Despite the impression given by media reporting on larger companies, it is the small business that is probably most at risk of being hacked. Its customers may not take kindly to having their privacy compromised, or to being unable to log in because systems have been put out of action.
Until very recently, some considered it an acceptable risk assessment strategy for small businesses to “run the risk”, in the mistaken belief that hackers are only interested in large businesses. Our research going back to 2009 has shown that regional SMEs were only prepared to allocate limited resources to information security. As is widely acknowledged, the apparently relaxed attitude of SMEs was a source of constant frustration for the InfoSec community.
The latest, ongoing, research suggests that SMEs are becoming more receptive, and other studies indicate that customer attitudes to personal data might be changing. However, our own research also suggests, disappointingly, that SMEs aren’t currently impressed with certification as a way forward. Chicken Little steps, however, might just gradually overcome that reticence. After a slow start many SMEs now have ISO9001 certification, and proudly display a certificate demonstrating that they have an effective quality management system.
What marks out ISO9001 against the various certified equivalents for information security? The answer is simple… public awareness. If SMEs really thought members of the public would be more likely to engage with their products if they displayed a Cyber Essentials, IASME, PCI-DSS, or even ISO27001 badge, they would be queuing up to gain market advantage. The reality has been that the public has shown little inclination to care enough about its personal data to use it as a factor in making purchasing decisions.
So why might there be a shift in public perception? Recent research suggests that the data gathered was always conflicting on analysis (the privacy paradox), and in the second half of 2015 two very high profile data breaches captured the public attention: Ashley Madison and TalkTalk. A fascinating detailed study conducted for the RAND Corporation over that same year has shown that attitudes to privacy are much more nuanced than previously acknowledged; some groups really do care about the privacy of their online data, and SMEs may be missing a trick here. We will be doing more research at Worcester in the coming months. If there is further evidence that a demand for more online security is emerging from younger professionals (25 upwards), that could be a clear driver for change. Another possible driver for changing attitudes could be the new EU Regulations, which will be examined in my next article.