever.  

I was recently contacted by one of the PR firms putting together “an imaginative new approach”  for their bid for the next Government Security Awareness Campaign, mentioned by James Brokenshire on monday at the Digital Policy Aliance in a very well received speach. I said they should focus on promoting awareness of who to contact when the security products stop the system until the user has responded to an incomprehensible “warning” and awareness of who to contact when victimised. In other words, the time has come to focus on victim support, not awareness. Most of of the target audience is already only too well aware, because the majority has already been victimised.

The big question is how government encourages the provision of commercially viable and trustworthy end-user (consumer or small firm) support services – not just clogged help-lines to Indian callcentres?  I suspect the answer lies in the re-creation of frameworks akin to the ITECs and City and Guilds 726 to train and support an new generation of hands-on end-user support apprentices for the on-line world. Hence one of the reasons I volunteered to work with e-Skills to try to get employers involved in ensuring that the new cybersecurity skills programmes help meet their needs and not just fit within frameworks drafted by those security professionals who are not busy protecting customers.

So who should be driving the changes needed

  • to our regulatory systems to enable BT (as well as its competitors) to make more money by providing better services at lower cost to small firms?


  • to the cybersecurity strategy so that it gives small firms the confidence to go on line?

The answer is


Via your political party (I do not have details for UKIP, LibDems or Labour but if you have conservative leanings please visit the Conservative Technology Forum website and then let me know the contribution you would like to make to policy formation and scrutiny. I am currently reviewing the priorities with my successor. My term of office ends next year). 

Via your professional body: thus BCS, CILIP. ISACA and others offer routes for individual members to contribute to the collective work of the Digital Policy Alliance as well as via their own submissions)

Via your trade association or interest group: thus FCS, Intellect, ISSA offer routes for companies to controbute to sectoral inputs as well as on a cross-sector basis via the DPA

Via your constituency MP: the egregious behaviour of a minority means that the good word done by most all-party groups has been seriously comprsmised but it is only “nasty lobbying” when you try to work via some-one else’s constituency MP. Remember put the case into local and personal context, otherwise their eyes will over, quite understandably. 

The motto of this blog remains “the silent majority gets what it deserves – ignored”.