Over the summer, two very interesting reports were published on the state of cyber security readiness in UK SMBs. In the first, insurer Hiscox, reported a sharp rise in cyber-attacks, with “55% facing an attack in 2019, up from 40% last year”. It ranked “almost three quarters of firms as ‘novices’ in terms of cyber readiness.” The second, from the Federation of Small Businesses, reported that “Small businesses are collectively subject to almost 10,000 cyber-attacks a day” and that “the annual cost of such attacks to the small business community is estimated to be £4.5 billion, with the average cost of an individual attack put at £1,300.”
Notably, the £1,300 cost does not factor in subsequent loss of customers and damage to brand. Alarmingly, it reported that “One in three small firms (35%) say they have not installed security software over the past two years. Four in ten do not regularly update software and a similar proportion do not back up data and IT systems. Fewer than half (47%) have a strict password policy for devices.” I then read through the UK Government’s National Cyber Security Strategy report 2016-2021 and found that “just under a fifth of businesses had their staff take part in cyber security training in the past year.”
We clearly have a problem. Small businesses are the lifeblood, the engine room of the UK economy. They employed a third of the workforce, provide the eco-system that supports the giant brands of the UK and generate huge amounts of innovation. But they are leaving themselves wide open and vulnerable. It seems nuts that small businesses aren’t protecting themselves, but they aren’t! So I started thinking about why this might be.
On the customer side, I think the problem stems from busyness, obligation and complexity. The busyness factor is obvious – small businesses spend their time selling, delivering, watching cash-flow and trying to grow. Experts at cyber security, they are not. By obligation, I mean that protection from cyber-crime is not a must, but a should. Like insurance, it’s an investment that yields no obvious benefit, until something goes wrong. And it’s complicated. We probably all know someone who knows someone who knows a lot about cyber security. Go on, be honest – how long does a conversation with these people on their specialist subject last before your eyes glaze over? It’s an ever-changing, highly technical problem, full of technical gobbledegook language – and quite boring.
On the supply side, I don’t see Channel businesses trying to solve cyber-security problems for small businesses. Where are the SMB security experts? Although the market is awash with point security solutions, covering every facet of small business infrastructure, software and services, there is little incentive for the Channel to sell wrap-around security services to SMBs. The Channel can make decent money selling mobile, broadband, email, laptops and software. But security – that’s tough, because it is so multi-faceted and is involved in a little way in all areas of a small business’ technology set-up.
A small business should change its passwords regularly; it should have a firewall and DDoS on its internet connection; it should have AV and encryption on laptops; it should have backup, security and DLP on email, web security and DLP for browsing, MDM on all mobiles, web application security protecting hosted services – that small business should be alerted and be able to respond if there are breaches through any of these environments – and the tech should be kept up to date and serviced, with active policies and procedures in place that all staff understand.
The challenge for the Channel is that each of these facets deliver a tiny security sale, adding it in may make you more expensive than the competition. And the nirvana – selling a comprehensive managed service that pulls together all aspects of security protection for a 10-user business is uneconomical. Let’s face it, unless something changes, it’s not going to happen; the Channel will remain focused elsewhere and your average small business will remain largely unprotected.
Bigger businesses, while not immune, possess the scale to afford an IT department, they will have someone responsible for security. And these businesses are well served by the Channel. The few security-focused MSPs that have got any scale focus all of their efforts on corporates and multinationals – going where the money is.
The technology is there, but the reports tell us that it’s just not being adopted. This is where I think the Channel has an obligation to educate and to play a long-term game with customers. The Channel is a trusted advisor to the small business. We are the go-to people when they have a problem or need some tech to help them grow. In every conversation and in every engagement with our customers, we should be talking about security as a key agenda item. And we should insist that our customers pay the small increment required to make that product secure, and ensure this then fits into a wider framework of security that protects the overall business posture. It will cost the Channel and the customer marginally more, in both hard cash and in headspace, but it’s worth it. It requires the conversation to move from price to value, from sales to trust.
I can’t offer a DWS silver bullet I’m afraid, but we are working hard to try to make a change. For a long time, we’ve been building compulsory, ‘non-opt-outable’ security into our product offerings, incidentally this normally results in us giving security away. For example, we were one of the first connectivity providers to give DDoS protection away free with every broadband and Ethernet circuit sold. When we built our hosted telephony platform, we spent considerable time and money ensuring that the product was resilient and secure out of the box. Over time we believe this quality-over-price approach will win because the resultant uptime experienced by our partners’ customers will win – these are long term plays.
I’m very excited about the imminent launch of our new Guardian cyber security brand. We believe we have a differentiator – bringing together a bundle of the most important security solutions for small businesses in simple, affordable bundles. The pitch – with one click of a button and for the price of a cup of coffee per user, per month, you can protect your business from 95% of all cyber threat – all in, no policy set ups, no security expertise required. Behind this simplicity we are masking some real complexity. We have taken service provider-class email, web, DLP (Data Loss Prevention) and next generation firewall security solutions from the best players in the market and virtualised and automated their deployment through a software defined network, using network function virtualisation, running in AWS. It’s not perfect and it’s certainly not a silver bullet. Cyber criminals are clever and nothing you do will protect you 100%. But if you take this approach to your customers and perhaps make them just a little safer, you present a challenge to the cyber-criminal that will reduce the chances of your customers getting attacked.
The Channel won’t grow rich selling these solutions. Pence per user, per month doesn’t massively boost Channel margins, but, bundled with other core services, what it does do is the ‘right thing’. It creates trust with customers and, over time, if you play the long game, it will yield stronger, more trusted relationships with customers – who will give more and more of their wallet to you.