What Attitude Changes Are Needed to Cause SMEs to Take a Strategic Approach to Information Security?

Spending on security in an SME usually has to compete with demands for hardware, infrastructure, and strategic applications. In this paper, the authors seek to explore the reasons why smaller SMEs in particular have consistently failed to see securing information as strategic year-on-year spending, and just regard as part of an overall tight IT budget. The authors scrutinise the typical SMEs reasoning for choosing to see non-spending on security as an acceptable strategic risk. They look particularly at possible reasons why SMEs tend not to take much notice of "scare stories" in the media based on research showing they are increasingly at risk, whilst larger businesses are taking greater precautions and become more difficult to penetrate. The results and their analysis provide useful pointers towards broader business environment changes that would cause SMEs to be more risk-averse and ethical in their approach to securing their own and their clients’ information.

SMEs Attitudes to “Information Assurance” and Consequences for the Digital Single Market

It is now generally accepted that cyber crime represents a big threat to organisations, and that they need to take appropriate action to protect their valuable information assets. However, current research shows that, although small businesses understand that they are potentially vulnerable, many are still not taking sufficient action to counteract the threat. Last year, the authors sought, through a more generalised but categorised attitudinal study, to explore the reasons why smaller SMEs in particular were reluctant to engage with accepted principles for protecting their data. The results showed that SMEs understood many of the issues. They were prepared to spend more but were particularly suspicious about spending on information assurance. The authors’ current research again focuses on SME attitudes but this time the survey asks only questions directly relating to information assurance and the standards available, in an attempt to try to understand exactly what is causing them to shy away from getting the badge or certificate that would demonstrate to customers and business partners that they take cyber security seriously. As with last year’s study, the results and analysis provide useful pointers towards the broader business environment changes that might cause SMEs to be more interested in working towards an appropriate cyber security standard.

Building Owner vs. Energy User: a Split Incentive for Energy Reduction

The UK’s historically low cost of energy has encouraged a culture that considers energy to be in limitless supply and excessive levels of consumption acceptable. Now that supplies are becoming restricted and costs rising, it is becoming recognised this energy culture has created a legacy stock of buildings with poor building fabric, limited energy efficiency equipment and even lower levels of energy awareness. Cost effective technologies are readily available but not adopted by UK SMEs in non-domestic buildings, as rational economic theory would expect. Policy-makers attribute this to inaccessibility of information and investment and design policies accordingly. However, as escalation of demand continues an alternative driver of this paradox must exist. This research hypothesises that this is the ownership structures of non-domestic buildings. Tenure of business premises is found to prevent adoption of energy conservation opportunities; 64% of SME surveyed encountered barriers to energy efficiency related to building ownership. When increased pro rata to reflect the UK SME population, almost 2.5 million businesses appear unable to benefit from energy improvements.