Why do we need to research the cybersecurity needs of micro-businesses?

Current government policy, from digital inclusion to cyber security, is based on allegation, not evidence, with regard to the five million micro-businesses and sole traders who account for 30% of the private sector workforce and a disproportionate number of those on the margins of welfare and work.

Their needs have never been separately surveyed and there is no evidence that current messaging, guidance or support reaches more than an insignificant fraction of them.

We need serious research into how to reach them via channels they trust, given that helpful communications, supposedly from banks, HMRC or the NHS, are nearly always, in reality, from fraudsters. Only then can we begin to look at their needs and how to meet them.

Those wishing small/micro-businesses to transact on-line using their products and services, including for cyber security, have a good case for supporting research into how to support micro-businesses at affordable cost.

Until then we have gesture politics, not a serious strategy for reducing the £billions lost to cyber-crime and fraud by those least able to carry the cost.

The scale and nature of the problem

Government surveys, whether of data breaches, digital skills or anything else, lump SMEs (those employing under 250 staff) together. But medium-sized businesses (50 – 250 staff) are very different to small firms (under 10 – 50) and no-one appears to have ever separately looked at the needs of micro-businesses (2 – 9 employees), let alone those of sole traders, many part-time on the margins of welfare and work.

Government analyses of the impact of cybercrime, such as the Data Breaches survey, indicate that the needs of SMEs are very different to those of medium to large organisations. So too is the take-up of advice and support packages. But SMEs are, by definition, those with 10 – 250 staff, of which there are 250,000. By contrast there are 4 million sole traders and a million micro-businesses (2 – 9 employees). They account for 30% of private sector employment and nearly 20% of turnover.

They also employ a disproportionate number of those on the margin between welfare and work. 20% are women sole traders or micro-businesses led by women, although this varies by sector, from under 4% in construction to over 50% in Health, Care and Education. Around 6% are from ethnic minority backgrounds, rising to 20% in London. There is evidence (anecdotal) that those run by women are at greater risk of targeted attack, particularly those run by women from ethnic minorities. This is significant if Government is serious about addressing quality and diversity, given the impact of on-line misogyny compounding that off-line.

It is unclear how much current NCSC cyber-security material, if any, reaches micro-businesses, via which channels and, if so, what impact it has. Much is said about programmes to help them get on-line and/or improve their security but there appears to be no statistically valid research into their actual needs or how to contact them via channels they can trust. It is also unclear whether anyone has yet attempted to understand the behaviour changes that micro-businesses make based on the information shared with them by those they trust.

Policy for guidance and support is therefore currently based on assumption and ignorance

Studies which conflate the needs of micro-businesses with those of SMEs may be as misleading as those which regard the needs of SMEs (who may have one or two full time staff looking after digital infrastructure, albeit not full-time) as a cut down version of larger businesses (commonly with one or two qualified but part-time staff looking after security and compliance) and/or the much smaller number (perhaps under a thousand) with in-house teams of full-time specialists.

Professionally perceived risks may map onto neither audience perception nor reality

The risks commonly perceived by professional and policy advisors are of cyber-attacks based on payment fraud, identity theft, impersonation, malware, denial-of-service, extortion and ransomware. Meanwhile female proprietors, particularly those from minority backgrounds, are said to be at greater risk from those with more personal motives. This is a particularly difficult area to research since those at most risk may well also be concealing their business activities from male community leaders and/or relatives.

Surveys indicate a high level of unreported micro payment fraud because it is too difficult to report low value transactions. Some criminal groups use impersonated micro-businesses to launch major financial frauds and make large sums of money in a coordinated fashion.

Surveys indicate that over 40% of those who go on-line, whether business or consumer, have been victimised. There are, however, known to be major variations by sector with targeted attempts on particular SME honeypots, e.g. Estate Agents, Financial Advisors etc.

