The SME cybersecurity paradox

Published on the 22/07/2021 | Written by Heather Wright

Cybersecurity paradox

Awareness and concern but is there action?…

Cybersecurity – and the security of tools and applications implemented during the pandemic – is weighing heavily on the minds of New Zealand’s smaller businesses, but there’s a disconnect when it comes to taking action.

At least that’s according to a survey of more than 300 Kiwi SMEs courtesy of IT and digital technology services provider Dynamo6.

The results show plans to increase IT spend for 56 percent of SMEs, with medium-sized businesses more bolshy with seven in 10 planning increased IT budgets this year.

“Businesses don’t know where to begin boosting their cyber-resilience.”

Investment in security and risk management was far and away the top investment planned for 2021/2022 for medium businesses, with 28.7 percent of medium sized businesses investing there. But when it comes to the smaller end of town, the appetite for security and risk management investment is much lower – a somewhat dismal 4.2 percent, in fact, placing it 12th priority and well behind the top priorities of business process management (11 percent), customer experience technologies (10.3 percent) and data and analytics, cloud based applications and cloud migrations, all of which tied for third with 10 percent.

(Security and risk management was ranked third on a similar survey into large enterprise investment plans.)

It comes at a time when security incidents continue to rise with more 1,431 cybersecurity incidents reported to Cert NZ in the first three months of 2021. Twenty-three percent of those resulted in some form of direct financial loss, totalling $3 million.

The survey – carried out in late March – predates the publicity-grabbing Waikato District Health Board ransomware attack which crippled five hospitals’ IT systems in May and brought cybersecurity concerns to the fore again and further raised awareness.

The results are echoed in a June survey from Cert NZ. It showed three in five small businesses believe they should be doing more to keep secure online, with 54 percent saying their organisation is concerned about cybersecurity and 46 percent saying they’re trying to learn more about keeping their online business safe.

But despite the awareness and concern, the Cert NZ survey also showed small businesses (with less than 20 employees) aren’t taking action to secure themselves, with just 45 percent saying they have processes in place to prevent a cyber attack.

And just 38 percent believe their business adequately invests in cyber security with only 34 percent saying their business has put a lot of thought and planning into being cyber secure.

Rob Pope, Cert NZ director, says the recent high profile attacks have put online security at the front of businesses’ minds and are generating more open conversations.

“It’s encouraging that businesses are gaining greater awareness of the mitigations they need to put in place to minimise cyber security threats,” Pope says.

“However, our research indicates businesses don’t know where to begin boosting their cyber-resilience. Time and money may be a barrier, but prevention is the best and least costly form of defence.”

Igor Matich, Dynamo6 founder and executive director, says “While we understand many small businesses are quick to focus on technologies that boost business processes and enhance customer experience, we often see security deprioritised with an ‘ambulance at the bottom of the cliff’ approach employed only when major issues arise.”

He says he’s surprised at the ‘huge rate of this pitfall’ for small businesses in particular, saying smaller operators need to reconsider their proactive management and funding in cybersecurity.

“Some SMEs have hit a wall with the pressures of digital transformation fatigue in this regard and putting the foot back on the accelerator is vital for protecting both individual businesses and our national economy.”

Pope says a large percentage of the incidents being reported to Cert NZ could have been prevented simply with a strong password and the use of two-factor authentication.

Cert’s ‘simple actions’ for businesses to take include:

  • Regularly installing updates on software and devices to prevent attackers exploiting vulnerabilities
  • Backing up business and customer data on a segregated network so if it’s lost or stolen you can recover it quickly
  • Having a password manager
  • Enabling logging to keep records for investigative purposes
  • Monitoring logs for unusual activity
  • Having an incident response plan so you’re prepared if the worst happens

Matich is also concerned businesses might be overstretching themselves with their other IT projects, noting that while the median number of planned technology investments was three per business, some were wanting to tackle up to 16 projects.

Dynamo6’s The State of IT: New Zealand Small and Medium-sized Business Edition shows for small businesses increasing revenues, retaining customers and improving operational efficiency are top priority for 2021. For medium sized businesses it’s using analytics to improve finance predictability, improving the customer experience and improving operational efficiency.

But small businesses also highlighted that they were concerned about trying to stay afloat, coping with a lack of staff and dealing with evolving health and safety requirements – hinting at the underlying stresses of keeping a small business running.

One in three (30 percent) New Zealand SMEs don’t have or plan to have a digital and IT strategy and a quarter of SMEs (26 percent) are struggling with or have given up on digital transformation according to the report.

Post a comment or question...

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Thank you! Your subscription has been confirmed. You'll hear from us soon.
Follow iStart to keep up to date with the latest news and views...