Smaller but stronger: Lifting SME cyber security in South Australia

Small and medium enterprises (SMEs) are the lifeblood of Australia’s economy, comprising more than 90 per cent of the economy. The Australian Bureau of Statistics (ABS, 2019) reports that SMEs specifically contributed to the national economy through employment (44% of private-sector employment in selected industries), industry value added (34%) and gross domestic product (35%). However, when it comes to cyber security uplift, the SME sector – which is diverse in size and scope – faces a myriad of challenges. Investment of money, time and resources often presents a significant barrier to SME cyber uplift. In addition, SMEs are inundated with cyber security how-to guides and written advice, which can be overwhelming and confusing. Hence, our project took a different approach: focusing on practical cyber security implementation and integration by identifying the common strengths and weaknesses of SMEs when it comes to cyber security and establishing simple and cost-effective solutions to bolster cyber security.

The Cyber Security Cooperative Research Centre (CSCRC), in collaboration with CyberCX and CSIRO’s Data61, and supported by the Government of South Australia and the Australian Cyber Security Centre (ACSC), invited six Adelaide-based SMEs from different industries to participate in the pilot project.

KEY FINDINGS

Cyber is considered an add-on and is not built into business operations.

SMEs manage cyber security budgets in an ad hoc fashion.

A trusted network is not established in the supply chain.

Physical assets are better secured than digital assets.

Regulatory and legislative obligations are unclear.

Incident preparedness is very poorly developed.

BYOD (bring your own device) poses a considerable risk.

Cyber security maturity varies significantly between SMEs.

RECOMMENDATIONS FOR POLICY MAKERS

  • Implement a co-designed approach to cyber security campaigns aimed at SMEs to support general awareness and the need for SME cyber security maturity. These might be co-designed with industry to ensure widespread industry uptake.

  • Establish new funding models and incentivisation packages to support SME cyber security uplift.

  • Establish new programs and initiatives to embed a cyber secure attitude across the economy and foster cyber maturity.

  • Together with the business community, co-design and develop an SME community engagement system that provides support and access to relevant cyber security information to facilitate SME cyber maturity uplift.

  • Provide ongoing, timely and clear guidance concerning specific legislative and policy requirements for SMEs.

PUBLIC GUIDANCE – KEY MESSAGING

  • Cyber security should be elevated to the board as a strategic business and risk consideration, not siloed within the IT department.

  • Cyber security is integral to ongoing organisational integrity, and should not be considered a one-off, ‘tick box’ exercise.

  • Cyber security requires proactive and considered investment to elevate maturity.

  • More transparency concerning vendor offerings will enable broader SME product take-up and drive cyber security uplift.

  • Cyber security must be a shared responsibility within organisations to drive an economy-wide cyber-safe culture change.