Cyber security professionals need to improve the way they communicate risks to SMEs, according to the Institute of Chartered Accountants in England and Wales (ICAEW).
During a panel debate at the Parliament & Internet conference the association claimed that a “language disconnect” between small businesses and security experts is leaving SMEs open to online attacks.
George Quigley, chair of the ICAEW’s IT faculty, said that too many SMEs are yet to be convinced that online security is particularly relevant or worthy of prioritisation and need more evidence before spending money.
He said: “We can use basic guidance to get rid of 80 percent of the problem. But security professionals need to be better at explaining what it means for the business. SMEs are not going to buy security products if they don’t understand them.”
Firms “not getting basics right”
Gerry Penfold, risk consulting partner at KPMG, echoed Quigley’s view that “many organisations are still not getting the basics right”.
He suggested that part of the issue is that firms need to see security as a business issue first and foremost rather than just a technical issue for the IT department.
Penfold advised: “Organisations have to accept a degree of risk. They should identify critical information assets and make them their highest priority for protection.”
Simon Kendall, assistant director for cyber security at the Department for Business, Innovation and Skills (BIS), agreed that “ensuring a basic level of protection cuts out most of the threat”.
He encouraged businesses to certify themselves for the ‘Cyber Essentials’ standard, launched by the government in April to allow organisations to prove that they are working to protect themselves against the risks of operating online.
Kendall said the scheme “points to what good looks like” and “represents the basics” that businesses should be doing to protect themselves.
However Quigley suggested current initiatives do not go far enough, and said that the government should consider introducing mandatory disclosure rules for breaches involving personal data loss.
He said such a rule would “mean that firms can see the issue in full” and “realise the relevance” of protecting themselves.
Gerry Penfold, risk consulting partner at KPMG, agreed that the government should consider obliging firms to disclose serious breaches, as is currently the case in the US.
He said: “The government hopes we can get there without mandatory reporting. But we don’t seem to be getting there,” Penfold said.
Kendall said that the current government did not want to enforce disclosure of breaches. However he indicated that an upcoming review could lead to a change in policy.
He said: “The current government says that mandatory breach disclosure is not something they want to enforce, as businesses don’t want to air dirty laundry and they feel that if the UK goes down this route alone, it could damage our reputation.”
But he added that there is an election coming up and the official cyber security strategy is due to be reviewed and updated shortly after that.
“A lot of ministers say it [online security] remains a considerable threat, so we can expect something to come out from the strategic review”, he said.