Small businesses in Scotland are aware of the increasing threat of cyber crime but are failing to act on the threat effectively, according to a detailed cyber security survey.
The survey highlights how firms are being overwhelmed and confused by the amount of advice around cyber crime.
As a consequence they are choosing to take only the most minor “common knowledge” preventative measures, like using anti-virus software and firewalls, which leaves them unwittingly vulnerable.
The survey also shows that SMEs still do not regard the data they hold, whether their own or that of customers, as having value.
The study is the first of its kind to assess why Scotland’s SMEs are not doing more to protect themselves, despite the almost daily reports of companies being hacked, having personal data stolen or experiencing a loss of business.
The research, by the University of Glasgow, was commissioned by the Scottish Government and the Scottish Business Resilience Centre (SBRC), and funded by a Royal Academy of Engineering Industrial Secondment Grant.
Mandy Haeburn-Little, SBRC director, said the survey provided crucial guidance on how small businesses, government and other agencies all need to change their thinking to counter the threat of cyber crime.
She said: “It’s vital we do everything we can to support smaller companies, including the many businesses who work from home. These findings will help us to do this.
“They show that SMEs do care and take cyber crime seriously, but they are hitting obstacles on what to do about it.
“However, also particularly concerning is that many small businesses still do not recognise that there is a value attached to the data they hold.
“The fact that there is so much advice online – and also significant levels of conflicting advice – is leaving them confused, bewildered and overwhelmed.”
The survey found that 95 per cent of businesses carried out security activities that showed they did care about security, but only 15 per cent thought they were at significant risk of being the target of an attack.
More than 50 per cent said they consulted Google for cyber advice, with less than seven per cent consulting Government websites.
With 12 million results coming up on Google, firms felt unable to identify trustworthy advice and were left floundering.
The recent Cyber Breaches Security Survey, carried out by Ipsos Mori for the UK Government, found two-thirds of large British businesses have experienced a cyber attack or breach in the last 12 months – one in four of which were attacked at least once a month.
More than half (53 per cent) of small businesses in Scotland think it is unlikely or very unlikely they would be a target for an attack and only 23 per cent feel completely prepared for one, with 19 per cent saying they have not taken any steps to protect their data.
The SBRC is now looking to highlight the survey recommendations in its ongoing discussions with the Scottish Government and Police Scotland as part of Scotland’s developing cyber strategy.
Cyber crime can take many forms, including theft, fraud, selling sensitive company data and sabotaging equipment.
In the past year, notable cyber attacks have included the TalkTalk scandal and the crashing of the BBC website.
However, smaller firms are at an increased risk due to limited resources and lack of in-house IT capabilities.
As part of its cyber prevention guidance, the SBRC provides services to protect companies - particularly small firms. For more information on the cyber services visit www.sbrc.co.uk.