OCSRC's beginnings...
Pragmatic cyber security for complex supply chains and the SMEs that live there
For a long time there’s been a gap in our knowledge about cyber security. The place on the roadmap where it still says ‘here be dragons’… In understanding what motivates small organisations (SMEs) to invest in cyber security.
There’s three problems with the dialogue around SME cyber security:
Scoping the problem is hard. Sensational articles are easy to find, pragmatic solutions are difficult to filter from marketing, and most small organisations don’t work in isolation, so have a complex digital footprint. Googling ‘cyber security’ SMEs can’t see the wood for the trees… and most of the advice is aimed at the trees not the saplings. Small organisations need to understand how the problems in the press scale to their own business.
The pressure is from the supply chain and this causes a quiet conflict. Are small organisations at risk? Definitely. The last time I spoke to the police, they suggested that 50% of the small businesses they saw post cyber breach went out of business within a year. Should their customers be trying to fix this by telling them they need them to invest in security? Only if it makes sense to both businesses: the request is proportionate to the value of the contract you have with them and isn’t so bespoke that it conflicts with other customers’ requirements.
It’s a simple complex problem. Yes, cyber security breaches can put a big dent in any individual’s or business’ wallet, but cyber security really is in the small things. The problem is that the cost of a breach is high and advice is expensive… so we undervalue the advice that comes for free. Surely it can’t be as simple as creating strong passwords, installing antivirus and allowing updates? We’re used to big problems needing big solutions, being things we can solve with money instead of time, and having a measurable outcome. Unfortunately cyber security doesn’t conform to this model and many ‘best practices’ are out of reach for small businesses.
It’s a problem I started researching in 2014, as a doctoral student in the University of Oxford Centre for Doctoral Training in Cyber Security. As a graduate, I’d taken my knowledge of small businesses – knowledge from around the family dinner table – into the cyber security industry. But their understanding of business was different … the prices, the timescales, the level of expert support needed to solve a problem, all were out of the reach of the businesses I grew up hearing about. So when I got the opportunity to do a research degree, I decided to explore who and what we were excluding from cyber security by our definition of best practices.
Four years on, with a doctorate under my belt, I’m striking out on my own: to provide services that work with complex groupings of sole traders; that support supply chains in valuing what their small suppliers have a achieved, as well as highlighting where they could improve; or that offer training where support is out of reach.
For more details about my consultancy and training services click here.