- The paper provides a narrative review of cybersecurity implications for Australian small businesses, highlighting the urgent need for tailored solutions based on global evidence.
- Small businesses face significant challenges including limited data availability, technical differences from large enterprises, lack of internal IT expertise, and difficulty navigating complex standards.
- Despite challenges, small businesses possess advantages like agility, potential for networking, suitability for zero trust models, and access to open-source tools for enhanced cybersecurity.
The paper provides a narrative review of cyber-security implications for Australian small businesses. The authors highlight the urgent need for effective and suitable cyber-security solutions tailored to small businesses, which are increasingly targeted by cyber-criminals. The paper uses global evidence from industry, government, and research communities across multiple disciplines to explore technical and non-technical factors impacting a small business's ability to safeguard itself. It also identifies unique characteristics of small businesses that could allow for increased cyber-security.
Background and Motivation:
The paper notes that businesses worldwide are under pressure to adopt technology, a trend accelerated by the COVID-19 pandemic. Cyber-crimes are becoming more sophisticated, costing the Australian economy billions annually. Small businesses, employing nearly half of the Australian private sector workforce, require support against cyber-criminals. They face potential penalties for non-compliance with regulations like GDPR (General Data Protection Regulation) in the EU and HIPAA in the US.
Literature Review:
The authors conducted a keyword search across multiple academic search engines, identifying relevant review papers on small and medium business (SME) cyber-security. They compare the aims of their paper to selected review papers, focusing on:
- Restricting context to small businesses.
- Critically examining the landscape of existing small business cyber-security research.
- Examining potential technical and human issues with small business use of cyber-security solutions.
- Identifying structural opportunities for small businesses.
The review found that existing literature often groups small businesses with medium businesses, failing to distinguish the unique challenges faced by smaller entities. The authors address this gap by exploring organizational characteristics impacting cyber-security posture, both negatively and positively.
Research Data Challenges:
The paper discusses the limited research on cyber-security posture and solutions for small businesses (0-19 employees), despite their importance in global economies. Transferability of research from large enterprises is problematic due to differences in resource availability, technical landscape, and operational processes. Discrepancies in survey results, both within Australia and internationally, highlight the difficulty in obtaining comparable data from disparate and technically inexperienced small businesses. The authors identify several challenges:
- The Elusive Cohort: Difficulty in gathering data from diverse small businesses due to low response rates and lack of public domain data.
- Disparate Technical Terms: Lack of standard definitions, structures, and classifications within cyber-security, leading to ad-hoc and incomplete data.
- Size Matters: Differing definitions of small businesses worldwide make data comparison difficult, as organizations with varying employee counts operate and communicate differently.
- Self-Reporting Fallacies: Inaccuracies in self-reported cyber-incidents due to non-technical users' difficulty in reporting subtle attacks and psychological self-reporting biases.
- Business versus IT Perspectives: Under-representation of non-technical respondents in online surveys, leading to biased results as technically literate respondents are more likely to participate.
Challenges Faced by Small Businesses:
The paper identifies several technical, human, and organizational challenges faced by small businesses:
- Technical Challenges: The technical landscape of small businesses differs from large enterprises, making it impractical to apply large-scale solutions. Small businesses often lack test environments for destructive testing and incident response training. The move towards cloud infrastructure presents challenges for traditional cyber-security products, as general network scanning assumes local infrastructure.
- Human Challenges: Small businesses lack qualified and accountable IT departments. Support typically comes from external contractors or non-IT qualified staff. Small business owners often have limited technical knowledge and exposure to technology, hindering their ability to advocate for cyber-security needs.
- Organizational/Process Maturity: Small businesses in early inception stages do not focus on processes, which is at odds with a well-rounded cyber defense posture requiring business policies and controls.
- Industry Standards: The variety and complexity of industry standards (e.g., NIST, COBIT, ISO27001) pose a challenge for small business owners. Simplified versions of these standards have limited comparability, leaving non-technical owners with a low sense of self-efficacy.
- Cyber Insurance: Cyber insurance is a relatively new phenomenon with many variations, and the effectiveness of coverage has been called into question, particularly regarding exemptions for acts of war or terrorism.
- Legal Remediation: Cyber-criminals operate with impunity due to the legal complexity of investigating and prosecuting cyber-crimes across different jurisdictions. Low conviction rates and low rates of reporting further exacerbate the issue.
- Cost of a Data Breach: The lack of knowledge regarding the cost of inaction makes investing in cyber-security a difficult decision for small businesses, as existing data breach costing studies primarily focus on larger businesses.
Advantages for Small Businesses:
Despite the challenges, the paper identifies several advantages that small businesses possess:
- Small Business Agility: Small businesses exhibit flexibility and willingness to learn, enabling them to adapt to fluid situations. Older demographics of small business owners come with creative and critical thinking skills, which are important for cyber-security.
- Small Business Networking and Alliances: An alliance between small business owners would enable data collection, advanced intelligence sharing, and peer support, providing real-time knowledge of trending threats and attack methods.
- Advantages of Zero Trust Model: The low requirement for IT homogeneity makes zero trust security models a prime framework for small businesses, as they have limited large-scale technical legacy to undo.
- Open Source Cyber-security Tools: Open source software and hardware offer an option when paid IT products do not meet technical or cost requirements. These tools can provide ongoing reviews, minimize security vulnerabilities, and reduce vendor lock-in.
Discussion and Conclusion:
The paper concludes that data collection in small business cyber-security research requires improvements in scope, consistency, and respondent range. Small businesses face numerous hurdles in understanding and implementing cyber-security, including technical, human, and organizational challenges. However, their agility, potential for networking, suitability for zero trust models, and access to open-source tools present opportunities for enhancing their cyber-security posture. The authors argue that a more coherent understanding of small business cyber-security needs and risks can lead to more resilient small businesses, benefiting industry, government, and society at large.