On the morning of the first day of Infosec I attended a PICTFOR briefing on the current state of UK Cyber Security. The lack of intelligible security guidance for small firms was identified as a major issue by several speakers. Later that day I attended the launch of the 2013 Data Breaches Survey. Over half the small firms responding had suffered staff related security breaches over the past year and 2/3rds had been attacked from outside.
The following day I attended the launch of “The Digital Imperative” a joint report by Intellect and the Federation of Small Business on small businesses, technology and growth. Nearly three quarters of the 2,200 respondents to an online survey had websites but barely a third used them for on-line sales. This tallies with the finding in the recent Policy Exchange report “The Superfast and Furious” that around 80% of small firms have a web presence but only a third are willing to transact (i.e. accept bookings or payments) on-line.
Why is this?
Last year the National Fraud Authority survey of small firms as victims showed that 2/3rds had experience as victims, a quarter within the past 12 months. They do not need awareness programmes. They know they need education and support – but to do what?
The 2013 Data Breaches survey indicates the value of ensuring that staff know what to do. Over 90% of organisations where the security policy was poorly understood had staff related breaches. Under half those where the policy was well understood had such breaches. I think we can quite reasonably conclude that one reason why small firms are so reluctant to transact on-line is that awareness without the knowledge of how to take effective action has led to fear, not confidence.
So what training and support do small firms need and who is going to provide it? There is no shortage of advice and guidance – usually based on variations on ISO 27000 which assume knowledgable staff with the time to learn how to use complicated products and make sophisticated choices as what they trust and why. BIS is currenlty seeking inputs to a consultation on which security standard it should support – as though a “standard” was a signiciant part of the “answer” to the problem of loss of confidence in the on-line world.
When I was IT skills advisor to West London Training and Enterprise Council, three decades ago, we found that 2/3 of local organisations with more than 10 staff were already using computers but few had any professional IT staff. The “users had taken over the system” and most of them had received no IT training at all. Shortly afterwards another TEC, using a different methodology, found that the person in charge of IT in over 75% of small firms was the secretary/receptionist.
Today the world has moved on. Almost ALL small firms (including sole traders) use some form of IT and HMRC is trying to make Real Time inputs from approved accounting software mandatory for all who employ anyone (even a part-time Parish Clerk or a voluntary worker receiving a payment to cover expenses). Who is in charge of information security for the 99% of employers with no IT staff? What training have they received? The “Chief Information Security Officer” for an SME is typically the plumber’s wife who, hopefully, reminds him to back up his smart phone when he gets back … or it might be one of their children, who discovered the perils of cyberstalking and bullying before reaching puberty.
In a discussion after the launch of “The Digital Imperative” I said that the problems of giving small firms the confidence to transact on-line without fear of fraud would not be solved unless and until Intellect members can make a good living from providing and supporting products and services to FSB members that are genuinely easy to use and secure. My experiences in the ealry 1980s from running the pilot Micro-System Centre and advising the ITECs prejudice me strongly against advisory services which are not based on a robust and sustainable business model: unlike all those services created to support SMEs which are staffed by those who have never run one.
But the ease of use and security will not help if you cannot get the bandwidth necessary to provided an attractive, interactive business experience to your target customers. The FSB/Intellect study makes many good points about how technology can help small firms but a significant part of the answer is Cloud Computing, including for support and security. I first asked what bandwidth do you need in order to make effective use of cloud computing about three years ago . The answer was “What do you mean by cloud computing?” with some respondents saying that webmail and similar applications for a firm with up to a hundred employers would work adequately over a 10 mbps leased line. In the US, however, those promoting cloud services tend to think in terms of customers having symetric pipes providing at least 100 mbps symetric. Around the Pacific Rim our the competitors of the future think of gigabit fibres. Now look at the needs of some FSB members to handle inter-active video traffic, as with a small firm providing hand-crafted customised products or a country pub with customers watching different sporting events over their smartphones. The bandwidth requirement is akin to that which is now commonplace around the Pacific Rim.
At the recent DPA event with Neelie Kroes speakers from Digital Britain First made the point very strongly that those who could not get Fibre to a Business Park in Buckinghamshire or Oxfordshire or to a Country House Hotel beside the Thames, (for webcams in support of international advertising, let alone the wifi traffic generated by the smartphones and tablets of the guests), were at a serious competitive disadvantage. In this context the Ofcom investigation into BT’s squeeze on reseller margins for fibre , after its actions (in co-operation with Virgin) to block the Birmingham attempt to leapfrog its upgrade schedule, would be good news – were it to help expedite the availability of fibre to premises at affordable cost – as opposed to the Openreach “excess construction charges“. However, Talk Talk had to employ a German consultancy to produce the evidence, such is BT’s dominance of the UK market, including vis a vis consultancies who have long been in a position to produce such information, were it not that it would lose them more custom from BT and its partners than it would gain from others. More-over we need to get BT and Virgin to expedite and upgrade their investment plans rather than block those of offers.
I threfore fear that the result will be more fear, uncertainty and doubt as UK economic recovery is delayed because BT is putting over a £billion into trying to compete with Sky on Sports Content, instead of into infrastructure to rent to Sky and others. Given that economic recovery on the back of such investment is essential to bridging the ballooning gap in the BT pension fund, I fear that this strategy may prove to be a lose lose for almost all. The only winners will be thsoe in BT who are looking forward to salaries akin to those of their counterparts in the BBC: whether or not the sports content business shows a better return to shareholders than BTs other attempts at diversification. Meanwhile sovereign wealth and pension fund managers around the world are looking to invest in the boringly profitable critical infrastructure utilities which MacQuarie, and others, are funding around the rest of the world.
Now for some good news. At the end of March the contract for the Cybersecurity Skills Partnership was finally signed. e-Skills has the go ahead to organise a set of pilots, from schools activities through FE and HE apprenticeships to continuous professional development, bringing together a wide range of partners, building on that existing work which is well-regarded by employers. The programme is unusual in that the first public announcement is that of research into the actual paths followed by those in the industry . I have agreed to help identify employers wish to use the results to improve the skills and motivation of those they recruit and to improve and update the skills of those they already employ. I hope to blog on the details shortly but, in the mean time, e-Skills is looking for those who will take a lead and ensure that the programme really is built around employer needs and not just the shifting sands of government policy .
Next I should say a word of praise (and I should say it is genuine praise) for BT’s skills activities in support of its core business. BT is one of the few organisations that takes its apprenticeship programmes seriously. Its support for the plans for SME IT support apprenticeships should be copied by all who are serious about wanting small firms to have the skills and confidence to transact on-line.