Micro-businesses commonly connect home and work networks, including unsecured IoT devices (printers, hubs, cameras and displays) which use default usernames and passwords provided by the device manufacturers. Criminals often target these to access wider networks to steal data and/or launch denial-of-service attacks.

The need to address wider risks to securing the UK employment base

Micro-businesses provide 30% of jobs, including those most likely to bring those on welfare, including as a result of Covid and Covid lockdown, back into the workforce. But their confidence in going digital dropped with the experiences and aftermath of Covid lockdown, including large scale spamming and phishing via text, phone and e-mail, leading to fragility of confidence in on-line contact and increased vulnerability to blended impersonation (e.g. digital impersonation reinforced and facilitated by courier fraud).

Meanwhile larger businesses and those running third-party and inter-connected supply chains are demanding greater security from the micro-businesses, including free-lance home-based workers, in their supply chains, with data loss and/or e-mail compromise leading to loss of on-line facilities and/or business closure.

Problems with providing guidance on how to improve security at affordable cost

There are several software-as-a-service marketplaces where micro-businesses buy business services such as payment gateways, authentication plug-ins, accounting and invoicing, logistics etc. However, the pricing models commonly encourage micro-businesses to go for the options that minimise operational costs at the expense of support.

Many of the relevant vendors, particularly SME resellers, are not credible, lack current cyber security certification and/or are otherwise themselves vulnerable to attacks. Lack of transparency and uncertainty over the competence and/or probity of advisors and suppliers compounds lack of confidence in taking simple steps to reduce vulnerability and impedes the digital transformation of micro-businesses.

Reputable vendors seeking commercially viable means of meeting the needs of micro-businesses therefore have an interest in supporting research that will help identify and create trusted and trustworthy marketing channels, as have banks, transaction processing and financial service providers seeking to improve confidence in their on-line services.

The first task is to identify trusted and trustworthy channels of communication

To support micro-businesses it is important to begin by identifying mechanisms by which we can establish trusted channels through which we can securely contact them to conduct detailed studies to understand their digital transformation needs and societal challenges.

Cold calling or campaign emails will be seen as phishing attempts. Given the rising volume and increasing sophistication of phishing it is rational for them to assume that any text or e-mail other than from someone they think they already know and trust is probably from a fraudster.

We will need to identify trade associations, small business support hubs and others with trusted and trustworthy relationships with micro-businesses. In the case of female proprietors and minorities that may need to include a variety of community support groups.

That will require a phased approach beginning with channels of communication

Phase 1 should identify which communications channels reach which types of micro-business in order to mount research into how to communicate with them and change their digital behaviours and attitudes.

That is probably best done by commissioning a study to look at how to use franchise operations (around 10% are thought to belong to franchise operations), trade associations, interest groups, financial services and others (e.g. HMRC) which communicate regularly with them via channels they can verify, and to identify which might be willing to co-operate.

The next step is to use media and journalism students with behaviour psychology and media skills to develop and test communications material in language that will be understood by the micro-business community.

That will enable the planning of reliable research into needs and priorities

Only then will we be able to structure research into the needs and priorities of small/micro-businesses and how they respond to messaging from various external entities, let alone the impact of cybercrime on how they behave on-line or respond to advice and guidance on how to protect themselves.

It will not be cheap. The last exercise to attempt this was probably that of the West London TEC (Training and Enterprise Council) in 1991. The TEC was given £250,000 to add a survey into digital skills needs to its £150,000 labour market survey. The resultant computer assisted telephone survey of a structured sample of all local businesses achieved a 50% response rate but the results were so embarrassing that only the headline “The users have taken over the system” was published. None of the programmes of the day were relevant to their needs. Most users were self-taught using equipment the computer industry thought was obsolete. Moreover they lacked the time to learn how to upgrade, replace or use anything new.

Is it different today?

For example, how many still use a Windows XP PC or laptop and/or have bypassed any upgrades as they switch to running the business over a smart phone and a credit/debit card reader?

Only serious research will tell.

 
